Author Archive

Introducing Shazzer: A shared online fuzzer

I lost inspiration for coding a while ago and had this idea I was sitting on for a while, I’m often stuck at the design stage before I write a line of code and I will refuse to continue without a clear picture in my head on how an app is going to work. After [...]

Breaking feeds

This should break my feed and anyone else who syndicates my feed and doesn’t filter 0×05 That’s it LOL. Hope you enjoyed it but I doubt you read it. 

HTML scriptless attacks

Following up on @lcamtuf’s post about a “post xss” world. I thought I’d chip in with some vectors he missed. The textarea consumption technique he mentioned isn’t new and wasn’t invented by “Eric Y. Chen, Sergey Gorbaty, Astha Singhal, and Colin Jackson.” it was openly discussed on sla.ckers for many years (as usual) but anyway [...]

NULLs in entities in Firefox

HTML5 decided to introduce a load of new entities, I dunno why maybe they thought it wasn’t hard enough to protect against the original ones we had already. Anyway Firefox has a bug or “feature” that allows NULLS inside the entities. I tweeted it but if I don’t post it here it will probably be [...]

staticHTML property

The static HTML property allows you to get/set filtered HTML directly on the DOM object you’re using. The browser vendors don’t support this property yet, IE has a toStaticHTML function and Firefox via the Noscript plugin emulates toStaticHTML but doesn’t allow you to set/get directly, so I decided to create a JavaScript version that can [...]

Non-alpha JavaScript and PHP slides

I had fun at OWASP Manchester, my talk went really well. Getting more confidence with talks now I think. I have a tendency to rush through and get ahead slightly sometimes but overall I did much better and had some great feedback along with some very interesting questions. Enjoy the slides! Here are my non-alphanumeric [...]

We need @ urls

Just thought I’d post the obvious and state we need @ urls. At the moment when using @ the browser assumes you want to use ftp on the site in question but I propose when using a url that begins with @ it should default to your chosen social network. @uid would resolve to twitter.com/uid [...]

Non alphanumeric code in PHP

So a small php shell was tweeted around and it inspired me to investigate a way to execute non-alphanumeric code. First off I started with the idea of using octal escapes in PHP and constructing the escape so for example: \107 is “G” if I could construct the “107″ and add the backslash to the [...]

Protecting against XSS

The problem as I see it Where to start? Let me start by telling you that most of the books you read are wrong. The code samples you copy of the internet to do a specific task are wrong (the wrong way to handle a GET request), the function you copied from that work colleague [...]

PHP CSSReg

Just a quick post to mention the excellent work by Norman Hippert aka @thewildcat, he successfully converted my Javascript based CSSReg into PHP. I was meaning to do this but never found the time so it’s pretty awesome that not only did thewildcat convert the code but found some nice bugs in my code and [...]