Channel: WebstersProdigy » Web Hacking
Browsing latest articles
Browse All 12 View Live

BeEf Clickjacking Module and using the REST API to Automate Attacks

I’ve chatted about clickjacking a few times in the past. It’s an attack I think is often overlooked as non-important, and part of the reason people think that is probably because making these attacks...

ValidateRequest should probably still be Enabled

I noticed this post on reddit a couple weeks back, and it’s called “new .net xss bypass”. I look at .net apps more than anything else right now as part of my day job, so this new bypass is something I...

Stripping the Referer in a Cross Domain POST request

I recently came across a POST CSRF where the referer had to be from the same origin or be absent completely. Here are the ways I know about to remove the referer. A lot of people might know this sort...

.NET MVC AntiforgeryToken CSRF Testing

Besides work being busy, I’m heads down ramping up my Blackhat EU talk, which is mostly about CSRF. I promise it’s more interesting than it sounds. I’m saving my favorite pieces for the talk, but...

Common .NET ViewstateUserKey CSRF Issue

I’ve added the 2013BH tag to all posts related to my recent Blackhat EU talk – more posts are coming, and I’ll post the whole talk and finished whitepaper relatively soon. To understand this post,...

Qualys validaterequest ‘finding’ is an Annoying PCI Problem

Uh oh. A post about compliance. That means it’s a rant, because I think compliance is dumb. I love parts of the security community, like Defcon/Bsides/CTF/the movie hackers and stuff like that, but I...

Common OAuth issue you can use to take over accounts

TLDR; This is a post about a CSRF issue in OAuth I found where if a victim visited a malicious site while logged in, they could take over your account. At least stackexchange, woot.com, imdb,...

Cookie Tossing in the Middle

In the past I’ve talked about one way to get in the middle as an attacker and use Burp as a MiTM proxy. One very nice thing to do in this position is to write cookies. This is a small part of my...

CSRF tips for dealing with x-frame-options

X-Frame-Options is becoming more and more common. With OAuth, protecting against UI redressing is even in the spec, so just creating a frame to do all your sneaky stuff won’t really work. With some of...

The Deputies are Still Confused (Full talk and content from Blackhat EU)

I’m finally posting the whole talk and all its content. I’ve been posting bits and stuff since March. Here are the slides. There’s embedded media, so download for best results. Here are all the...
