.mario📎 on Twitter: "@0x6D6172696F My favorite part so far is <a href="..." type="text/html"> actually doing type hints that enable XSS in impossible situations."@0x6D6172696F My favorite part so far is <a href="..." type="text/html"> actually doing type hints that enable XSS in impossible situations.
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-application XSS
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-application XSS The clipboard is one of the most commonly used tools across operating systems, window managers and devices. Pressing Ctrl-C and Ctrl-V has become so fundamentally important to productivity and usability that we cannot get rid of it anymore. We happily and often thoughtlessly copy things from one source and
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else ECMAScript 6, in short ES6, has been boiling in a copper pot for many years by now and step-by-step, browser vendors come forward to taste the first sips of this mystery soup. So, ES6 is no longer a theoretic language but already crawled across the doorstep and now lurks under your bed, ready for the
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks The document discusses JavaScript MVC and templating frameworks and security issues found during penetration testing. Several frameworks were found to execute arbitrary JavaScript from markup in dangerous ways due to overuse of eval-like functions and lack of separation between code and content. This could lead to bypassing of
Scriptless Attacks – Stealing the Pie Without Touching the Sill
Scriptless Attacks – Stealing the Pie Without Touching the Sill Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, Jörg Schwenk Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany {firstname.lastname}@rub.de ABSTRACT Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community members. In the sa
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill - The document discusses scriptless attacks that can bypass traditional XSS defenses like NoScript and XSS filters by leveraging new HTML5 and CSS features. - It presents several proof-of-concept attacks including using CSS to steal passwords, using SVG fonts to brute force CSRF tokens, and using custom fonts to leak sensitive informa
The innerHTML Apocalypse
This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and ap
1
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
[PDF]ECMAScript 6 for Penetration Testers
prompt.ml
[PDF] mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
.mario📎 on Twitter: "<p style="font-family:',;a\\22\\3e\\3cimg\\20src\\3dx\\20onerror\\3d\\61lert\\28\\31\\29\\3e:1'"> < my favorite mXSS vector"
[PDF]Scriptless Attacks – Stealing the Pie Without Touching the Sill