Martin Paul Eve

Languages and literature: English

Stefano Di Paola presented an interesting paper on Flash security at OWASP 2007 which highlights the dangers of HTML being rendered from within Flash via GET querystrings. Of particular note is the non-sanitization of comments (filter evasion by // .jpg), so check it out. XSF: Cross Site Flashing was originally published by Martin Paul Eve at Martin Paul Eve on May 19, 2007.


As the title says, heise Security have found a backdoor in the Artmedic CMS system. The interesting question is how this backdoor was implanted. Giving the benefit of the doubt, it's possible that the development server was compromised and the code injected (the changes date back to the 2nd of May), but on the other hand the developer's failure to respond to heise's emails could be indicative of something more sinister.


For those who haven't yet seen this, .mario and christ1an over at sla.ckers have been working on a PHP Intrusion Detection System and the results are fairly promising! The system is based on regular expressions and seems to catch everything I've jammed into it so far.


kishord today presents a tool, called XSS in eXceSS and hosted by .mario, that will allow you to test attack vectors against a page in different contexts. On top of that it also incorporates PHP IDS, allowing you to skip whichever rules you choose. From kishord's post: Good stuff! XSS in eXceSS: A "learn-XSS tool" was originally published by Martin Paul Eve at Martin Paul Eve on May 16, 2007.


Just a quick note to point out this invaluable resource for those interested in XSS attack vectors: rsnake's XSS Cheat Sheet. XSS Cheat Sheet was originally published by Martin Paul Eve at Martin Paul Eve on May 16, 2007.


pdp has an interesting post from last month about amendments to the British Computer Misuse Act that specify the illegality of "making, supplying or obtaining articles for use in computer misuse offences". Time to make a "terms and conditions" for this site. Amendments to the British Computer Misuse Act was originally published by Martin Paul Eve at Martin Paul Eve on May 15, 2007.


ASP.NET comes preloaded with some default XSS protection which is actually pretty nifty. However, it turns out that the system can be circumvented by a variety of methods, as illustrated by this test input: It turns out that IE will still process attributes on closing tags, which circumvents the filter for <a, whilst also treating /**/ as a null comment but obviously breaking .NET's filter regex.


Admittedly of limited use, here is a JavaScript function I wrote to detect the presence of httpOnly cookies. In Firefox the function will overwrite the real value of the cookie, so before using this function it is vital to try to read the cookie normally! Here is the script embedded in a test PHP page.


Here is a nice tool for encoding JavaScript into eval(String.fromCharCode(x,x,x)) format. A full HTML page is listed here, or you can try it out live at the bottom of this post. Encode JavaScript eval String.fromCharCode encoder was originally published by Martin Paul Eve at Martin Paul Eve on May 15, 2007.


Many sites use JavaScript methods to inject a hidden form field into 404 pages to trace the original page that points to the invalid link. An example of this can be found at http://www.yaldex.com/FSPageDetails/_404Referrer.htm. The attentive observer will spot that this method of writing the field injects the HTTP referrer directly into the page without any sanitization. So what?
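The 404 referrer field described above, as an added example that is not part of the original post: the hidden field built by plain concatenation next to an attribute-escaped version, with a strict re-parse showing that the referrer only stays inside the attribute in the escaped one. The helper names and the sample referrer strings are constructed for this illustration.

```javascript
// Added example (not from the original post): the 404 "referrer tracer"
// pattern, written as string-building helpers so the unsanitised and the
// escaped forms can be compared outside a browser.

// Escape a string for use inside a double-quoted HTML attribute value.
// '&' goes first so already-encoded output is not double-encoded.
function escapeHtmlAttribute(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsanitised: the referrer is concatenated straight into markup, so a
// referrer containing a double quote terminates the attribute early.
function unsafeReferrerField(referrer) {
  return '<input type="hidden" name="referrer" value="' + referrer + '">';
}

// Hardened: encode before concatenation; the value stays in the attribute.
function safeReferrerField(referrer) {
  return '<input type="hidden" name="referrer" value="' +
    escapeHtmlAttribute(referrer) + '">';
}

// Re-parse with a strict shape: one input tag, a value attribute containing
// no quote or angle bracket, nothing trailing. Returns null if the markup
// no longer has that shape (i.e. the attribute was broken out of).
function extractValue(markup) {
  const m = /^<input type="hidden" name="referrer" value="([^"<>]*)">$/.exec(markup);
  return m ? m[1] : null;
}

// In a browser the safe variant is document.write(safeReferrerField(document.referrer)),
// or better, avoid markup entirely: create the input with document.createElement
// and assign document.referrer to its .value property, which is never parsed as HTML.

const normalRef = 'https://example.test/old-page?id=42';  // constructed sample
const hostileRef = 'https://example.test/?"x';            // constructed sample with a stray quote

console.log(extractValue(unsafeReferrerField(normalRef)));  // the URL, unchanged
console.log(extractValue(unsafeReferrerField(hostileRef))); // null: attribute closed early
console.log(extractValue(safeReferrerField(hostileRef)));   // encoded value, still one attribute
```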