U R Insecure – how URI exploits are changing the webappsec landscape

This article is about the recent activities and research that have been undertaken around URI handler implementations in modern browsers, about the tremendous security problems that were discovered as a result, and about the ways application developers can protect their users from the rising threat.

Once upon a time…

Browsers have had URI handling features for quite some time now. [...]

Interview with XS-Snipers

Q: How did you discover the potential of URI handler research?

Billy was eating a peanut butter and jelly sandwich and a big glob of peanut butter fell on the keyboard and typed res:// and pushed enter into his IE window. No, seriously, Rios discovered some interesting stuff with the res:// URI; shortly thereafter I discovered some articles around the ms-its:// URI and figured this may be an avenue of attack. [...]

