[WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript

Arian J. Evans arian.evans at anachronic.com
Thu Jul 27 15:57:59 EDT 2006


Well that was interesting timing.

Nice js/scanner PoC, SPI Labs.

You might want to mention properly encoding output for the
specified user agent in your paper under the "Recommendations"
section. Input validation by itself is so 2001.

-ae



> -----Original Message-----
> From: Billy Hoffman [mailto:Billy.Hoffman at spidynamics.com] 
> Sent: Thursday, July 27, 2006 12:00 PM
> To: RSnake
> Cc: websecurity at webappsec.org
> Subject: RE: [WEB SECURITY] Detecting, Analyzing, and 
> Exploiting Intranet Applications using JavaScript
> 
> RSnake,
> 
> Thanks for the note. 
> 
> SPI Dynamics conducted this research independently. We specifically
> state in the document that Jeremiah is also doing research in this area,
> and we point to his presentation at BlackHat and when and where it will
> be taking place. No one at SPI has seen any published material or seen
> any public presentation describing any specific techniques regarding
> this area of research. We are simply publishing the techniques that we
> identified.
> 
> Take care,
> Billy Hoffman
> --
> Lead R&D Engineer
> SPI Dynamics - http://www.spidynamics.com
> Phone: 678-781-4800
> Direct: 678-781-4845
> 
> -----Original Message-----
> From: RSnake [mailto:rsnake at shocking.com] 
> Sent: Thursday, July 27, 2006 12:31 PM
> To: Billy Hoffman
> Cc: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Detecting, Analyzing, and Exploiting
> Intranet Applications using JavaScript
> 
> 
> SPI Dynamics is late.  Jeremiah Grossman and I have been working on this
> for quite a while, and he presented about it at an OWASP meeting almost
> a month ago, with working demos:
> 
> http://www.owasp.org/index.php?title=San_Jose&oldid=6982
> 
> It looks like your whitepaper's first paragraph is pulled almost exactly
> from the first paragraph of Jeremiah's presentation overview
> (suspiciously close anyway).
> 
> http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Grossman
> 
> Maybe it's a coincidence, but even so his demo was released before yours
> by nearly a month.  I think it would be courteous to revise your paper to
> reflect as much.
> 
> -RSnake
> http://ha.ckers.org/
> http://ha.ckers.org/xss.html
> http://ha.ckers.org/blog/feed/
> 
> ----------------------------------------------------------------------------
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

