kuza55.blogspot.com
Web Security Research» Alex's Corner: Is framework-level SQL query caching dangerous?
http://kuza55.blogspot.com/2008/08/is-framework-level-sql-query-caching.html
Sunday, August 03, 2008. Is framework-level SQL query caching dangerous? I was in a bookshop a few months ago and picked up a book about Ruby on Rails, and though I sadly didn't buy it (having already bought more books than I wanted to carry) and I've forgotten it's name, there was an interesting gem in there that stuck in my head. But in any case, it still seems dangerous. Assuming that flushing the cache is fairly granular operation (or there is very little activity on the table or users are stored as ...
kuza55.blogspot.com
Web Security Research» Alex's Corner: April 2008
http://kuza55.blogspot.com/2008_04_01_archive.html
Saturday, April 12, 2008. How much do you trust your DNS operator? TechCrunch recently broke a story about Network Solutions hijacking users' unused subdomains for advertising. It seems to have only applied to people using Network Solutions for their shared hosting, and seems to have been removed now. (None of the IPs I tested on the same machine returned advertising for their non-existent subdomains) And on top of that we know that anyone who is on shared hosting is pretty easy pickings. Now you may tru...
kuza55.blogspot.com
Web Security Research» Alex's Corner: Using TinyURL For Storage (includes PoC)
http://kuza55.blogspot.com/2006/12/using-tinyurl-for-storage-includes-poc.html
Saturday, December 30, 2006. Using TinyURL For Storage (includes PoC). Note: To skip to the PoC click here. I recently read the following post about trying to write something that took advantage of pdp's article of using tinyURL for storage: http:/ michaeldaw.org/news/news-221206/. Sadly at the time I hadn't actually read pdp's article ( http:/ www.gnucitizen.org/blog/the-attack-of-the-tiny-urls/. But that still leaves us with the problem of having a cross-domain browser security policy, whereby we can't...
kuza55.blogspot.com
Web Security Research» Alex's Corner: January 2008
http://kuza55.blogspot.com/2008_01_01_archive.html
Saturday, January 19, 2008. 24c3 Presentation and Research. I did a presentation entitled Unusual Web Bugs. A few weeks ago, for which you can find slides and video for on the first link. However, since some of the things I presented were some of my own research which I haven't posted anywhere, I'll write a couple of posts about that in the next couple of days. There isn't too much though, so there's no need to get your hopes up, and if you've seen the video, you already know it. Links to this post.
dicyder.uncc.edu
DICyDER People
http://dicyder.uncc.edu/people.htm
Gorrell P. Cheek. Christopher G. Hudel. Dr Bei-Tseng (Bill) Chu. PhD (`06), Vice president at Cayptix Security. PhD (`05), Assistant professor at New Mexico Tech. PhD (`05), Senior Software architect at Nutech Solutions. MS (`07), Yahoo! MS (`06), Wachovia. MS(`06), Bank of America.
kuza55.blogspot.com
Web Security Research» Alex's Corner: XSS-ing Firefox Extensions
http://kuza55.blogspot.com/2008/07/xss-ing-firefox-extensions.html
Sunday, July 27, 2008. EDIT]:It turns out I fail at testing things on the latest version, see comments for some more details, sorry about that Roee.[/EDIT]. Roee Hay recently posted a blog post on the Watchfire blog about an XSS bug in the Tamper Data extension. It was posted much earlier, but removed quickly; RSS is fun), however when he assessed the impact he was wrong. The context of the window is still within the extension, and so by executing the following code you can launch an executable:. Firefox...
kuza55.blogspot.com
Web Security Research» Alex's Corner: June 2008
http://kuza55.blogspot.com/2008_06_01_archive.html
Sunday, June 08, 2008. Web Browsers and Other Mistakes. If anyone's interested, I uploaded my Bluehat slides here: http:/ www.slideshare.net/kuza55/web-browsers-and-other-mistakes-presentation/. View online) and here: http:/ www.slideshare.net/kuza55/web-browsers-and-other-mistakes-presentation/download. Hopefully you get something out of them. Sunday, June 08, 2008. Links to this post. Subscribe to: Posts (Atom). As such it will most likely not be updated very often. Web App Sec Blogs. Hack In The Box.
kuza55.blogspot.com
Web Security Research» Alex's Corner: October 2007
http://kuza55.blogspot.com/2007_10_01_archive.html
Friday, October 12, 2007. Detecting Firefox Extensions Without Javascript. Ascii recently posted a piece on detecting whether Javascript execution is disabled due to it being disabled through Firefox or through NoScript, by abusing NoScript's redirection code here: http:/ www.ush.it/2007/10/11/detect-noscript-poc/. If we take a look at how Firefox resolves conflicts between duplicate definitions for the same class (and probably for the same id) then we notice that Firefox simply uses the latter definition.
kuza55.blogspot.com
Web Security Research» Alex's Corner: Licensing Content
http://kuza55.blogspot.com/2008/07/licensing-content.html
Monday, July 21, 2008. Now, I am not a lawyer (so I don't know what information can be licensed and what can't), but as far as I know the fact that I have specified no license for the use of content on this blog does not mean it is public domain, or similar. So, I just wanted to make a quick post about what license the content of this blog is provided under. All the information on this blog is DUAL LICENSED,. 2 In the case you plain to use it for any other purpose, e.g.:. D make any profit from it. I wil...
SOCIAL ENGAGEMENT