lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Jul 2007 10:03:57 +0100 From: "pdp (architect)" <pdp.gnucitizen@...glemail.com> To: full-disclosure@...ts.grok.org.uk, owasp-leaders@...ts.owasp.org, "WASC Forum" <websecurity@...appsec.org> Subject: The new dawn of filter evasion http://www.gnucitizen.org/blog/the-new-dawn-of-filter-evasion .mario (http://www.gnucitizen.org/about/mario) has posted quite cool overview on filter evasion practices. Here is the excerpt : """This article is about the most important phase when attacking a web application. The phase when the markup has just been broken and the attacker will try to inject his own markup, script code or other data - let's call it the PMBP (post-markup-breaking-phase). This phase is mostly possible to occur when quotes aren't correctly sanitized or when input is placed between two tags. In this article we will set the focus on the first variant - the attribute injection. And we will prove that protecting your markup from being broke is the very most important task in client side security.""" he goes further and dissects the process into the following sections: * Basic filtering * Get it running * Circumvent the ignorance * CSO's nightmare very interesting! -- pdp (architect) | petko d. petkov http://www.gnucitizen.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists