[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
- Date: Thu, 27 Jul 2006 14:57:59 -0500
Well that was interesting timing.
Nice js/scanner PoC, SPI Labs.
You might want to mention properly encoding output for the
specified user agent in your paper under the "Recommendations"
section. Input validation by itself is so 2001.
-ae
> -----Original Message-----
> From: Billy Hoffman [mailto:Billy.Hoffman@xxxxxxxxxxxxxxx]
> Sent: Thursday, July 27, 2006 12:00 PM
> To: RSnake
> Cc: websecurity@xxxxxxxxxxxxx
> Subject: RE: [WEB SECURITY] Detecting, Analyzing, and
> Exploiting Intranet Applications using JavaScript
>
> RSnake,
>
> Thanks for the note.
>
> SPI Dynamics conducted this research independently. We specifically
> state in the document that Jeremiah is also doing research in
> this area,
> and we point to his presentation at BlackHat and when and
> where it will
> be taking place. No one at SPI has seen any published material or seen
> any public presentation describing any specific techniques regarding
> this area of research. We are simply publishing the techniques that we
> identified.
>
> Take care,
> Billy Hoffman
> --
> Lead R&D Engineer
> SPI Dynamics - http://www.spidynamics.com
> Phone: 678-781-4800
> Direct: 678-781-4845
>
> -----Original Message-----
> From: RSnake [mailto:rsnake@xxxxxxxxxxxx]
> Sent: Thursday, July 27, 2006 12:31 PM
> To: Billy Hoffman
> Cc: websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] Detecting, Analyzing, and Exploiting
> Intranet Applications using JavaScript
>
>
> SPI Dynamics is late. Jeremiah Grossman and I have been
> working on this
> for quite a while, and he presented about it at an OWASP
> meeting almost
> a month ago, with working demos:
>
> http://www.owasp.org/index.php?title=San_Jose&oldid=6982
>
> It looks like your whitepaper's first paragraph is pulled
> almost exactly
> from the first paragraph of Jeremiah's presentation overview
> (suspiciously close anyway).
>
> http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
> #Grossman
>
> Maybe it's a coincidence, but even so his demo was released
> before yours
> by nearly a month. I think it would be curteous to revise
> your paper to
> reflect as much.
>
> -RSnake
> http://ha.ckers.org/
> http://ha.ckers.org/xss.html
> http://ha.ckers.org/blog/feed/
>
> --------------------------------------------------------------
> --------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
Search this site
|