Generic Http Handlers in ASP.NET

Topic: Technology
4:25 pm EDT, Jul 10, 2007
Today I finally got the memo about the joy that is Generic Handlers in ASP.NET. These things are a great way to emulate PHP-style web services and Ajax callbacks.

Topic: Technology
4:32 pm EDT, Jul 5, 2007
Literals are a pain to tokenize, especially when the literal can start with a valid math operator. I'm looking at you, JavaScript regex literals and signed integer literals! You broke my code.
var x = /123/;
var y =5 /2;
z(5,+54.1, -13);
This is where you can blur the line between what the tokenizer should do and what the parser does. Going the wrong way makes things bad. Like, crashing bad.

Topic: Technology
2:38 pm EDT, Jul 5, 2007
Finding 0day in something major is the awesome. Waiting for the vendor is the suck.

Topic: Technology
11:47 am EDT, Jun 27, 2007
In octal, of course!
var x = 010;
alert(x); // displays 8
In JavaScript, numeric literals with a leading 0 are treated as octal literals, unless the prefix is 0x, in which case it's hex.
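The two posts above (the regex-versus-division and signed-number problem from Jul 5, and the leading-zero octal rule here) come together in the tokenizer below. It is an added example written for this page, not code from Acidus or from any product mentioned on it. It decides whether a `/` starts a regex literal by looking at the previous token, leaves `+` and `-` as operators for the parser to treat as unary, and evaluates numeric literals with the legacy (pre-strict-mode) rules: a leading 0 is octal, 0x is hex, and a leading-0 literal containing an 8 or 9 falls back to decimal as old engines did. The keyword list and token shapes are my own simplifications; strings, comments and template literals are deliberately left out. A scanner that guesses wrong on the `/` desynchronizes on everything that follows, so the tokenizer throws a SyntaxError on an unterminated regex instead of running off the end of the input.

```javascript
// Added example, not from the original post: a minimal JavaScript tokenizer
// for the two ambiguities discussed above plus legacy numeric literal rules.
//  1. '/' is a regex literal or a division operator depending on the previous
//     token, so the tokenizer tracks what it emitted last.
//  2. '+' and '-' in front of a number are NOT part of the literal; they are
//     emitted as operators and left for the parser to treat as unary.
//  3. Numeric literals follow the pre-strict-mode rules: leading 0 is octal,
//     0x is hex, and a leading-0 literal containing 8 or 9 is decimal.

// Token types after which '/' is division.
const DIVISION_PRECEDERS = new Set(['number', 'identifier', 'regex']);
// After a closing bracket '/' is division too (so `if (x) /re/` is a known
// limitation shared by most hand-written tokenizers).
const CLOSERS = new Set([')', ']', '}']);
// Keywords after which '/' starts a regex even though they scan as identifiers.
const REGEX_KEYWORDS = new Set(['return', 'typeof', 'case', 'in', 'of', 'delete', 'void', 'throw']);

function regexAllowed(prev) {
  if (!prev) return true;                                   // start of input
  if (prev.type === 'identifier') return REGEX_KEYWORDS.has(prev.value);
  if (DIVISION_PRECEDERS.has(prev.type)) return false;
  if (prev.type === 'punct') return !CLOSERS.has(prev.value);
  return true;                                              // after an operator
}

// Legacy (sloppy-mode) numeric literal value.
function numericValue(text) {
  if (/^0[xX][0-9a-fA-F]+$/.test(text)) return parseInt(text.slice(2), 16); // 0x1F -> 31
  if (/^0[0-7]+$/.test(text)) return parseInt(text.slice(1), 8);            // 010  -> 8
  return Number(text);                                                      // 08 -> 8, 54.1
}

function tokenize(src) {
  const tokens = [];
  const prev = () => tokens[tokens.length - 1];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if (/[A-Za-z_$]/.test(c)) {
      let j = i; while (j < src.length && /[\w$]/.test(src[j])) j++;
      tokens.push({ type: 'identifier', value: src.slice(i, j) }); i = j; continue;
    }
    if (/[0-9]/.test(c) || (c === '.' && /[0-9]/.test(src[i + 1] || ''))) {
      let j = i; while (j < src.length && /[0-9a-fA-FxX.]/.test(src[j])) j++;
      const text = src.slice(i, j);
      tokens.push({ type: 'number', value: text, numeric: numericValue(text) }); i = j; continue;
    }
    if (c === '/' && regexAllowed(prev())) {
      // Scan to the closing '/', honouring backslash escapes and [...] classes,
      // and fail cleanly instead of running off the end of the input.
      let j = i + 1, inClass = false;
      for (; j < src.length; j++) {
        if (src[j] === '\\') { j++; continue; }
        if (src[j] === '[') inClass = true;
        else if (src[j] === ']') inClass = false;
        else if (src[j] === '/' && !inClass) break;
      }
      if (j >= src.length) throw new SyntaxError(`unterminated regex literal at ${i}`);
      j++;                                                  // closing '/'
      while (j < src.length && /[a-z]/.test(src[j])) j++;   // flags
      tokens.push({ type: 'regex', value: src.slice(i, j) }); i = j; continue;
    }
    if ('+-*/=<>!&|%^?:~'.includes(c)) { tokens.push({ type: 'operator', value: c }); i++; continue; }
    if ('(),;[]{}.'.includes(c)) { tokens.push({ type: 'punct', value: c }); i++; continue; }
    throw new SyntaxError(`unexpected character ${JSON.stringify(c)} at ${i}`);
  }
  return tokens;
}

// Token types as one string, handy for eyeballing how a line was split.
function tokenTypes(src) {
  return tokenize(src).map(t => t.type).join(' ');
}
```

Run it under Node. `tokenTypes('var y =5 /2;')` gives `identifier identifier operator number operator number punct`, while `tokenTypes('var x = /123/;')` ends in `operator regex punct` because the `=` before the slash makes a regex the only sensible reading; `numericValue('010')` and `numericValue('08')` both come out as 8 under the legacy rules.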

Topic: Technology
4:03 pm EDT, Jun 26, 2007
Also, you are missing the other part of Jikto, which is the command console - which was basically exactly the same as Jeremiah's code (it might have even been the exact same - I'm not sure without looking at it).
I've heard some silly claims before, but wow. I get my chops busted for Jikto, and then get my chops busted again because someone thinks I'm doing it with someone else's backend code? What's annoying about this is the way I'm guilty until proven innocent. A command console that's "basically exactly the same" and "might have even been the exact same?" Never mind the fact that the Jikto webcast clearly shows how the captured data is shipped to the collecting web server, and in addition to this video these screenshots show this data is displayed in a UI. So if by "exactly the same" you mean captures data and outputs it, then yes, they are the same. By this logic it is "basically exactly" the same as a telegraph too. The webcast and all this info was publicly posted over two weeks before this silly claim was made. That really leaves me at a loss. I certainly hope this is a misunderstanding and that RSnake isn't trying to knock down someone who just happens to work at a company that competes with his friend. Of course, HP bought SPI and HP apparently competes with everyone. That's right Berners-Lee, it's go-time! Yep, I stole that too.

csw07-nazario.pdf (application/pdf Object)

Topic: Technology
7:00 pm EDT, Jun 22, 2007
Found a copy of Jose Nazario's CanSecWest presentation where he talks about detecting JavaScript malware. Actually, he is talking about how to manually reverse engineer JavaScript encoders that drop traditional sploits. Interesting, but too primitive to turn into an automated process to stop the JavaScript malware John and I are talking about at BlackHat.

Topic: Technology
10:36 am EDT, Jun 22, 2007
I did a Google search for an ASCII chart this morning and came up with this link. I thought it looked familiar. Looking at the bottom of the image confirmed it. This is the ASCII chart printed in the back of the manual for my first computer, the Leading Edge Model D! As you all know, I got into computers rather late in the game. I had used computers before, but my older brother Jason was the computer nerd. I knew enough to start the machine with the right boot disk to play Doom or X-Wing (ahhh, the days of hand-tuning config.sys). He left for college in the summer of 1996, the computer broke, and I had to learn how to fix it. There was a 486DX2-66 in the basement that my mom still used, so I didn't have free rein on that system. Instead, one of my best friends, Chris Brown, gave me his old computer when his family upgraded. It was a dual-floppy Leading Edge Model D. I set it up in my bedroom between Freshman and Sophomore year and hacked on it every night. This is the computer on which I learned so much of my early computer knowledge. I remember doing things like:
- Using DEBUG to write assembly
- Learning about screen buffers
- Writing to the keyboard buffer to make programs that couldn't be killed
- Learning graphics programming for a Hercules video card (720x348 baby!)
- Writing a phone call logger that opened the 2400 baud modem (OPEN "COM1" in QBasic) and listened for the ATA "RING" commands
I later upgraded it to an MFM hard drive and a CGA monitor. I hacked on that machine every night for almost 2 years. I spent my days sleeping through class or programming on my TI-85. And I loved every minute of it.
Back in the Day!

Topic: Technology
11:00 am EDT, Jun 21, 2007
Critics like to point out that it is difficult for web scanners to know when an entire RIA has been crawled. After all, certain actions might expose more functionality, which exposes more and more. Certain functionality (like a spell checker) might not get invoked unless there are misspelled words. RIAs are full-blown applications. You don't "crawl" Microsoft Word, do you? You don't "crawl" Visual Studio? Web security researchers need to remember that other industries confront the same problems we do. Automated GUI testing suites have existed for years and some of the research is very interesting and highly applicable. I have no numbers, but I'd bet dollars to doughnuts that market is a little bigger than webappsec. Talking about how difficult a problem is doesn't help anyone. Trying to solve it, even if you fail, helps everyone. I learned that in college at a lecture by Dr Cook, one of the definitive sources on the Traveling Salesman Problem.

MD5's predict the Future!

Topic: Technology
10:37 am EDT, Jun 19, 2007
On June 4 I posted an MD5 checksum 98a358d372c87da29509a44cc3ec387f
acidus@hatter:~$ cat purchase.txt
SPI will be purchased by HP in June or July
acidus@hatter:~$ md5
md5 md5sum md5sum.textutils
acidus@hatter:~$ md5sum purchase.txt
98a358d372c87da29509a44cc3ec387f purchase.txt
acidus@hatter:~$
Sure enough: HP buys SPI.

Show me Pink! (thats right, I said it) - XSS 0day for Yahoo.

Topic: Technology
2:50 pm EDT, Jun 15, 2007
Awesome. Pink is the new black! An anonymous blog where someone drops major XSS 0day and isn't pimping a product or consulting? Sweet. No offense to my big pimpin web security buddies, but honestly, we (myself included) are all XSS sluts. We could be more like RFP, who doesn't trade on his handle. This guy/gal is giving it away truly for free, which I suppose makes them an XSS whore. Hmmm. Well, whatever floats your boat.
Given how painful a "cross-site scripting" attack can be, its acronym should have been "ASS" instead of "XSS". Yet the developers behind the web applications you use every day often do not know what they are or do not care. Why don’t web sites care enough? Because on the surface these vulnerabilities do not jeopardize the security of the entire company and such hacks are not as glamorous as high-profile break-ins where millions of social security numbers are stolen. But in reality, an XSS defect can be just as devastating to a site’s user base and extremely traumatic to any single user whose identity and privacy are violated.
XSS 0day and brutal analysis? What more could I ask for? I agree with everything said here.