Ways you haven’t stopped my XSS, Number 2–backslash doesn’t encode quotes in HTML attributes

Last time in this series, I posted an example where XSS was possible because a site’s developer is unaware of the implications that his JavaScript is hosted inside of HTML. This is sort of the opposite of that, noting that time-worn JavaScript (and C...
Posted by Alun Jones | with no comments

Ways you haven’t stopped my XSS–Number 1, JavaScript Strings

I saw this again today. I tried smiling, but could only manage a weak grin. You think you’ve defeated my XSS attack. How did you do that? Encoding or back-slash quoting the back-slash and quote characters in JavaScript strings. Sure, I can no longer turn...
Posted by Alun Jones | with no comments

In which a coffee store learns not to blacklist

I’ve been playing a lot lately with cross-site scripting (XSS) – you can tell that from my previous blog entries, and from the comments my colleagues make about me at work. Somehow, I have managed to gain a reputation for never leaving a search box without...
Posted by Alun Jones | with no comments

Playing with security blogs

I’ve found a new weekend hobby – it takes only a few minutes, is easily interruptible, and reminds me that the state of web security is such that I will never be out of a job. I open my favourite search engine (I’m partial to Bing, partly because I get...

Using URL anchors to enliven XSS exploits

I hope this is original; I certainly couldn’t find anything in a quick bit of research on “Internet Explorer”, “anchor” / “fragment id” and “onfocus” or “focus”. [Click here for the TLDR...
Posted by Alun Jones | with no comments

On new exploit techniques

Last year’s discussion on “Scriptless XSS” made me realise that there are two kinds of presentation about new exploits – those that talk about a new way to trigger the exploit, and those that talk about a new way to take advantage of the exploit. Since...
Posted by Alun Jones | with no comments

XSS Hipster loved Scriptless XSS before it was cool

I was surprised last night and throughout today, to see that a topic of major excitement at the Microsoft BlueHat Security Conference was that of “Scriptless XSS”. The paper presented on the topic certainly repeats the word “novel” a few times, but I...

NCSAM/2011–Post 17–SSL does not make your web site secure

I know, it sounds like complete heresy, but there it is – SSL and HTTPS will not make your web site secure. Even more appropriate (although I queued the title of this topic up almost a month ago) is this recent piece of news: Top FBI Cyber Cop Recommends...

Simplifying Cross Site Scripting / HTML Injection

Some simple statements about Cross Site Scripting / XSS / HTML Injection (all terms for the same thing): Ignore the term “Cross Site Scripting” as a confusing anachronism. Think “HTML Injection” whenever you hear “Cross Site Scripting”, and you won’t...
Posted by Alun Jones | with no comments

Cross-Site Scripting (XSS) – no script required

I’m going to give away a secret that I’ve successfully used at every interview I’ve had for a security position. “Cross-Site Scripting” (XSS) is a remarkably poor term for the attack or vulnerability (code can be particularly vulnerable to a cross-site...