Category: web

  • More benchmarking in the 127.0.0.1 vs 0.0.0.0 issue

    I’ve done a little more benchmarking in the 127.0.0.1 vs. 0.0.0.0 issue: <script>var start=new Date();</script> <script src="http://ad.a8.net/foo.js"></script> <script src="http://asy.a8ww.net/foo.js"></script> <script src="http://a9rhiwa.cn/foo.js"></script> <script src="http://www.a9rhiwa.cn/foo.js"></script> <script src="http://acezip.net/foo.js"></script> <script>var stop=new Date(); alert(stop.getTime() - start.getTime());</script> What this code does is try to include JavaScript files from five sites and measure the time it takes to process these tags.…

  • User input, by any other name

    A friend of mine posed me an interesting question: how is it possible that a CMS, which displayed the IP addresses for comments made anonymously (instead of the username), showed a private IP (like 172.16.63.15)? Before I get to the actual explanation, here are some specific clarifications which should be made: IP addresses are…

  • The state of web security

    If you are a busy (wo)man, I save you the time it would take to read this blogpost: it is deplorable. Now to elaborate on it: Yesterday I was putting together some new templates for the webhoneypot project with a focus on PHP shells. Things like r57, c99 and their derivatives. Then I looked at…

  • Build a botnet – without infecting end-users

    The idea is not new: get a lot of users to view a given webpage, to DDoS the webserver / backend (depending where the bottlenecks are). If I recall correctly, some student asked the visitors of his website to continuously refresh the page of his university and got charged for it. As many have remarked…

  • Installing the webhoneypot on OpenWrt

    This is a raw tutorial for installing webhoneypot on a router running OpenWrt. The used version is Kamikaze 8.09 (this can be important because commands change between versions). The tutorial is not 100% complete and I will update it in the future when I learn new information. Another assumption I make is that you…

  • BadwareBuster.org goes live

    Via StopBadware.org: BadwareBuster.org removes the beta label and goes live. It is a forum that tries to help people who are struggling with a malware problem, either on their home computer or on their website. What I liked: Full RSS feed to the site (so that it can be mined for malicious URLs for research…

  • Walking with objects

    Some time ago I read David Wheeler’s blogpost about using the OBJECT tag to embed HTML in your HTML :-). One of the things which piqued my interest was the question: what are the security implications of using this method? Specifically I was interested if the same cross-domain / same-policy rules applied to interaction between…

  • A few words about hackersblog

    If you read security news, you most probably have already heard about hackersblog.org. It is a blog created by a couple of my compatriots who feel that just talking about vulnerabilities in websites is not enough and they must attract attention by actively exploiting the flaws and posting their “trophies” Zone-H style. As you…

  • Twitter Content

    And here is another pipe: did you find it annoying that when you subscribe to the RSS feed for a Twitter account (not being a Twitter head myself – probably because I don’t have time to write short posts 😛 – I subscribe to the RSS feed rather than “follow” them) that they put…

  • DeShortify

    Update: I created a simpler version of this pipe using the API from LongURL. A positive side-effect of using the service is that it supports many more URL shortening services. Some people feel that URL shortening services like TinyURL are a security risk because they take away the user’s ability to hover over a link…