To me this XSS on LivingSocial was kind of fun. First of all the injection point was the first name of the user, which ... Continue Reading
GoGrid CSRF / XSSAfter announcing a breach of payment information and an audit from a leading security firm, GoGrid's enhanced login page contained a cross-site scritping vulnerability that ... Continue Reading
Stealing BitcoinsBitcoin is a Peer 2 Peer virtual currency that has been getting a giant pile of attention lately. I have seen comments on it ... Continue Reading
Django info leakThe Django admin in releases 1.1.2, 1.2.3 and earlier have a information leakage vulnerability.
Here is a theoretical setup, similar to the video to explain ... Continue Reading
Nagios XI 2009R1.2B is vulnerable to multiple cross-site request forgery (CSRF) vulnerabilities. All of the privileged actions tested were vulnerable to CSRF.
Exploiting the identified ... Continue Reading
rd.io is a bad ass music app. When it first released I didn't have a beta invite. Everyone it seemed was talking about it, but ... Continue Reading
Gowalla DecloakThis video should be pretty self explanatory. Gowalla gives users the option to make private passports (profiles) so that only their friends can see checkins ... Continue Reading
MiFi GeoPwnThe MiFi by Novatel Wireless (re-branded and sold by multiple vendors such as Sprint and Verizon) is a mobile wifi hotspot. The mifi also ... Continue Reading
Ustream.tv Show PwnHey look everyone, yet another demonstration of how cross-site scripting (XSS) can be used for evil. This time we find ourselves at ustream.tv and yet ... Continue Reading
CloudKick TakeoverThis video demonstrates a flaw found in a large number of sites. It still makes me chuckle that the cloud is supposed to be this ... Continue Reading
Kayako SupportSuiteHere is a quick video demonstrating a fun cross-site scripting I found in Kayako SupportSuite. It shows an interesting side of XSS that scanners rarely ... Continue Reading
Rackspace CloudThis video is a follow-on to the previous Rackspace cloud video on stealing Rackspace API keys using XSS.
In the Rackspace cloud when you ... Continue Reading
Ever wanted to know what somebody is hiding in their Rackspace cloud files account? The vulnerability that is demonstrated here is cross-site scripting (xss) due ... Continue Reading
Basecamp 0wn3dSo it's possible to compromise a Basecamp account when the victim, with a valid session, clicks on a link. I think this is a bad ... Continue Reading
Open-Realty TakeoverOpen-Realty combined with a misconfigured web server provides for a really bad day if an agent goes rogue or if an agents account is compromised. ... Continue Reading
Site by &yet Web Design