Introduction Cross-Site Scripting (XSS) has been around for ages – with first incidents being reported in the late nineties. Despite the attack technique not being the most complex of all, XSS is not only still around in 2011 but has gained incidence and gravity. In many real life attacks XSS was used as an entry-door […]

You might have seen a blog post or came to the conclusion that urls are in fact valid JavaScript such as: http://thespanner.co.uk (label) (comment) That’s weird and cool but how do we execute JavaScript from the url? Something like: http://thespanner.co.uk\nalert(1) (label) (comment) (newLine) (functionCall) Trouble is the new line isn’t allowed inside the browser url […]

This is a very old technique I discovered years ago which I used to bypass a filter and it’s pretty awesome. It might come in handy to bypass a WAF or filter since it’s not public until now. First you need to understand (which you probably do) that the window object is the default object […]

Over the last few days I’ve finally fixed a data enumeration bug that was haunting a new feature in Shazzer. Originally Shazzer just mutated one character at a time to discover characters which influenced the fuzz vectors in interesting ways. I decided to expand that to include data. I called the feature “datasets” because you […]

I lost inspiration for coding a while ago and had this idea I was sitting on for a while, I’m often stuck at the design stage before I write a line of code and I will refuse to continue without a clear picture in my head on how an app is going to work. After […]

HTML5 decided to introduce a load of new entities, I dunno why maybe they thought it wasn’t hard enough to protect against the original ones we had already. Anyway Firefox has a bug or “feature” that allows NULLS inside the entities. I tweeted it but if I don’t post it here it will probably be […]

The static HTML property allows you to get/set filtered HTML directly on the DOM object you’re using. The browser vendors don’t support this property yet, IE has a toStaticHTML function and Firefox via the Noscript plugin emulates toStaticHTML but doesn’t allow you to set/get directly, so I decided to create a JavaScript version that can […]

I had fun at OWASP Manchester, my talk went really well. Getting more confidence with talks now I think. I have a tendency to rush through and get ahead slightly sometimes but overall I did much better and had some great feedback along with some very interesting questions. Enjoy the slides! Here are my non-alphanumeric […]

Just a quick post to mention the excellent work by Norman Hippert aka @thewildcat, he successfully converted my Javascript based CSSReg into PHP. I was meaning to do this but never found the time so it’s pretty awesome that not only did thewildcat convert the code but found some nice bugs in my code and […]

It appears this unicode monster keeps chomping away at JavaScript parsers, this time it’s chrome. There was an excellent post from jack masa about JavaScript comments. In it he describes how chrome allows any character which ends in 2a or 2f \uxx2a+\u002f to be used as a “*” or “/”. Pretty crazy I’m sure you’ll […]