Finding 0day in something major is the awesome. Waiting for the vendor is the suck.

In octal of course!

var x = 010;
alert(x); //displays 8

In JavaScript, Numeric Literals with leading 0's are treated as octal literals, unless the prefix is 0x, in which case its hex.

Also, you are missing the other part of Jikto, which is the command console - which was basically exactly the same as Jeremiah's code (it might have even been the exact same - I'm not sure without looking at it).

I've heard some silly claims before, but wow. I get my chops busted for Jikto, and then get my chops busted again because someone thinks I'm doing it with someone else's backend code?

What's annoying about this is the way I'm guilty until proven innocent. A command console thats "basically exactly the same" and "might have even been the exact same?" Nevermind the fact that the Jikto webcast clearly shows how the captured data is shipped to the collecting web server web server and in addition to this video these screen shots show this data is displayed in a UI. So if by "exactly the same" you mean captures data and outputs it then yes they are the same. By this logic it is "basically exactly" the same as a telegraph too.

The webcast and all this info was publicly posted over two weeks before this silly claim was made. That really leaves me at a lost. I certainly hope this is a misunderstanding and that RSnake isn't trying to knock down someone who just happens to work at a company who competes with his friend.

Of course, HP bought SPI and HP apparently competes with everyone. That's right Berners-Lee, it's go-time!

Yep, I stole that too.

Found a copy of Jose Nazario CanSecWest presentation where he talks about detecting JavaScript malware. Actually, he is talking about how to manually reverse engineer JavaScript encoders that drop traditional sploits.

Interesting, but too primitive to turn into an automated process to stop the JavaScript malware John and I are talking about at BlackHat.

csw07-nazario.pdf (application/pdf Object)

I did a Google search for an ASCII chart this morning and came up with this link. I thought it looked familiar. Looking at the bottom of the image confirmed it. This is the ASCII chart printed in the back of the manual for my first computer, the Leading Edge Model D!

As you all know, I got into computers rather late in the game. I had used computers before, but my older brother Jason was the computer nerd. I knew enough to start the machine with the right bootdisk to play Doom or X-Wing (ahhh the days of hand tuning config.sys). He left for college in the summer of 1996, the computer broke, and I had to learn how to fix it. There was a 486DX2-66 in the basement that my mom still used, so I didn't have free rein on that system. Instead, one of my best friends Chris Brown gave me his old computer when his family upgraded. It was a dual floppy Leading Edge Model D. I set it up in my bedroom between Freshmen and Sophomore year and hacked on it every night. This is the computer I learned so much of my early computer knowledge. I remember doing things like:

-Using DEBUG to write assembly
-Learning about screen buffers
-Writing to the keyboard buffer to make programs that couldn't be killed.
-Learning graphics programming for a Hercules video card (720x348 baby!)
-Writing a phone call logger that opened the 2400 baud modem (OPEN "COM1" in Qbasic) and listened for the ATA "RING" commands.

I later upgraded it to an MFM hard drive and a CGA monitor. I hacked on that machine every night for almost 2 years. I spent my days sleeping through class or programming on my TI-85.

And I loved every minute of it.

Back in the Day!

Critics like to point out it is difficult for web scanners to know when an entire RIA has been crawled. After all, certain actions might expose more functionality, which exposes more and more. Certain functionality (like a spell checker) might not get invoked unless there are mispelled words.

RIA are full blown applications. You don't "crawl" Microsoft Word do you? You don't "crawl" Visual Studio? Web security researchers need to remember that other industries confront the same problems we do. Automated GUI testing suites have existed for years and some of the research is very interesting and highly applicable. I have no numbers, but I'd bet dollars to doughnuts that market is a little bigger than the webappsec.

Talking about how difficult a problem is doesn't help anyone. Trying to solve it, even if you fail, helps everyone. I learned that in college at a lecture by Dr Cook, one of the definitive sources on the Traveling Salesmen Problem.

On June 4 I posted an MD5 checksum 98a358d372c87da29509a44cc3ec387f

acidus@hatter:~$ cat purchase.txt
SPI will be purchased by HP in June or July
acidus@hatter:~$ md5
md5               md5sum            md5sum.textutils
acidus@hatter:~$ md5sum purchase.txt
98a358d372c87da29509a44cc3ec387f  purchase.txt
acidus@hatter:~$

Sure enough: HP buys SPI.

Awesome. Pink is the new black! An anonymous blog where someone drops major XSS 0day and isn't pimping a product or consulting? Sweet. No offense to my big pimpin web security buddies, but honestly, we (myself included) are all XSS sluts. We could be more like RFP, who doesn't trade on his handle. This guy/gal is giving it away truly for free, which I supposed makes them an XSS whore. Hmmm. Well whatever floats your boat.

Given how painful a "cross-site scripting" attack can be, its acronym should have been "ASS" instead of "XSS". Yet the developers behind the web applications you use every day often do not know what they are or do not care.

Why don’t web sites care enough? Because on the surface these vulnerabilities do not jeopardize the security of the entire company and such hacks are not as glamorous as high-profile break-ins where millions of social security numbers are stolen. But in reality, an XSS defect can be just as devastating to a site’s user base and extremely traumatic to any single user whose identity and privacy are violated.

XSS 0day and brutal analysis? What more could I ask for? I agree with everything said here.

Show me Pink! (thats right, I said it) - XSS 0day for Yahoo.

I have consumed a massive amount of Red Bull in the last 2 weeks in a run up to finishing the manuscript for my Ajax Security book. We are talking on average 2-3 a day, with an occasional day of 4. Once there was a day of 5. Just once, and *never* again. At some point you can't really call them "days" anymore. A day is simply a convenient unit of 24 hours that may or may not start at 12:00am.

There is an elusive euphoria stage of Red Bull consumption where you are unbelievably productive and yet task that seemly take hours take only about 27 minutes or so. That was the odd thing. It always seemed 27 minutes later. I like to call this stage "Fry-Time" in reference to that Futurama episode where Fry drinks 100 cups of coffee and time slows to a crawl. Fry-Time occurs only in a narrow band on the line between total exhaustion and caffeine-induced heart attack and is a difficult stage to reach. I've hit Fry-Time maybe 3-4 times ever. 2 of those times have happened in the last 2 weeks.

Then, there is the "attention deficient disordering" stage. This stage occurs beyond Fry-Time and before the caffeine-induced heart attack phase. In this phase, you want to be productive. You are aware of all the work you need to accomplish as well as its importance. You feel motivated and excited about all your projects. In fact, it feels like you are in the Fry-Time stage. But you aren't. You are ADDing. Because as soon as you try to do something. You can't. Halfway through your brain jumps to thinking about another task and you stall. Its like OS scheduler that has so many jobs to do it spends all it time context switching instead of actually making any progress on any of them. This is an extremely frustrating phase because you know what's happening. And the very act of noticing that you are being scattered brained brings to mind all the tasks you still need to do which makes you think about how cool some of them are and suddenly you aren't doing any more work on whatever it was you were working on. You've context switched to another job.

The only thing to do in the ADD stage is wait it out and try to be productive later. The only problem is when you are in the ADD phase you have had so much Red Bull you can't sleep! So you are wide awake, too hyped to do anything, knowing you have shit to do, and losing time that you could be sleeping.

This is exactly what happened to me around 4:00am this morning. On an upside, I got through about 60 pages of Guns, Germs, and Steel. Elonka's cousin sure can write!

In his speech, Jobs announced that the iPhone will be able to run Web 2.0 applications that look just like the iPhone's built-in apps but are created by third-party developers. As the iPhone will have a full-fledged version of Apple's Safari Web browser, developers can build their applications with Ajax and other Web technologies.

Ok, I'm not sure what this means exactly (and granted this is 2 steps removed from the source). Its a browser with a JavaScript interpreter. Of course it can run Ajax apps. I wonder if this referes to Adobe's Apollo apps which can run external of a browser.

"I'm underwhelmed," said Avi Greengart, an analyst with industry research firm Current Analysis. Many developers, he said, "were expecting to be able to write apps and run them in a browser anyway."

Yeah, nothing new here.

He pointed out that, although Jobs said that the Web 2.0 apps will run in a sandbox, they still will be able to reach beyond the sandbox to access key functions, such as phone calls

... ... SWEET! Now Samy can let you know he is your new hero by calling you. On your Phone. Thousands of times a second. From JavaScript.

This makes John Terrill's curse "I'm going to XSS your FACE!" that much closer to reality.

iPhone + XSS = All your cell networks are belong to Acidus