Musings on Information Security - Luxembourg / A blog by Thierry Zoller.: Cross site scripting filter evasion - OWASP

skip to main | skip to sidebar

_ Where facts are few, experts are many

Home
Menu
TZO Daily Security News
Contact
- Mail
Subscribe to Feed

Cross site scripting filter evasion - OWASP

| 0 comments ]

My colleague Alexios gave a talk about evading XSS filters at the recent OWASP conference, what strikes me is the multitude of ways you can do it. I am sure you find something you didn't know when watching it :

0 comments

Post a Comment

Newer Post Older Post Home

About Me

Thierry Zoller: Welcome to my personal Blog where I blog about Information Security and in general anything I regard as newsworthy.

Quick-links
▪ About me / Profile
▪ Tools / Talks / Whitepapers
▪ My vulnerability disclosure policy
▪ Subsribe to RSS Feed
▪ Contact Me

The views and opinions expressed on this blog are my personal views and are not intended to reflect the views of my employer or any other entity.

View my complete profile

Follow @thierryzoller

Follow by Email

Subscribe to RSS

Subscribe to Musings on Information Security

Cluster Map

Popular Posts

IIS 6 / IIS 5 / IIS 5.1+ Webdav auth bypass [Final]

Table of Contents Updates Bulletins Am I at risk ? Tools Technical details 0.1 Personal message Several news stories seem to allu...
The BEAST summary - TLS, CBC, Countermeasures (Update 4)

Lots of good information floating on the internet on the Proof of Concept (dubbed 'BEAST) against TLS 1.0 by Juliano Rizzo and Thai Du...
Storing password securely - hashses, salts and bit stretching put into context

Introduction Due to the latest row of high profile websites being compromised and parts of the password hashes being published h...
What you need to know about the vulnerabilities in MSCHAPv2

A post within the "straight to the meat" category : There was a talk at Defcon 20 entitled " Defeating PPTP VPNs and WPA2 ...
Tools, Whitepapers, Talks

Talks / Lectures During my career I had the opportunity to present my thoughts and views on Information Security to numerous people and or...

Recent Comments

Powered by Disqus

Blogs I read

Securosis Highlights

Endpoint Advanced Protection: The Endpoint Protection Lifecycle - As we get back to our Endpoint Advanced Protection series, let’s dig into the *lifecycle* we alluded to at the end of the intro post. We laid out a prett...
3 hours ago
Schneier on Security

Malware Tries to Detect Test Environment - A new malware tries to detect if it's running in a virtual machine or sandboxed test environment by looking for signs of normal use and not executing if th...
10 hours ago
Didier Stevens

decoder-search.py Beta - I’ve been developing a new Python program similar to XORSearch. decoder-search.py does brute-forcing and searching of a file like XORSearch, but it stead o...
22 hours ago
Krebs on Security

Inside Arizona’s Pump Skimmer Scourge - Crooks who deploy skimming devices made to steal payment card details from fuel station pumps don't just target filling stations at random: They tend to fo...
1 day ago
LuxLegal

La réforme des allocations familiales : une nouvelle atteinte aux droits des familles recomposées ? - Alors que la Cour de Justice de l’Union Européenne est toujours saisie de litiges concernant des enfants étudiants issus de familles recomposées s’étant vu...
1 day ago
VRT

Threat Spotlight: GozNym - *This blog was authored by Ben Baker, Edmund Brumaghin and Jonah Samost.* Executive Summary GozNym is the combination of features from two previously identi...
1 day ago
Troy Hunt

7 years of blogging and a lifetime later... - Exactly 7 years ago today, I wrote my first blog post titled Why online identities are smart career moves. That's a pretty self-explanatory title and I w...
2 days ago
The New School of Information Security

You say noise, I say data - There is a frequent claim that stock markets are somehow irrational and unable to properly value the impact of cyber incidents in pricing. (That’s not usua...
1 week ago
Arne Swinnen's Security Blog - Just Another Infosec Blog

How My Rogue Android App Could Monitor & Brute-force Your App’s Sensitive Metadata - TL;DR: A rogue Android app could read any other App’s file metadata: filename, size, last modification date. If a filename contained sensitive predictable ...
2 weeks ago
Privacy Law Blog

Tales from the (Quantum) Crypt - Adam Waks The dream of hack-proof communication just got a little closer to reality. On August 16, 2016, China launched the world’s first “quantum satell...
4 weeks ago
contagio

Linux.Agent malware sample - data stealer - *Research: SentinelOne, Tim Strazzere Hiding in plain sight?* Sample credit: Tim Strazzere List of files 9f7ead4a7e9412225be540c30e04bf98dbd69f62b891087...
5 weeks ago
Lenny Zeltser on Information Security

Misleading Trademark Registration Invoices and Scams - Miscreants are attracted to law-skirting schemes that generate strong revenues without significant ongoing investments. You can observe these characteristi...
5 weeks ago
CrySyS Blog

!SpamAndHex at the 24th DEFCON CTF Finals - Yes, we did it again. We played against the best teams in the world at the 24th DEFCON CTF Finals in Las Vegas. However, it was not as easy as it seems t...
5 weeks ago
Carnal0wnage & Attack Research Blog

Exporting workspaces from your MSF database - Quick and dirty hack to export all your findings/host/services/etc and creds from your metasploit database Normally you'd do this with a: workspace mywork...
1 month ago
/dev/ttyS0

Defcon 24: Blinded By The Light - I won’t be at Defcon this year in body, but I’ll be there in spirit! I got to design the hardware used in @tb69rr’s and @bjt2n3904‘s Defcon talk, Blinded B...
1 month ago
Claude Adam

Méisproochegkeet zu Lëtzebuerg - Lëtzebuerg ass e Raum vu geliefter Méisproochegkeet. Eis Sproochesituatioun ass an hirer Komplexitéit kaum ze iwwertreffen: dräi Sproochen, déi gläichzäite...
2 months ago
TaoSecurity

Updated PhD Thesis Title - Yesterday I posted Latest PhD Thesis Title and Abstract. One of my colleagues Ben Buchanan subsequently contacted me via Twitter and we exchanged a few me...
3 months ago
newsoft's fun blog

Le gâchis - Enfin ! Après 4 ans de travail et 5M€ de financement public, le projet d’antivirus « souverain » vient d’être publié sur GitHub. Initialement connu sous le...
3 months ago
A Few Thoughts on Cryptographic Engineering

What is Differential Privacy? - Yesterday at the WWDC keynote, Apple announced a series of new security and privacy features, including one feature that’s drawn a bit of attention — and c...
3 months ago
Uncommon Sense Security

Bad analogy, bad. No biscuit. - If you use the “If I leave my door unlocked you don;t have the right to walk in…” analogy when discussing web disclosures, you really need to stop. Bad ...
3 months ago
Secure Belief

VulnHub Stapler 1 Solution 2 - You can find Solution 1 here. After spending a night on this, I finally managed to solve the 2nd way to get limited shell on this box. Let's see how this ...
3 months ago
Fun Over IP

McAfee SiteList.xml password decryption - Recently, a very good friend of mine (@Sn0rkY) pointed me out the story of a pentester who recovered the encrypted passwords from a McAfee SiteList.xml fil...
7 months ago
GreyHatHacker.NET

Spraying the heap in seconds using ActiveX controls in Microsoft Office - Recently I’ve been researching into ActiveX controls in Office documents as I had some ideas I wanted to test out after reading Dominic Wang’s paper “Under...
9 months ago
Chatter on the Wire: How excessive network traffic gives away too much!

Satori rewrite - Ok, for years I've been planning on rewriting Satori in python (or something else) and never have gotten around to it. Well 2 weeks ago I started playing ...
10 months ago
Security

vsftpd-3.0.3 released... and the horrors of FTP over SSL - I just released vsftpd-3.0.3, as noted on the vsftpd home page. It's actually been almost three years(!) since vsftpd-3.0.2, so things do seem to be gettin...
1 year ago
Cup of Security

Tips That Will Help You Become An Intelligent Investor - Have you considered any investing strategies? If you don't, know you are not the only one. Lots of people have limited knowledge regarding investments. Her...
1 year ago
Scrammed!

A WinDbg extension to print the kernel memory layout - WinDbg is an awesome debugger, but I always missed the nice, compact and tidy view of the process memory layout that you have in OllyDbg (in *View->Memory*...
1 year ago
root labs rdist

Was the past better than now? - Here we go again — another article arguing whether the past was better or not (this one says “better”). These articles are tiresome, rehashing the debate w...
1 year ago
mossmann's blog

Learning SDR - I recently launched Software Defined Radio with HackRF, an instructional video series that I hope will make it easier than ever for people to learn the bas...
2 years ago
Java security and related topics

USENIX Security Symposium Slides - We're very happy to present the paper Revisiting SSL/TLS Implementations - New Bleichenbacher Side Channels and Attacks by Christopher Meyer, Juraj Somo...
2 years ago
The iSecLab Blog [by Faculty and Students];

New Insights into Email Spam Operations - Our group has been studying spamming botnets for a while, and our efforts in developing mitigation techniques and taking down botnets have contributed in d...
2 years ago
Amrit Williams Blog

RSA Announces End of RSA Security Conference - Aims to bring clarity to cloudy marketing messages through exhibit hall chotskies Bedford, MA., – April 1, 2014 – RSA, the security division of EMC, today ...
2 years ago
ax330d's blog

Samsung Galaxy S5 could be cheaper than Galaxy S4 - Good news for would-be Samsung Galaxy S5 customers - the main smartphone may end up being more economical as opposed to Galaxy S4 was when it established. ...
2 years ago
Cognitive Dissidents

Why I _am_ Speaking At RSA 2014 - There’s been quite a bit of drama with regards to whether or not to boycott the RSA conference over a deal that the RSA security vendor had made with the N...
2 years ago
Ma petite parcelle d'Internet...

Router backdoor reloaded... - S i vous avez aimé l'histoire de la backdoor D-Link, vous allez A-DO-RER celle-ci. C'est encore sur /dev/ttyS0 que ça se passe, où on apprend que les route...
2 years ago
Androguard

One year after, end of Magnificent 7 project ! - It has been a year already since the start of the Magnificient 7 program ! So what happened during this year ? We added some features to enhance your analy...
3 years ago
Digital Forensics is a Science

Mobile Device Forensics - Course Update - It's been a few weeks since the last update, but things have been busy. The Fall 2012 term is now in Week 5 (wow, the semester is flying by). We've covered...
4 years ago
Nynaeve

NWScript JIT engine: Wrap-up (for now) - Yesterday, I provided a brief performance overview of the MSIL JIT backend versus my implementation of an interpretive VM for various workloads. Today, I’l...
6 years ago
IBM Internet Security Systems Frequency X Blog

-
CryptoLUX - Recent changes [en]

-
rmhrisk.wpengine.com/

-
Metasploit

-
woanware

-
...And You Will Know me by the Trail of Bits

-

Show 10 Show All

Blog Archive

► 2013 (4)
- ► July (1)
- ► June (1)
- ► March (2)

► 2012 (11)
- ► November (1)
- ► August (2)
- ► July (1)
- ► June (4)
- ► May (2)
- ► March (1)

► 2011 (10)
- ► December (3)
- ► November (1)
- ► October (2)
- ► September (2)
- ► August (2)

► 2010 (6)
- ► August (1)
- ► July (1)
- ► March (2)
- ► February (2)

► 2009 (80)
- ► November (2)
- ► October (1)
- ► September (3)
- ► July (3)
- ► June (2)
- ► May (22)
- ► April (16)
- ► March (17)
- ► February (7)
- ► January (7)

▼ 2008 (31)
- ► December (2)
- ► November (7)
- ▼ October (7)
- ► September (3)
- ► August (12)

► 2007 (7)
- ► October (1)
- ► May (1)
- ► April (2)
- ► March (1)
- ► February (1)
- ► January (1)

► 2006 (6)
- ► December (1)
- ► August (2)
- ► March (1)
- ► February (1)
- ► January (1)

► 2005 (9)
- ► October (1)
- ► April (7)
- ► January (1)

► 2000 (1)
- ► March (1)

Contact Form

Name

Email *

Message *

Links

Schneier on Security
Brian Krebs on Security
Lenny Zeltser
Malware LU
CryptoLux
Unmitigated Risk
TaoSecurity - Bejtlich
root labs rdist
Securosis Blog
Trail of Bits
Sid's Blog [FR]
Fun over IP
Hack.lu
Joe Sandbox
SVEN

Labels

0day (7)
Advisory (53)
Bluetooth (3)
BTcrack (5)
Hardware hacking (1)
How-to (7)
Interesting Reads (6)
Lectures (2)
Misc (10)
Omron 3S4YR-MVFW Card reader (3)
Rants from Thierry (20)
Tool (17)
Vulnerabilties (11)
Whitepaper (3)

Copyright Musings on Information Security - Luxembourg / A blog by Thierry Zoller. Template by Michael Jubel