Enter JavaScript in the box below and press "encode":

GNUCITIZEN has been going on about this for some time now, but the truly devastating impact of what he has been saying only actually hit me today when reading about his JavaScript interface to Johnny's Google Hacking Database. The scenario is as follows. The interface contains NO SERVER SIDE SCRIPTS and no iframes or other such methods for loading offsite data but instead utilises the JSON data format to include remote script files.

ha.ckers are reporting that their book on Cross Site Scripting has finally been released! Buy a copy at Amazon! RSnake + Jeremiah Grossman's Book Released was originally published by Martin Paul Eve at Martin Paul Eve on May 20, 2007.

Stefano Di Paola presented an interesting paper on Flash security at OWASP 2007 which highlights the dangers of HTML being rendered from within Flash via GET querystrings. Of particular note is the non-sanitization of comments (filter evasion by // .jpg) so check it out. XSF: Cross Site Flashing was originally published by Martin Paul Eve at Martin Paul Eve on May 19, 2007.

http://websecurity.com.ua/category/moseb/ MOSEB month of search engine bugs was originally published by Martin Paul Eve at Martin Paul Eve on May 16, 2007.

As the title says, heise Security have found a backdoor in the Artmedic CMS system. The interesting question is how this backdoor was implanted - giving the benefit of the doubt it's possible that the development server was compromised and the code injected (the changes date back to the 2nd of May), but on the other hand the developer's not to heise's emails could be indicative of something more sinister.

kishord today presents a tool, called XSS in eXceSS and hosted by .mario that will allow you test attack vectors against a page in different contexts. On top of that it also incorporates PHP IDS, allowing you to skip whichever rules you choose. From kishord's post: Good stuff! XSS in eXceSS: A "learn-XSS tool" was originally published by Martin Paul Eve at Martin Paul Eve on May 16, 2007.

Just a quick note to point out this invaluable resource for those interested in XSS attack vectors; rsnake's XSS Cheat Sheet. XSS Cheat Sheet was originally published by Martin Paul Eve at Martin Paul Eve on May 16, 2007.

For those who haven't yet seen this, .mario and christ1an over at sla.ckers has been working on a PHP Intrusion Detection System and the results are fairly promising! The system is based on regular expressions and seems to catch everything I've jammed into it so far.

Here is a nice tool for encoding JavaScript into eval(String.fromCharCode(x,x,x)) format. A full HTML page is listed here, or you can try it out live at the bottom of this post. {% highlight html %} Javascript Eval Encoder function encode_to_javascript() { var input = document.getElementById('inputtext').value; var output = 'eval(String.fromCharCode('; for(pos = 0; pos < input.length;

pdp has an interesting post from last month about amendments to the British Computer Misuse Act that specify the illegality of "making, supplying or obtaining articles for use in computer misuse offences". Time to make a "terms and conditions" for this site. Amendments to the British Computer Misuse Act was originally published by Martin Paul Eve at Martin Paul Eve on May 15, 2007.