- The right way to embed
- More benchmarking in the 127.0.0.1 vs 0.0.0.0 issue
  I’ve done a little more benchmarking in the 127.0.0.1 vs. 0.0.0.0 issue: <script>var start=new Date();</script> <script src="http://ad.a8.net/foo.js"></script> <script src="http://asy.a8ww.net/foo.js"></script> <script src="http://a9rhiwa.cn/foo.js"></script> <script src="http://www.a9rhiwa.cn/foo.js"></script> <script src="http://acezip.net/foo.js"></script> <script>var stop=new Date(); alert(stop.getTime() - start.getTime());</script> What this code does is try to include JavaScript files from five sites and measure the time it takes to process these tags.…
- User input, by any other name
  A friend of mine posed me an interesting question: how is it possible that a CMS which displayed the IP addresses for comments made anonymously (instead of the username) showed a private IP (like 172.16.63.15)? Before I get to the actual explanation, here are some specific clarifications which should be made: IP addresses are…
- The state of web security
- Build a botnet – without infecting end-users
  The idea is not new: get a lot of users to view a given webpage in order to DDoS the webserver / backend (depending on where the bottlenecks are). If I recall correctly, some student asked the visitors of his website to continuously refresh the page of his university and got charged for it. As many have remarked…
- Installing the webhoneypot on OpenWrt
  This is a raw tutorial for installing webhoneypot on a router running OpenWrt. The version used is Kamikaze 8.09 (this can be important because commands change between versions). The tutorial is not 100% complete and I will update it in the future when I learn new information. Another assumption I make is that you…
- BadwareBuster.org goes live
  Via StopBadware.org: BadwareBuster.org removes the beta label and goes live. It is a forum that tries to help people who are struggling with a malware problem, either on their home computer or on their website. What I liked: a full RSS feed to the site (so that it can be mined for malicious URLs for research…
- Walking with objects
  Some time ago I read David Wheeler’s blog post about using the OBJECT tag to embed HTML in your HTML :-). One of the things which piqued my interest was the question: what are the security implications of using this method? Specifically I was interested in whether the same cross-domain / same-origin policy rules applied to interaction between…
- A few words about hackersblog
  If you read security news, you most probably have already heard about hackersblog.org. It is a blog created by a couple of my compatriots who feel that just talking about vulnerabilities in websites is not enough, and that they must attract attention by actively exploiting the flaws and then posting their “trophies” Zone-H style. As you…
- Twitter Content