Archive for April, 2007

Input Validation Cheat Sheet Released

April 12th, 2007 * Comments(0)

I hope the Input Validation Cheat Sheet can be used to aid web developers to test their web applications with emphasis on manual enumeration of common and basic security issues facing web applications today.

The idea is to have a quick resource to play with; if a security issue is found you can call for help.

After finding the SQL Injection Cheat sheet useful, I decided to also release an Input Validation Cheat sheet. As usual feedback and contributions welcome.

Wireless Penetration Testing Mindmap

April 10th, 2007 * Comments(0)

The guys at WirelessDefense have put together an awesome wireless penetration testing mindmap. Very nicely done:

Full details can be obtained from the WirelessDefense.org website.

Bypassing ASP.NET XSS Filters

April 10th, 2007 * Comments(6)

pagvac from ProCheckUp released an advisory on how to bypass ASP.NET XSS validation.

This attack is only possible with Internet Explorer users as it exploits the old IE CSS comment hack; a very creative find indeed from the guys at ProCheckUp.

Proof of Concept:

Alert box injection - simply provided for testing purposes
(may cause DoS issues on Internet Explorer)
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression
(alert('XSS'))>

ASP.NET will also escape double quotes("), so although a number .NET servers are vulnerable to this, it is somewhat mitigated by this fact.

ASP Auditor (with a little mod) could be used to test if your web server(s) are vulnerable. Let me know if your interested. I hope to add this check to the tool shortly.

Firebug XSS Mayhem

April 05th, 2007 * Comments(0)


Firebug is a very powerful JavaScript debugger for Firefox … it has tons of useful features like a dynamic console, DOM tree explorer, CSS viewer/editor … [and much more].

Firebug was exploited by pdp yesterday. Read more »

« Previous Page

Recent