GitHub - Metnew/uxss-db: 🔪Browser logic vulnerabilities :skull_and_crossbones:You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
Insane in the IFRAME -- The case for client-side HTML sanitization
Insane in the IFRAME -- The case for client-side HTML sanitization Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk will make the case that as server-side HTML sanitizers lack the ability to effectively simulate every potential user agent, the client
Masato Kinugawa Security Blog: 各ブラウザがサポートするcharsetのリスト
メジャーブラウザがサポートするcharsetのリストを個人的に調べてまとめたので公開します。 正式名とエイリアスのリスト http://l0.cm/encodings/list/ 表にしたもの http://l0.cm/encodings/table/ charsetの発見は以下のようにして行いました。 1. charsetとして認識してくれそうな文字列をウェブからかき集める。 2. Content-Typeヘッダのcharsetの値に、集めた文字列から1つ選んで指定し、bobyには、<meta charset="iso-2022-jp">を含んだページを作る。 3. 2で作ったページをフレームに読み込み、親フレームからJavaScriptでフレームに設定されたcharsetの値を読み取る。 4. 取得されたcharsetの値により以下のAかBの判断/処理をする。 A. iso-2022-
Shazzer - Shared Fuzzer
Shazzer - Shared online fuzzing What is Shazzer? Shazzer is an online fuzzing tool, to store and collect fuzzing data. It allows you to create fuzz vectors to share with your friends and work colleagues and collate the results. You can use multiple clients and different browsers to perform tests and have all the information in one place without having to do the same test again. Login
Browser's implied globals
Like it's not bad enough that JavaScript has implied globals (forget var and you create a global), but the browsers have decided it's a good idea to add more pollution to the global namespace. This has been a source of frustration before with IE, it's really hard to understand the logic behind it, but it's also happening in other browsers. Consider this:
1
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
Erlend Oftedal on Twitter: "@0x6D6172696F @johnwilander @fhemberger Has @randomdross tool from AppSecEU been released yet? http://t.co/XkIvw5HQSH"
[PDF] The Web IS Vulnerable: XSS Defense on the BattleFront
[PDF]Got your Nose! How to Steal Your Precious Data Without Using Scripts by Mario Heiderich
Shazzer - Shared Fuzzer
Shazzer - Shared Fuzzer
http://sla.ckers.org/forum/read.php?24,35534,35534
[pdf]Flirting with MIME Types: A BROWSER’S PERSPECTIVE![[pdf]Flirting with MIME Types: A BROWSER’S PERSPECTIVE](https://cdn-ak-scissors.b.st-hatena.com/image/square/6ff18e8acfc3de003e26360654f934fe90394516/height=288;version=1;width=512/http%3A%2F%2Fstatic1.squarespace.com%2Fstatic%2F6128b1eb2eb2cf15b7a35a2f%2Ft%2F65b5ceb01878582ed1a96ae8%2F1706413745042%2FLSG_social_stacked_logo_square.png%3Fformat%3D1500w){kind=logo}
Secure Content Sniffing for Web Browsers or How to Stop Papers from Reviewing Themselves Adam Barth UC Berkeley Juan Caballero UC Berkeley and CMU Dawn Song UC Berkeley Abstract Cross-site scripting defenses often focus on HTML documents, neglecting att
【老品牌】信誉平台
WWW2007