Archive for October, 2006

The GIF-Bug is still alive

Comments Published October 26th, 2006 in security

Long time ago I found an interesting vulnerability in the Microsoft Internet Explorer 6 in which it was possible to execute javascript which was included in an image. The following is the the timeline of it:
07/15/05 Sven Vetsch detects the flaw
07/31/05 Sven Vetschs informs Microsoft
08/08/05 Semi-automated response by Microsoft
09/19/05 Proof-of-concept published at computec.ch
09/19/05 Full article [...]

Attacking netvibes.com

Comments Published October 26th, 2006 in security

After I read the blog post of RSnake in which he shows an XSS at netvibes.com I also thought that I should have a look at this webservice. First I have to say that the guys there have done a great job, this service really shows what the mysterious Web 2.0 is. On the other [...]

How to bypass Mozilla Firefox 2.0 Phishing-Filter

Comments Published October 24th, 2006 in security

I’m using Mozilla Firefox now for a long time and so I’m happy to have version 2.0 since today.
But of course in my profession and hobby as a security guy, the first thing I did was to test the new security features. One of these is the Phishing-Filter and here’s my workaround
Option 1:
The [...]

XSS vulnerability scanner

Comments Published October 21st, 2006 in security

As I wrote in one of my last postings, here’s the posting for my XSS vulnerability scanner I presented at 0sec.
What is it and what can you do with it?
As the name says, it’s a XSS vulnerability scanner. I wrote it during my research in the topic of XSS and as a part of my [...]

Attacking PDAs with XSS

Comments Published October 18th, 2006 in security

After my talk at 0sec I had an interesting short conversation with Roberto from Zone-H about attacking PDAs and especially smartphones trough XSS. Now here are some ideas I had about it. Because this are only ideas, I don’t know if it’s really possible to lunch such kind of attack at all
An idea [...]

Talk at 0sec

Comments Published October 17th, 2006 in personal, security

Last weekend (13. – 15. October 2006) I had a talk at a small security conference in Switzerland called 0sec where the organizer was my employer the Dreamlab Technologies Ltd.
My talk was named “The Future of XSS” and I think I’ve done my part there well, especially if I think about the fact that this [...]

Blog goes online

Comments Published October 17th, 2006 in personal

Long time ago I set up my old website and since a while I never put something new on it. The only thing I did from time to time was to write one or two sentences in form of a news post. Because of this I decided to set up a blog.
Now it’s possible to:

setting [...]