Persistent CSRF and The Hotlink Hell

When we talk about CSRF we often assume that there is one kind only. After all, what else is in there when CSRF is all about making GET or POST requests on behalf of the victim? The victim needs to visit a page which launches the CSRF exploit. If the victim happens to have an established session with the exploited application, the attacker can perform the desired action like resetting the login credentials, for example. [...]


Author of the XSS Book

It is probably about time to announce that I am one of the authors of the upcoming XSS Book that RSnake talked about a month ago on his blog. The complete list of authors is: Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager and Petko Petkov (a.k.a. me).

The book is going quite well and I hope that it will provide a good starting point for those who are interested in getting into client-side web security but don’t know much about it. [...]


Playing in Large

When you are restricted by the size of input, you have to think about the smallest possible unit that can expand to something that is much bigger. In traditional buffer overflow vulnerabilities attackers take advantage of various packaging techniques. Sometimes, the overflow crack is so small that only 140-160 bites (figuratively speaking) of data can squeeze in. [...]


JavaScript Remoting Dangers

I’d like to thank pdp for giving me the opportunity to write a blog post. I’d like to use this post to discuss the various methods JavaScript can use to make HTTP requests. Each method has its own pros and cons that lend themselves to be used in different situations. We will ignore using JavaScript coupled with extra technologies such as Java applets or Flash and focus entirely on native JavaScript objects (or objects provided through ActiveX) and the DOM environment. [...]



WormX is a collection of various notorious web worms, mostly written on top of popular client-side technologies and propagating primarily on social networking web sites.

For those of you who do not know what ajax worms are, here is a bit of Internet history:

If you want to submit a worm, we are going to need the following information:

Worm name – It must be enclosed inside <h3>[atom name here]</h3> tags. [...]


Atom Database

The purpose of this project is to collect useful attack snippets (atoms) which can be employed when performing web application security testing. Atom submissions must follow a certain format, which is:

Atom name – It must be enclosed inside <h3>[atom name here]</h3> tags.
Atom description – It must start on a new paragraph.
Atom code – It must be enclosed inside <pre><code>[atom code here]</code></pre> tags. [...]


CSRF-ing Blogger Classic

In Blogger Classic, admin users who originally created a blog can be removed by other admin users. This behavior allows for a complete and non-reversible hijack of a Blogger Classic blog through CSRF/XSRF/session riding/one-click attacks.

The process is a two-shot attack, meaning that the victim admin user needs to click on two different links while being authenticated. Due to the nature of blogging, in which admins go through the comments posted by visitors, this attack is very feasible. [...]


Cross-site Request Forgery

CSRF or Cross-site Request Forgery sounds quite self-explanatory. This is an attack vector that gives malicious sites the ability to send a (forged) request from their context to a different site. The purpose of this attack vector is to act on behalf of the current user in order to gain control of his/her account or perform other types of malicious activities.

This may sound a bit difficult to imagine but in practice it is quite simple. [...]


Automated XSS Detection

Automation – it is the power to change the boring repetitive task into something that is more fun. Automation is also what I seek when I do security research or penetration testing. If there is a security vulnerability, we write an exploit for it. If there is a known method of exposing thousands of machines to malicious attacks, we write a worm for it or at least a vulnerability assessment engine. [...]


Backdooring MP3 Files

Recently I published information on how specially crafted HTML (remote and local), Flash and QuickTime (.mov) files can be used by malicious users to target and exploit internal and external networks. Then my friend and colleague David K released his findings on backdooring PDF documents via built-in Adobe Reader JavaScript features. Also, JavaScript malware via Google AJAX Search API seems to be possible and could affect many popular web products. As Billy Hoffman said, XSS is the new hotness! [...]
