MasterPass and PayPal
9 Jun 2012
Slides "Rails & Security" from Devconf, Moscow
Popular Posts
Octocat Tattoo
of course it's not a real one
Evolution of Open Redirect Vulnerability.
TL;DR ///host.com is parsed as relative-path URL by server side libraries, but Chrome and Firefox violate RFC and load http://host.com inst...
Path Encoding Vulnerability in https/www redirects.
Playing with 302-based header injection (the majority of web servers are not vulnerable to it, btw) I found one tricky neat bug which can be reall...
How we hacked Facebook with OAuth2 and Chrome bugs
TL;DR We (me and @isciurus) chained several different bugs in Facebook, OAuth2 and Google Chrome to craft an interesting exploit. Mallory...
Token Fixation in Paypal
Remember OAuth1 session fixation? No? Read writeup from Eran Hammer (the guy who hates OAuth2 as much as I do). Guess what - there's ex...
Two "WontFix" vulnerabilities in Facebook Connect
TL;DR Every website with "Connect Facebook account and log in with it" is vulnerable to account hijacking. Every website relying o...
Turbo API: How to use CORS without Preflights
From official doc on Cross Origin Resource Sharing A header is said to be a simple header if the header field name is an ASCII case-ins...
Header injection in Sinatra/Rack
Try to run this simple app: require 'sinatra' get '/' do redirect params[:to] if params[:to].start_with? 'http://host....
J.Crew Factory: Get 50% off the entire store
" Thanks! " to many of you, who shared the following promotion for J.Crew Factory. J.Crew is offering Factory Store shoppers a...
Last Day: Extra 40-50% Off Sale
J.Crew is sending out yet another email, reminding customers that they are still running 40% off Final Sale (& 50% off select items) w...