It’s quite difficult to protect against CSRF because you are performing actions on the attackers behalf, there are a couple of things you can do to help protect against it and I shall explain a couple of methods here. Form tokens Form tokens can be used to make it more difficult for an attacker to […]
Archives for the Month of August, 2007
Keeping safe online
Friday, 17 August 2007
Ok I apologise for the cheesy title but it’s all that I could think of 🙂 a mate of mine asked me to do a post on how to protect your browser when you’re online so here goes. First off it’s impossible. That’s right impossible, you can’t make your browser 100% secure, all you can […]
Safari beta zero day
Friday, 17 August 2007
Apple annoy me or rather their security attitude annoys me. I told them about a vulnerability months ago, I persisted and told them again. I got a generic reply from them saying:- ——————————– Hello, Thank you for filing this issue via Apple’s bug reporting system. Apple takes every report of a potential security problem very […]
Random Javascript and PHP generation
Wednesday, 15 August 2007
This code was based on a CAPTCHA I wrote but it could be useful in other areas such as comment spam protection. The idea is that a few random code blocks are generated on the client and server side, so each language (PHP, Javascript) has the same code. For example:- num = 1330; for(i=0;i
Open source security tools
Tuesday, 14 August 2007
I have reached the required comment level for my JSFuzzer, if you weren’t aware of my experiment it was simply to have people comment on my post before I released the source code [1]. I know it might sound silly but in fact it enables the project to attract attention and also humans by their […]
Firefox weird javascript execution
Monday, 13 August 2007
I’ve been reading sla.ckers quite a lot recently and I found a interesting topic on there were rsnake describes Firefox strange Javascript execution vectors which I wasn’t aware of. I thought I’d share them with everyone because I’m sure you’ll find them of interest. 1. First off there’s the double // which allows you to […]
Open source as a reward for the JS Fuzzer
Tuesday, 7 August 2007
Did you like my JS Fuzzer? If you did, then leave a comment here and when the site reaches 30 unique comments for this post I shall release the source code. You can then run it for as long as you want on your own server. Once the source code is released I shall be […]
1and1 suck
Monday, 6 August 2007
I’ve be implementing some mod_rewrite tricks learnt from Ronald and I was trying to get them working on my 1and1 server. I’ve just finished a conversation with a tech guy at 1and1 and the it went something like this:- Me:Hi I’ve been trying to get a few mod_rewrite rules going on my server but I […]
More Javascript fuzzing
Sunday, 5 August 2007
I’ve rewrote my Javascript fuzzer to include more options, this one allows you to choose events, html attributes and various quote options. If you have any suggestions or attributes/events you would like me to include then please leave a comment. The fuzzer also now has the branding of my site that I recently redesigned. Update… […]
IE7 javascript echo
Friday, 3 August 2007
This is a strange one, I’ve no clue why IE7 does this but it appears to execute and echo javascript using multiple : Check it out: Echo javascript