gaz: omg more epic fail in IE 😀 larry: huh? 😀 gaz: what is “A” in IE compat? larry: hm A? gaz: no larry: ? gaz: lol ? larry: NUL ? gaz: A –> ? A –> A larry: ah! out of bounds I get it gaz: what is this in IE compat: &#x41 larry: […]

The DOM is a mess. In an effort to support legacy quick short cuts such as “form.name” etc the browsers have created a Frankenstein monster. This is well known of course but I just wonder how far the rabbit hole goes. I’m gonna share what I discovered over the years. HTML Collections First up is […]

I had a look at XSS Auditor for a bit of fun because Mario said it’s getting harder to bypass. Hmmm I don’t agree. I seem to remember the same flaws are present from the last time I checked it with a little variation. It is also a very limited XSS filter not supporting detection […]

I started to wonder a while ago how you could produce a vector that executed in many contexts. It’s cool because you can limit the number of requests an automated scanner uses without a high failure rate, you can even reduce the failure rate by making it as small as possible because some filters have […]

I was meaning to write about this for a while because it just shows how little people care about what they include on their web site. I’m not saying I’m perfect I’ve included vulnerable JavaScript on my own sites but I have at least noticed when I find a vulnerability and fix it or remove […]

Introduction Cross-Site Scripting (XSS) has been around for ages – with first incidents being reported in the late nineties. Despite the attack technique not being the most complex of all, XSS is not only still around in 2011 but has gained incidence and gravity. In many real life attacks XSS was used as an entry-door […]

You might have seen a blog post or came to the conclusion that urls are in fact valid JavaScript such as: http://thespanner.co.uk (label) (comment) That’s weird and cool but how do we execute JavaScript from the url? Something like: http://thespanner.co.uk\nalert(1) (label) (comment) (newLine) (functionCall) Trouble is the new line isn’t allowed inside the browser url […]

This is a very old technique I discovered years ago which I used to bypass a filter and it’s pretty awesome. It might come in handy to bypass a WAF or filter since it’s not public until now. First you need to understand (which you probably do) that the window object is the default object […]

Over the last few days I’ve finally fixed a data enumeration bug that was haunting a new feature in Shazzer. Originally Shazzer just mutated one character at a time to discover characters which influenced the fuzz vectors in interesting ways. I decided to expand that to include data. I called the feature “datasets” because you […]

I lost inspiration for coding a while ago and had this idea I was sitting on for a while, I’m often stuck at the design stage before I write a line of code and I will refuse to continue without a clear picture in my head on how an app is going to work. After […]