homakov.blogspot.com
When I read about No CAPTCHA for the first time I was really excited. Did we finally find a better solution? Hashcash? Or what? Finally it's available, and the blog post disappointed me a bit. Here's the Wordpress registration page successfully using No CAPTCHA. Now let's open it in an incognito tab... Wait, the annoying CAPTCHA again? But I'm a human! So what Google is trying to sell us as a comprehensive bo
This is a story about 5 low-severity bugs I pulled together to create a simple but high-severity exploit, giving me access to private repositories on Github. These vulnerabilities were reported privately and fixed in a timely fashion. Here is the "timeline" of my emails. More detailed/alternative explanation. A few days ago Github launched a Bounty program, which was a good motivator for me to play w
TL;DR I can craft a page "polluting" CDNs, blogging platforms and other major networks with my cookies. Your browser will keep sending those cookies and servers will reject the requests, because the Cookie header will be very long. The entire Internet will look down on you. I have no idea if it's a known trick, but I believe it should be fixed. Severity: depends. I checked only with Chrome. We all kno
TL;DR ///host.com is parsed as a relative-path URL by server-side libraries, but Chrome and Firefox violate the RFC and load http://host.com instead, creating an open-redirect vulnerability for library-based URL validations. This is WontFix, so don't forget to fix your code. Think as a developer. Say you need to implement /login?next_url=/messages functionality. Some action must verify that the next URL is
TL;DR: In Firefox, regexps with 999 998+ groups return false, no matter whether the given string was valid or not. It seems like a performance optimization, but theoretically it can lead to security issues. I believe it should raise an exception instead of fooling the code. Unrelated prehistory: A few weeks ago I was trying to XSS the m.facebook.com location.hash validation with a timing attack. (/^#~?!(?:\/?[\w\.
I wrote about this problem in May, without showcases, just a theoretical post http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html It didn't help. Now I want people to take the issue seriously. This is a huge unsolved problem. Developers have a tool which they don't know how to use properly. So they use it however they find convenient. It leads to security breaches. Reminds mass-assig
Is open redirect bad for your website? If we don't take "phishing" into account, how can an open redirect be dangerous? Consider reading http://homakov.blogspot.com/2013/03/redirecturi-is-achilles-heel-of-oauth.html because any redirect to a 3rd-party website will leak the facebook access_tokens of your users. So an innocent open redirect on logout will simply reveal the access_token of the current user when we set redir
Please don't think about OAuth2 as the next generation of OAuth1. They are completely different, like colors: OAuth1 is the green version, OAuth2 is the red version. The biggest OAuth1 provider is Twitter. I bet ($100!) they are not switching to OAuth2 in the near future. Pros and cons: + becoming compatible with the rest of the social networks - making the authorization flow insecure, like the rest of
I facepalm when I hear about CSRF in popular websites. (I was searching for them in the past but then realized that's a boring waste of time.) A while ago our friend Nir published a CSRF changing the Facebook password and it was the last straw. I can recall at least 5 major CSRF vulnerabilities in Facebook published in the last 6 months. This level of web security is unacceptable nonsense for Facebook. Eve
TL;DR We (me and @isciurus) chained several different bugs in Facebook, OAuth2 and Google Chrome to craft an interesting exploit. MalloryPage can obtain your signed_request, code and access token for any client_id you previously authorized on Facebook. The flow is quite complicated, so let me explain the bugs we used. 1. In Google Chrome XSS Auditor, leaking document.referrer. 3 weeks ago I wrote d
HN discussion TL;DR If a website uses OAuth multi-logins there is an easy way to log into somebody's account; protection is almost never implemented and people don't take into account that OAuth is also used for authentication. OAuth2 is an authorization framework. Apparently it's very popular now. Despite its popularity, a lot of people don't understand it deeply enough to write proper and secure
So I committed in the rails/rails repo. I simply added a <input value=USER_ID name=public_key[user_id]> field to the Public key update form, where USER_ID = 4223 (from https://api.github.com/users/rails). The backend didn't whitelist accessible attributes and had something like this: @key = PublicKey.find(params[:id]) @key.update_attributes(params[:public_key]) #Oh no! We passed public_key[user_id] of our victi
Sunday, March 4, 2012 i'm disappoint, github Yes, I behaved like a jerk. But why did you suspend my account? Oh yeah, Terms. But let's get real. It is not the way you were supposed to fix things. I, dammit, LOVE YOU P.S. All of you who make fun of my posts - I'm not an English speaker at all, so please never mind my wrong use of your language. peace Posted by Egor Homakov at 12:09 PM