lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Jul 2007 10:03:57 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, owasp-leaders@...ts.owasp.org, 
	"WASC Forum" <websecurity@...appsec.org>
Subject: The new dawn of filter evasion

http://www.gnucitizen.org/blog/the-new-dawn-of-filter-evasion

.mario (http://www.gnucitizen.org/about/mario) has posted quite cool
overview on filter evasion practices. Here is the excerpt :

"""This article is about the most important phase when attacking a web
application. The phase when the markup has just been broken and the
attacker will try to inject his own markup, script code or other data
- let's call it the PMBP (post-markup-breaking-phase). This phase is
mostly possible to occur when quotes aren't correctly sanitized or
when input is placed between two tags. In this article we will set the
focus on the first variant - the attribute injection. And we will
prove that protecting your markup from being broke is the very most
important task in client side security."""

he goes further and dissects the process into the following sections:

* Basic filtering
* Get it running
* Circumvent the ignorance
* CSO's nightmare

very interesting!

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists