Topic: Technology
7:27 pm EDT, Jun 11, 2007
From the Ajax Security book:

Data sharing with userData is extremely limited. You cannot share data between different domains or even sub domains of the root domain. You cannot share data with other web servers or services running on different ports of the same domain. You can only share data between web pages inside the same directory on the same For example, data stored by http://company.com/Storage/UserData.html can be accessed by http://company.com/Storage/Checkout.html or any other page inside the /Storage/ directory. Attempting to access data from other pages simply returns null. These are the default restrictions and they cannot be changed. This default closed policy is almost the exact opposite of the default cookie policy. This constitutes the lone good security decision in Internet Explorer 5.0.
Book Snip: The Absurdity of Cookie Storage
Topic: Technology
2:05 am EDT, Jun 6, 2007
The following is an excerpt from the upcoming Ajax Security book. It discusses a downside of using HTTP cookies as a persistent client-side storage system: they get appended to every appropriate HTTP request. To illustrate this more clearly, think of cookie storage like having to remember an errand to do after work by shouting it at the end of every sentence you say. It would sound something like this:

Bryan: Hello Billy, what's shaking?
Billy: Hey Bryan. Just finishing this chapter on offline Ajax. Pick up Red Bull On the Way Home!
Bryan: ... ... Uhhhhh, Ok. Why are you shouting that at me instead of writing it down?
Billy: Because I chose a poor client-side storage methodology. Pick up Red Bull On The Way Home!
Bryan: ... ... Ok, this is just weird. I'm leaving.
Billy: You should be glad I can only store 4K of data this way. Pick Up Red Bull On The Way Home!

That's right, no silly appendices full of ASCII tables and RFCs. We replaced that crap with comedy. Extremely poor comedy :-) All writing and no play makes Billy a dulllllllllllllllllllll boyyyyyyyyyyyyyyyyyyyyyyy. [sleeps]
'The Most Beautiful Destruction...'
Topic: Technology
12:29 pm EDT, Jun 4, 2007
Disclaimer: This is most likely just Pat messing around. I'm not claiming this story is true one way or the other. I'm just relaying a funny story I heard last night in a bar. Anyway...

Optyx is in Atlanta for the week and we got some drinks with John Terrill last night. A good time was had by all talking about crypto, web apps, the homies on #vax, brushes with the law, security charlatans, and new opportunities. The night was finished with a stumbling tour of Pat's and my old stomping grounds: Georgia Tech. If you don't know Optyx, he's forgotten more hacker stories than I'll ever have. The following is, as best as the beers will let me remember, the story of the Cray-2. I've tried to tell the story as close to the way Pat did. Any errors are the fault of Guinness.

So I was living in San Francisco working at a web hosting startup. A friend of mine at Lawrence Livermore National Laboratory gives me a heads up, saying they were decommissioning their Cray-2 supercomputer. I decided to buy it, but the regulations said the lab had to hold a public auction to sell it. However, it didn't say how far in advance the time or place of the auction had to be published. Through some help from my friends at the lab an auction got set up where I was the only bidder. The auctioneer wasn't in on the scheme and he opened the bidding at $2000. I looked around, saw I was the only guy, and said "$1000." They sold me the Cray-2 for a grand and I took it back to my house on Treasure Island in the back of a U-Haul. A Cray-2 weighs more than a ton so this was not an easy task.

The big problem I had was how to power the thing. I hacked together a power converter and ran it off the 3-phase power outlet for the clothes dryer. But I had this girl roommate who used to complain about not being able to dry her clothes when she wanted because the computer was on. So the uptime of the supercomputer was dependent on the laundry habits of a roommate! After the first month, I got the power bill. It was $2200. I decided it was time to sell the Cray.

Through a mutual friend, I found some .com yuppie who wanted to buy the Cray and use it as a couch. I sold it for around $3500 to recoup the cost of the machine and the power bill. I visited his house, which was on the side of a hill in SF. You'd park in a 1-car garage underneath the house and use stairs to go up into it. It was like a big loft space on the 1st floor and that is where he decided to put the Cray-2. I asked him if his floor was reinforced because the Cray-2 weighed a ton. The yuppie said the house had steel floor beams and not to worry. I broke the Cray down for shipping (which consists of breaking it into 300 pound pieces you move around with a pallet dolly) and delivered it to his house. The stairs were really steep but with the help of a bunch of friends we got each piece into the house. I set it up for him in the living room but didn't plug it in.

About 3 days later I get a call from the mutual friend. The Cray-2 broke through the floor causing serious damage to the house. It fell down into the garage and crushed the yuppie's month-old BMW 7 series. I immediately left work and went to the yuppie's house. It was the most beautiful destruction I have ever seen. A destroyed supercomputer on top of the crushed remains of a beautiful car. Most of the Cray looked like it had landed on the hood of the car just in front of where the windshield would be. The impact almost sheared the front of the car from the passenger compartment. It appears that the Cray then fell backward on top of the rest of the car, crushing it. Both axles were broken and there was glass everywhere. And that was the story about how I owned a Cray-2 supercomputer for a month and a half.
Topic: Technology
2:32 pm EDT, May 30, 2007
Based on methodology from the JavaScript vulnerability scanner Jikto, we will also demonstrate DOMinatrix, a JavaScript payload using SQL Injection to extract information from a website's database.
DOMinatrix: Spanking the DOM the way the DOM likes it! I'd like to thank Dan Kaminsky for the suggestion. He came up with the name and challenged me to come up with the spanking victim. You'll see it at Blackhat.
Topic: Technology
11:35 am EDT, May 29, 2007
Hello all, Just a reminder that we've got a call today at 2 Eastern, 11 Pacific. I'm attaching below a list of Web research methods compiled by the security pros in our group. The agenda for today is to get a feel for how the law might interpret these actions, and how likely criminal prosecution would be.
Today is going to be a good day :-)
Topic: Technology
1:49 pm EDT, May 27, 2007
A remote user can send specially crafted data to trigger a buffer overflow in the UPnP Internet Gateway Device Standardized Device Control Protocol code and execute arbitrary code on the target system. The code will run with the privileges of the target service.
"privileges of target service" == root

Apple credits Michael Lynn of Juniper Networks with reporting this vulnerability.

Mike's fuzzing DNS again which is oh so Dan Kaminsky-esque. update: My name is Billy, and I am retarded. This is UPnP. Too much Book, not enough sleep.

Remote root in Mac OS-X
Topic: Technology
4:04 am EDT, May 22, 2007
Canonicalization, much like life, is a bitch. Yet another way higher character encodings get downgraded into lower character encodings, bypassing IDS/IPS signatures. Of course, this is just another example of the fundamental problem: IDS aren't looking at the same bytes the destination service is looking at. Arian Evans does a good job scoping this:

Somewhere along the path from HTTP protocol --> to app untrusted entry point --> to parser, there are several possible layers of decoding. These could include:
- Web Server itself
- Web Server plugin
- Canonicalization in framework (e.g. some .NET modules)
- Canonicalization steps in web app code.
- Decoding and interpretation by shellscripts and the like.
- Decoding certain encoding types for normalization (see this a lot in PHP, or cookies base64 file-system encoded, etc.)
- etc.

This means that: It is possible for an app to have one or more layers of canonicalization/conversion, allowing for even crazy things like double and triple-encoding, which IDS/IPS do not handle at all over HTTP

My homies in X-Force are going to have a shitty day tomorrow... ... but not as shitty as Bob Auger is going to have. I remember him starting to do this about 6 months ago, but he wasn't the one who broke the news. Bummer. Web hackers 9999, IDS 0
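As an added example (not from this post or from Arian Evans's write-up), here is a Python canonicalizer that walks the decoding layers listed above until the value stops changing, so a signature is matched against the bytes the application would actually act on rather than the bytes on the wire. The sample values, the single traversal signature and the round cap are constructed for illustration; the base64 layer stands in for the base64-encoded cookie case the list mentions.

```python
"""Defender-side canonicalization: decode to a fixed point, then match."""
import base64
import binascii
import re
from typing import Optional, Tuple
from urllib.parse import unquote

MAX_ROUNDS = 5  # constructed cap so a pathological value cannot loop forever


def _try_base64(value: str) -> Optional[str]:
    """Return the decoded text only if value is strict base64 of printable ASCII."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # Short alphanumeric tokens can look like base64 by accident, so only
    # enable this layer where the app really base64-decodes (e.g. a cookie).
    return text if text.isprintable() else None


def canonicalize(value: str, allow_base64: bool = False) -> Tuple[str, int]:
    """Apply percent-decoding (and optionally base64) until nothing changes.

    Returns (canonical_value, rounds_applied). rounds > 1 means the value
    was encoded more than once, which is the double/triple-encoding case.
    """
    current, rounds = value, 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(current)
        if allow_base64 and decoded == current:
            b64 = _try_base64(current)
            if b64 is not None:
                decoded = b64
        if decoded == current:
            break  # fixed point reached
        current, rounds = decoded, rounds + 1
    return current, rounds


# Constructed signature for one canonical pattern (directory traversal).
TRAVERSAL = re.compile(r"\.\./")


def inspect(value: str, allow_base64: bool = False) -> dict:
    """Compare what a byte-level signature sees with what the app will see."""
    canonical, rounds = canonicalize(value, allow_base64)
    return {
        "canonical": canonical,
        "rounds": rounds,
        "naive_match": bool(TRAVERSAL.search(value)),      # wire bytes only
        "canonical_match": bool(TRAVERSAL.search(canonical)),
        "multi_layer": rounds > 1,                          # flag on its own
    }
```

A request that only becomes meaningful after two or more decode rounds is worth alerting on by itself, independent of any signature hit.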
Topic: Technology
1:47 pm EDT, May 17, 2007
Microsoft's blog on JScript development: JScript Blog
Efficient JavaScript - Opera Developer Community
Topic: Technology
1:45 pm EDT, May 17, 2007
Traditionally, a Web page would not contain much scripting, or at least, not much that would affect the performance of that Web page. However, as Web pages become more like applications, the performance of scripts is having a bigger effect. With more and more applications being developed using Web technologies, improving the performance of scripts is becoming increasingly important.
JavaScript optimization is cool. Automated optimization would be 1337.

Efficient JavaScript - Opera Developer Community