XSSing

Browser Diligency

A recent study has shown that 83.3% of Firefox users are running the latest version, whilst only 47.6% of IE users are running the latest patched version. The report suggested that legacy enterprise applications may be to blame. Some legacy software doesn’t allow software updates. But I’d throw in that Firefox can download and install the [...]


Scripts in ASF files

A classic trick is to embed a script or text in a file with a different extension. For example, saving a text file as jpg. When the browser comes to look at it, it will likely try to resolve it as jpg. But there is a plethora of extensions out there. Some extensions activate applications (e.g. Acrobat, [...]


Take XSS to the bank

Looks like HSBC has a number of scripting flaws.


Security sites and XSS

You should always practice what you preach and the giants are not doing that at all… Check out xssed! VeriSign, McAfee and Symantec have been found to be vulnerable according to The Register.
McAfee do not appear to be handling XSS very well as their ‘hacker safe’ certification does not cover all XSS according to [...]


1-step, 2-step XSS! (Part II)

I neglected to mention in the original post what the implications of two-step XSS are.
The behaviour of some websites to put in viewstate and cookies may well be used to fight CSRF. If that’s the case, it may be possible to inject malformed strings into the viewstate by forcing errors. So you may well [...]