[WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript

Billy Hoffman Billy.Hoffman at spidynamics.com
Thu Jul 27 13:00:03 EDT 2006


RSnake,

Thanks for the note. 

SPI Dynamics conducted this research independently. We specifically
state in the document that Jeremiah is also doing research in this area,
and we point to his presentation at BlackHat and when and where it will
be taking place. No one at SPI has seen any published material or seen
any public presentation describing any specific techniques regarding
this area of research. We are simply publishing the techniques that we
identified.

Take care,
Billy Hoffman
--
Lead R&D Engineer
SPI Dynamics - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845

-----Original Message-----
From: RSnake [mailto:rsnake at shocking.com] 
Sent: Thursday, July 27, 2006 12:31 PM
To: Billy Hoffman
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Detecting, Analyzing, and Exploiting
Intranet Applications using JavaScript


SPI Dynamics is late.  Jeremiah Grossman and I have been working on this
for quite a while, and he presented about it at an OWASP meeting almost
a month ago, with working demos:

http://www.owasp.org/index.php?title=San_Jose&oldid=6982

It looks like your whitepaper's first paragraph is pulled almost exactly
from the first paragraph of Jeremiah's presentation overview
(suspiciously close anyway).

http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Grossman

Maybe it's a coincidence, but even so his demo was released before yours
by nearly a month.  I think it would be curteous to revise your paper to
reflect as much.

-RSnake
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://ha.ckers.org/blog/feed/

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list