I like the topic of CSRF because it’s such a difficult problem to solve, I was thinking about ways a browser can prevent CSRF and I’ve come up with the following solutions:-
1. After a domain name any image/object/frame etc request is truncated by a user definable setting.
Limiting the amount of data an attacker can use [...]
I’ve been busy…real busy on Hackvertor so I thought it might be a good idea to explain the ideas behind it. Please note Hackvertor is currently only tested under Firefox. I may support other browsers in future.
What is it?
It’s many things: a conversion utility, browser hacking platform, targeted fuzzing tool, XSS filter testing tool [...]
I’ve decided to create a video demo of Hackvertor to display the new features I’ve added. The tool is quite powerful now and it is even able to solve my a bit of fun challenge. I didn’t want to waste the bandwidth of my server because of costs so sorry about the adverts displayed in [...]
I believe in releasing code as early as possible and often. So I’ve released another version of JSCK, the code isn’t a complete solution at the moment and is more of a proof of concept rather than a final version you can use on live sites but it highlights the method well and should provide [...]
I had a great idea to protect against CSRF, use my random Javascript creation technique! I already knew it was possible to use it in this way but I wanted a nice solution that anyone could incorporate into their site.
PHP first creates a random session key using random code blocks, then Javascript does the [...]
After the success of my “a bit of fun” challenge, a few people asked for some more challenges. So I was answering a question on a mailing list that I’m a member of and I thought it would be a good topic for a little challenge and help sharpen everyone’s regular expression skills.
The rules
Only one [...]
I’ve been busy catching up with some of the projects I’ve been working on and I’m pleased to announce a new version of Hackvertor, if you don’t know what it is check it out. It’s a useful tool to help with conversions and pen testing server side XSS filters. I decided to write the tool [...]
I’m pleased to announce that I have recently joined Blogsecurity which is fantastic news because I can work with some excellent people and develop free open source software which will help blogging security.
Wordpress Lockdown and WPIDS
We’ve already been working on a security plugin for Wordpress which combines my previously unreleased plugin WP Lockdown and [...]
Many developers often design their system security based on what the software does; this is a mistake you should always design a security system based on what your software might do. I’m quite surprised when people don’t understand this, I often think of potential scenarios and discuss flaws in a current implementation based on those [...]
Update…
Verisign have now fixed the vulnerability.
I’ve wrote about this before but I’m sure that some people might not know the risks involved, so I’ve created a demonstration of how to use CSS and iframe overlays to take any section of a web site and place it on any other web site. The user wouldn’t [...]