Posts tagged with "security"
Notes on contentEditable and HTML injection

In the bad old days, all user-supplied text in a web page was entered using one form element or another: input for short texts such as names, and textarea for texts that may span multiple lines, such as comments or user feedback. These elements, while extremely useful and serviceable, didn’t always fit in with the web pages they occupied, and had no capacity for WYSIWYG editing of formatted text. But now, using the contentEditable attribute (one of HTML5’s many innovations), almost any element on the page can be used for user-supplied...

Password strength

So here’s something most people in the know will tell you about setting a strong password: length beats complexity. A 30-character password made up entirely of lowercase letters is going to be more difficult for an attacker to break (whether by brute-force guessing passwords on an online login page or by cracking password hashes compromised in a data breach) than an 8-character password with the requisite mix of uppercase and lowercase letters, numbers and special characters. What’s really convenient and almost mind-blowing about this is the...

Notes on CSRF and the ASP.NET ViewState

In principle, Cross-Site Request Forgery is a pretty straightforward kind of website vulnerability. Easy to test, common, and not trivial, but also not very severe. I send a request to a website to perform some action on my behalf. The website understands the action I want to perform by the data contained in my request: which URL it’s going to and what GET or POST parameters it’s carrying. It understands who I am by looking at my session cookie, a separate piece of data which I get when I log on and...

Directory persistence hack for webshells

The scenario: you’re busy pen testing a webapp and you get code execution somehow. Probably with a dinky little webshell like <?php echo shell_exec($_GET['e']); ?>. For whatever reason, you can’t get, or don’t feel like getting, something more sophisticated. But the one thing that really irritates you is having to cd through to the directory you want with every new command. Well, here’s a little Ruby script that will do that for you, literally by remembering every single one of your cd commands and prepending them, in order, to all...

Notes on CSRF and JSON APIs

This is going to be a schizophrenic blog post. I’m still not quite sure who I wrote it for. The first part explains what CSRF is in some detail, and the second part goes into technicalities about a particular brand of CSRF. So if you know what CSRF is and possess no delusions about the security of POST parameters, skip here. Cross-site request forgery (CSRF) is one of my favourite types of web application vulnerabilities. Not because of its severity – in most cases, finding CSRF in a...