RETURN $ecure;

RSnake has writte up an excellent post on stealing a users browsing history without the use of Javascript. Apparently though, there was an obscure, though similar paper written before this. According to Mephisto in the comments, this detects history through multiple instances
of the browser. Probably because the browser gets updated and the site is 
using the visited: CSS if you visit it in once instance. Anyways, interesting stuff. Don’t forget to get the XSS book tomorrow!

Also, I’ve set up a new forum on one of my spare machines.
It’s not particularly secure right now as it’s using Debian packages. They tend to be a little out of date. But at least it’s stable. I’ll be making semi-regular backups, so it won’t be a huge issue if it’s hacked. Assuming your DNS updated by the time you read this, it should be at Kyran.ca. You’ll probably also notice the banner on the right. Yup. Easier sign-up for e-mails @kyran.ca

I’ve set up a few things today. First off, a Ventrilo server. Connect to it using the default port and hostname ‘kypvp.servegame.com’. Since it’s the standard server and not the ‘pro’, it’s limited. I might change over to TS at a later point.

Also, I have setup e-mails using my domain and  Custom Domains from Windows Live. So, if you want an e-mail@kyran.ca using the Windows Live Mail network, toss me a message.

I also have a Hamachi network set up. kynet and kynet2. If you want to come and play a few rounds of Starcraft or Warcraft, again, drop me a message. I’ll send you the password to the Hamachi networks.

Anyone have any ideas for other things I should setup?

 There was an article going around on a few sites today about Acunetix stating that 70% of websites are at immediate risk of being breached. Soon after, Joe Snyder not only disputed this claim, but bet Acunetix 1000$ they couldn’t compromise 3 out of 10 sites. I could use a thousand bucks and I bet even randomly selected I could get at least 5 out of 10 sites. RSnake wrote a post with a bit more info.

Also, Iwatsu selected Opera for use in their new VoIP phone. From the press release,

PRECOT (Premium Communication Tool) is a next generation solution over a broadband IP connection for the enterprise market. With Opera, PRECOT users can access Web mail or any Web page from the convenience of their screen phones.

It will also have phone to tag support, which basically turns any numbers formatted like a phone number into a link, when it’s clicked the phone will call it. Pretty nifty stuff.

Too bad I dislike phones.

I won’t be blogging about security nearly as much for the next while. Instead, I’ll be taking the technology route as well as making the occasional more personal post. There will still be my opinions on major things in the security world, but I won’t really be contributing much(Have I ever? haha). I just think right now my time can be spent elsewhere. Nothing particularly interesting is going on right now. C’mon, even RSnake has resorted to reading a gigantic click fraud report and making comics.(Funny ones I might add. There are more on the forums.) I’m not sure if that’s because he’s bored or there really is nothing going on in webappsec, but regardless I’ve been looking for an excuse to drop some time consuming part of my life and security is going to be it for now.

Though it does seem there are interesting discussions about WAFs, even if it’s not particularly new, it sure is interesting. I’ve said it before and I’ll say it again, webappsec will and should follow the footsteps of network security. Although since a large portion of webappsec is probably social engineering, I don’t think it will all ever be solved. We can patch software, not humans.

Oh and it seems that Opera really is everywhere.

Here it is.

I just wrote a paper exclusively for SudoLabs.com. It’s about the worm I wrote targeting GaiaOnline.com,

aptly named ”gaiaworm”. This is the third version of the worm and the first time I’ve ever really written a paper.

Edit 1 – If you link to the paper, link to the blog post instead. I will be updating with links to who has published it as well as other updates. Thanks.

Edit – XSSed.com now has a copy of it. View it here.

– Edit 3, Apparently SudoLabs forums are dead for now. View the XSSed.com copy above!

Soon I’ll be releasing a small paper to Sudolabs.com and XSSED.com

Keep an eye out.

I figured this would happen for awhile, then he told us he was working on it, but here it finally is!

RSnake(a.k.a. Robert Hansen) has literally written the book on XSS. Well, he is a contributer as well as Seth Fogie, Jeremiah Grossman and Anton Rager. I’m really excited about this. According to the Amazon.com description, it covers the basics as well as some of the more bleeding-edge stuff. It’s set to release March 1, 2007.

You should go pre-order it now. I know I’ll be picking this up.