Over the course of the last couple of days, I’ve been heavily attacking various file upload facilities including but not only embedded devices configuration and firmware upload interface. Some of the setups, I’ve encountered, were pretty secure while others where quite easy to hack into. And this is how I came up with a technique for performing remote file upload attack via a third-party entity such as an authorized user. [...]
XSS is the New Buffer Overflow, JavaScript Malware is the New Shell Code.
XSS Attacks - Cross Site Scripting Exploits and Defence is a book project that I was involved into, together with Jeremiah Grossman, Robert RSnake Hansen, Anton Rager and last but not least, Seth Forgie - technical editor and coauthor. I must say, that the project was a lot of fun mashed with hard work and numerous sleepless nights. [...]
It is probably about time to announce that I am one of the authors of the XSS Book, RSnake talked about a month ago on his blog. The complete list of authors is: Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager and Petko Petkov (a.k.a me).
The book is going quite well and I hope that it will provide a good starting point for those who are interested in getting into client-side web security but don’t know much about it. [...]
Backframe is a full-featured attack console for exploiting WEB browsers, WEB users and WEB applications. Backframe was started as a pet projected called Backweb. Because Backweb is a registered trademark of Backweb Technologies, the application name has changed to what it is today.
Backframe is very extensible attack console, resembling all features from a class of tools known as XSS proxies. The actual framework contains a lot of more features. [...]