• Free Dr. Pepper Overloads Site, Exposes Captcha Key

    I love Dr. Pepper. So when they announced they were giving it away for free I was all over it. Sadly, though, the site was not up to the task and was continually failing in new and wonderful ways: everything from Service Unavailable to this piece of code poo: Start ', gmdate("F j, Y, g:i:s…

  • When ISPs Attack!

    Here is a scary story about a company, Nebuad (no link juice for you!), that performs a MITM attack, all in the name of better ads. Now, sniffing to get better data on your customers has been around for a while. In fact, I worked at a company that did this as part of our offering. Where…

  • Bots + Web Vulnerabilities – An Approaching Storm

    I called this one the day after the first wave of mass SQL injection attacks came out. I told Jeremiah that we would see botnets doing this attack shortly, as it was much more efficient. A few weeks later and boom, botnets performing mass SQL injection. The interesting thing about these attacks so far is what…

  • FBI, CSRF and Jail: How to Get Someone Raided

    This seems pretty scary. Apparently the FBI posted a link on some online forum that claimed to display kiddy porn. The story is here. Upon reading this, the first thing that popped into my mind was CSRF (Cross Site Request Forgery). Now, this is not classic CSRF, since CSRF generally implies I am exercising some functionality on…

  • The Big Announcement

    I’ve not been this pumped about something in a long time. Jeremiah has actually been pulling me into liking this idea for a very long time. I hated it at first. I mean, WAFs, bleh. Plus, didn’t we already try scanners + WAFs before? Oh yeah, the total trainwreck that was AVDL. So one…

  • 5 Security Predictions for 2008

    1. We will see the first multi-website XSS worm. I think we will finally get a true cross-site XSS worm in 2008, combining XSRF and XSS to propagate a worm across multiple sites and multiple domains. The first one will be benign, but the others will be much more malicious in nature. Leading victim candidates are social network sites…

  • Mastercard.com NOT PCI Compliant

    Someone has found an XSS vulnerability on mastercard.com. The place it was found, the search function, is a notorious location for XSS vulnerabilities. The XSS payload that triggers the vulnerability leads me to believe that there was a fair amount of filtering going on, but I guess not enough. Who does Mastercard pay PCI penalties to?

  • SANS says the #1 Server Security Issue is Your Web Application

    The latest SANS Top 20 has been released, and according to SANS the #1 issue impacting the security of your servers is the web application code that lives on top of them. I agree with them (in a totally biased way, of course), but the data they cite leaves me with an uneasy feeling. SANS likes to…

  • Apple Blocks the Word Script

    Jordan Weins posts about the exact problem with offensive defense systems on his blog: How Not to Protect Your Webapp. Great job Apple, the word “script” is so evil I can’t do a search for AppleScript. Some would argue this is a good thing, especially if they have seen any of the AppleScript I have written. This smells like someone…

  • ScanAlert – XSS is Cool with Us

    Sometimes I just want to give up. I really hate XSS because it is a tricky issue to explain to people that don’t understand it. It basically boils down to bad people using my website to compromise clients. What they do with those compromised clients can range from fairly benign replicating worms, to phishing scams, all the way to total…

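The mastercard.com search XSS (filtering that was “not enough”), Apple refusing any search containing the word “script”, and the ScanAlert post all turn on one point: filtering input is not the same as encoding output. The following is an added example, not code from any of the posts above or from the sites they discuss. It builds a hypothetical reflected search page, runs constructed payloads (and one legitimate query) through three sanitizers, and reports which ones still let a tag through. The page markup, the sanitizer names and the payloads are all assumptions made for the demonstration.

```javascript
// Added example (not from any of the posts above): a hypothetical reflected
// search page, rendered with three different sanitizers, to show why input
// filtering fails where context-aware output encoding succeeds.
// All payloads below are constructed for the demonstration.

// Sanitizer 1: strip <script> and </script> tags. This is the "some
// filtering, but not enough" pattern.
function stripScriptTags(q) {
  return q.replace(/<\s*\/?\s*script[^>]*>/gi, "");
}

// Sanitizer 2: keyword blocklist. Reject any query containing the word
// "script" (the Apple search behaviour). null means "request rejected".
function blockScriptWord(q) {
  return /script/i.test(q) ? null : q;
}

// Sanitizer 3: HTML-encode the value for the text context it lands in.
// Nothing is rejected; the characters that can open a tag, an attribute
// or an entity are escaped, so the browser only ever sees text.
function htmlEncode(q) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return q.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical results page: the query is echoed back as HTML text.
function renderSearch(q, sanitize) {
  const safe = sanitize(q);
  if (safe === null) return "400 Bad Request";
  return `<p>Results for: ${safe}</p>`;
}

// Crude check: did user input produce an element start tag inside the
// <p>? Good enough for these payloads; a real test uses an HTML parser.
function hasInjectedTag(html) {
  const body = html.replace(/^<p>Results for: /, "").replace(/<\/p>$/, "");
  return /<[a-z]/i.test(body);
}

// Constructed inputs: three payloads and one legitimate query.
const INPUTS = {
  plainScript: "<script>alert(1)</script>",
  nestedScript: "<scr<script>ipt>alert(1)</script>", // one stripping pass leaves <script>
  imgHandler: "<img src=x onerror=alert(1)>",        // no "script" token anywhere
  legitimate: "applescript tutorial",
};

// Run every input through every sanitizer. Returns
// { sanitizerName: { inputName: "blocked" | "injected" | "safe" } }.
function evaluate() {
  const sanitizers = { stripScriptTags, blockScriptWord, htmlEncode };
  const report = {};
  for (const [sName, sanitize] of Object.entries(sanitizers)) {
    report[sName] = {};
    for (const [iName, q] of Object.entries(INPUTS)) {
      const html = renderSearch(q, sanitize);
      report[sName][iName] =
        html === "400 Bad Request" ? "blocked"
        : hasInjectedTag(html) ? "injected"
        : "safe";
    }
  }
  return report;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Tag stripping lets both the nested payload (one pass rebuilds `<script>` from the pieces) and the `onerror` handler through; the word blocklist stops the legitimate AppleScript query while still passing the `<img>` payload, because it never contains the blocked word; only the encoder leaves every input harmless without rejecting any of them. The encoder here is correct for HTML text content only: a value landing in an attribute, a URL or a script block needs the encoding for that context.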