Sunday, March 08, 2009
Tweet Tweet!
Wednesday, February 04, 2009
Frustrated by a coworker’s use of old-school programming techniques
Monday, February 02, 2009
Academic Earth
Thursday, January 15, 2009
TODO: Check out XSS Proxy
Thursday, May 29, 2008
Cool hack: Man exploits random deposit verification flows to steal $50,000
Link: http://www.cgisecurity.com/2008/05/12
Tuesday, May 27, 2008
Suggestive

For your info, the word obviate means to do away with something (unnecessary).
Thursday, May 15, 2008
Wednesday, May 14, 2008
Click Crime
http://www.securityfocus.com/columnists/471
Mark Rasch gives a very good description of "criminal honeypots" and some of their possible implications worldwide if implemented on a larger scale. The difference between setting up a trap and entrapment is also discussed there.
From the web application security perspective, it would be possible to frame someone else not only by using social engineering, but also with attacks like these:
- Create JavaScript code on a site that you control that exploits CSRF weaknesses in the criminal honeypot. Wait for the target to access your site and "click" the link automatically.
- Create a site that's linked to your target somehow, and get many, many people to click on the link (to the criminal honeypot) that you put on the site. The FBI sees the referrals from that site and traces them to your victim.
Wednesday, April 16, 2008
Google XSS
Netcraft also has a shorter version of the details, quoted below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An interesting cross-site scripting (XSS) vulnerability found in the Google Spreadsheets service would have allowed attackers to gain unauthorised access to other Google services, including Gmail and Google Docs.
The vulnerability was discovered by security engineer Billy Rios, and takes advantage of nuances in the way Internet Explorer handles Content-Types for webpages.
When a spreadsheet is saved and downloaded in CSV format, the Content-Type is set to "text/plain", thereby instructing the client's browser that the document should be treated as plain text. However, if HTML tags are entered into the first cell of the spreadsheet, Internet Explorer detects these tags near the start of the CSV document and instead deduces that it should be treated as HTML. This essentially allowed arbitrary HTML webpages to be served from spreadsheets.google.com, which in turn allowed JavaScript to be executed in the context of the spreadsheets.google.com site. A remote attacker could exploit this weakness by stealing the user's session cookies and hijacking their session.
Rios points out that Google cookies are valid for all google.com sub domains. This means that when a user logs in to Gmail, the Gmail cookie is also valid for other Google services, such as Google Code, Google Docs, Google Spreadsheets, and more. Cross-site scripting vulnerabilities in any of these sub domains can allow an attacker to hijack a user's session and access other Google services as if they were that user.
Google has fixed the vulnerability discovered by Rios and there have been no reports of the vulnerability being exploited by attackers.
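A defender-side check for the two conditions the Netcraft summary describes (a text/plain download that a sniffing browser may render as HTML, and a session cookie valid across sub domains), added here as an example that is not from the original post, Netcraft or Google. The host names, the 256-byte sniff window, the tag heuristic and the function names are assumptions.

```python
import re

SNIFF_WINDOW = 256  # assumption: legacy sniffers inspect about the first 256 bytes
TAG_HINT = re.compile(rb"<\s*[a-z!/]", re.I)  # heuristic for "looks like markup"

def audit_download(headers, body, host, cookie_domain):
    """Return findings for one download response (headers: dict, body: bytes)."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip()
    nosniff = h.get("x-content-type-options") == "nosniff"
    attachment = h.get("content-disposition", "").startswith("attachment")
    findings = []
    if ctype in ("", "text/plain") and not nosniff and not attachment:
        findings.append("text/plain served inline without nosniff")
        if TAG_HINT.search(body[:SNIFF_WINDOW]):
            findings.append("markup near start of body may be rendered as HTML")
    # A Domain attribute wider than the serving host exposes the session
    # cookie to script running on every sibling subdomain.
    scope = cookie_domain.lstrip(".").lower()
    if scope != host.lower() and host.lower().endswith("." + scope):
        findings.append("session cookie scoped to parent domain " + scope)
    return findings

def harden(headers):
    """Return a copy of the headers with the download pinned as a non-HTML attachment."""
    out = dict(headers)
    out["Content-Type"] = "text/csv; charset=utf-8"
    out["X-Content-Type-Options"] = "nosniff"
    out["Content-Disposition"] = 'attachment; filename="export.csv"'
    return out

# Constructed sample: a CSV export whose first cell contains markup.
SAMPLE_HEADERS = {"Content-Type": "text/plain; charset=utf-8"}
SAMPLE_BODY = b"<b>Q1 totals</b>,42\r\nwidgets,17\r\n"

if __name__ == "__main__":
    for hdrs in (SAMPLE_HEADERS, harden(SAMPLE_HEADERS)):
        print(audit_download(hdrs, SAMPLE_BODY, "sheets.example.com", ".example.com"))
```

Hardening the download headers clears the sniffing findings but not the cookie finding; that one only goes away when the session cookie is scoped to the serving host.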
