RETURN $ecure;

Security, Technology and Life

Archive for February 2007

Stolen history without Javascript and some news


RSnake has written up an excellent post on stealing a user's browsing history without the use of JavaScript. Apparently, though, an obscure but similar paper was written before this. According to Mephisto in the comments, this detects history across multiple instances of the browser, probably because the browser's history gets updated and the site is using the :visited CSS pseudo-class, so a link visited in one instance is detected in another. Anyway, interesting stuff. Don't forget to get the XSS book tomorrow!

Also, I've set up a new forum on one of my spare machines. It's not particularly secure right now, as it's using Debian packages, which tend to be a little out of date. But at least it's stable. I'll be making semi-regular backups, so it won't be a huge issue if it's hacked. Assuming your DNS has updated by the time you read this, it should be at Kyran.ca. You'll probably also notice the banner on the right. Yup. Easier sign-up for e-mail addresses @kyran.ca.


Written by Rodney G

02/28/2007 at 9:49 pm

Posted in Uncategorized


A thousand dollars and a fancy phone.


There was an article going around on a few sites today about Acunetix stating that 70% of websites are at immediate risk of being breached. Soon after, Joe Snyder not only disputed this claim, but bet Acunetix $1000 that they couldn't compromise 3 out of 10 sites. I could use a thousand bucks, and I bet that even with randomly selected sites I could get at least 5 out of 10. RSnake wrote a post with a bit more info.

Also, Iwatsu selected Opera for use in their new VoIP phone. From the press release:

PRECOT (Premium Communication Tool) is a next generation solution over a broadband IP connection for the enterprise market. With Opera, PRECOT users can access Web mail or any Web page from the convenience of their screen phones.

It will also have phone-to-tag support, which basically turns anything formatted like a phone number into a link; when it's clicked, the phone will call it. Pretty nifty stuff.

Too bad I dislike phones.

Written by Rodney G

02/14/2007 at 10:33 am

Posted in Uncategorized


[Paper] Anatomy of a Worm


Here it is.

I just wrote a paper exclusively for SudoLabs.com. It's about the worm I wrote targeting GaiaOnline.com, aptly named "gaiaworm". This is the third version of the worm and the first time I've ever really written a paper.

Edit 1 – If you link to the paper, link to the blog post instead. I will be updating with links to who has published it as well as other updates. Thanks.

Edit 2 – XSSed.com now has a copy of it. View it here.

Edit 3 – Apparently the SudoLabs forums are dead for now. View the XSSed.com copy above!

Written by Rodney G

02/10/2007 at 1:26 am

Posted in Uncategorized


Keep an eye out.


Soon I'll be releasing a small paper to Sudolabs.com and XSSED.com.

Keep an eye out.

Written by Rodney G

02/9/2007 at 12:59 am

Posted in Uncategorized


Cross-Site Scripting : The book!


I figured this would happen for a while, then he told us he was working on it, and here it finally is!

RSnake (a.k.a. Robert Hansen) has literally written the book on XSS. Well, he is a contributor, along with Seth Fogie, Jeremiah Grossman and Anton Rager. I'm really excited about this. According to the Amazon.com description, it covers the basics as well as some of the more bleeding-edge stuff. It's set to release March 1, 2007.

You should go pre-order it now. I know I’ll be picking this up.

Written by Rodney G

02/6/2007 at 10:21 am

Posted in Uncategorized
