DRY Fiend (Conjuration/Summoning)

In 1st edition AD&D two character classes had their own private languages: Druids and Thieves. Thus, a character could use the “Thieves’ Cant” to identify peers, bargain, threaten, or otherwise discuss malevolent matters with a degree of safety. (Of course, Magic-Users had that troublesome first level spell comprehend languages, and Assassins of 9th level or […]

Two Hearts That Beat As One

A common theme among injection attacks that manifest within a JavaScript context (e.g. <script> tags) is that proper payloads preserve proper syntax. We’ve belabored the point of this dark art with such dolorous repetition that even Professor Umbridge might approve. We’ve covered the most basic of HTML injection exploits, exploits that need some tweaking to […]

A True XSS That Needs To Be False

It is on occasion necessary to persuade a developer that an HTML injection vuln capitulates to exploitation notwithstanding the presence within of a redirect that conducts the browser away from the exploit’s embodied alert(). Sometimes, parsing an expression takes more effort than breaking it. So, redirect your attention from defeat to the few minutes of […]

B-Sides SF 2013: JavaScript Security & HTML5

I’ve emerged from the gloomy dungeon of C++ and book writing long enough to venture into the gloomy dungeon of the DNA Lounge for B-Sides San Francisco. It’s the perfect venue to talk about the building blocks of web apps: the twin strands of JavaScript and HTML5. As noted at the end of my talk, […]

Know Your JavaScript (Injections)

HTML injection vulnerabilities make a great Voigt-Kampff test for proving you care about security. We need some kind of tool to deal with developers who take refuge in the excuse, “But it’s not exploitable.” Companies like MasterCard and VISA created the PCI standard to make sure web sites care about vulns like XSS. Parts of […]

JavaScript Is Harmless

In the preface to my “Mitigating…” talk I offer this Orwellian summation of the state of JavaScript as it relates to browser security: War is peace. Freedom is slavery. Ignorance is strength. JavaScript is harmless. I then put forth arguments and examples for securing the client from JavaScript-related mishaps by adopting HTML5. The goal, to quote another […]