Thursday October 23rd 2014


‘xss’ Archives

HOWTO: Find anyone’s address from their router MAC address using undocumented Google Maps API

Here is a proof of concept on obtaining *accurate* GPS coordinates of a user sitting behind a web browser via router XSS. The router and web browser themselves contain NO geolocation/GPS data. This is also not IP based geolocation. I'm not so amazed that a router firmware could be vulnerable to an XSS attack on the WAN facing GUI. Really [...]

Use Twitter? Turn off JavaScript… there’s bad XSS issues there being exploited right now

So, I started seeing odd tweets in my timeline, it seems that posting a link like this: http://oh.no/@"onmouseover=";alert('XSS')" fails input validation, resulting in the script being executed when you mouse over the tweet. Note that you can inject pretty much any attribute this way, including style, letting your tweet use fixed [...]

4chan has field day with YouTube injection flaw

Eager YouTube fans were greeted with annoying pop-ups, disabled comments, and even porn redirects over Independence Day weekend as they tried to scope out their favorite videos. A group of malicious pranksters (believed to be from 4chan) was able to take advantage of a cross-site scripting vulnerability in YouTube's comments Sunday, breaking [...]

Cross Site Scripting (XSS) Prevention Cheat Sheet

This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack. These rules apply to all the different varieties of XSS. Both reflected and stored XSS can be addressed by [...]

New XSS Attack Builds An Anonymous Network

A pair of researchers has combined cross-site scripting (XSS) and anonymization techniques to build a framework that lets an attacker gather Web content incognito. "Our goal was to retrieve Web content anonymously," says Matthew Flick, principal with FYRM Associates, who, along with fellow researcher Jeff Yestrumskas, demonstrated the XSS [...]

MIME sniffing in Internet Explorer enables cross-site scripting attacks

Many large sites make special efforts to protect their visitors against possible JavaScript attacks, by, for example, implementing special filters that guard against active content, although most of them can't switch off their own active content – such as JavaScript, HTML code and Flash applets in profiles, blogs and forums. Most interactive [...]