ush.it - a beautiful place

HttpOnly Cookies Reference

December 22, 2006 at 5:20 am - Filed under Reports, Insecurity, Language EN - 1274 words, reading time ~4 minutes - Permalink - Comments

This is a collection of resources on the topic. Some of these methods are not bullet proof but will help you develop some proactive security when writing new web applications and when hardening the existing ones.

IE7 ping back home, MS and your browsing history

December 20, 2006 at 9:15 pm - Filed under Insecurity, Language EN - 299 words, reading time ~0 minutes - Permalink - Comments

Is seems that Microsoft Internet Explorer 7 with the phishing filter active ping back home for every URL requested. This could be the default in many environments.

Poste Italiane privatizza i CAP, la FSFE li libera

November 15, 2006 at 5:03 pm - Filed under Reports, Language IT - 330 words, reading time ~1 minutes - Permalink - Comments

Fino a qualche giorno fa, Poste Italiane SPA e il Ministero delle Comunicazioni forniva sui rispettivi siti web l'elenco dei CAP delle localita' italiane gratuitamente e in formato universalmente accessibile.

HttpOnly Cookies and Mozilla Firefox

July 28, 2006 at 12:04 am - Filed under Hacks, Language EN - 800 words, reading time ~2 minutes - Permalink - Comments

This is an english translation of "HttpOnly e Firefox" a whitepaper of my friend Stefano Di Paola written in italian.
Versione originale italiana: http://www.wisec.it/sectou.php

EXIF Phun

May 30, 2006 at 3:00 pm - Filed under Hacks, Language IT - 1130 words, reading time ~3 minutes - Permalink - Comments

WARNING: MASSIVE PR0N USE

LugVR Contest 01: Google Maps Reverse Solution

May 9, 2006 at 9:52 pm - Filed under Hacks, Language IT - 1944 words, reading time ~6 minutes - Permalink - Comments

Google Maps reversato, questa e' la soluzione del primo LugVR Contest con argomento: reverse di Google Maps. Visita l'articolo di inizio contest per maggiori informazioni. Nota: questo reverse di Google Maps e' stato effettuato da zero, ignorando le altre risorse sull'argomento, che comunque trovate listate a fondo articolo.

LugVR Contest 01: Google Maps Reverse

May 9, 2006 at 8:44 pm - Filed under Hacks, Language IT - 571 words, reading time ~1 minutes - Permalink - Comments

Il 7 e' terminato il primo LugVR Contest, argomento: reverse di Google Maps. Interessante vero? Per tutti quelli che si sono stancati di usare le API e l'interfaccia ufficiale. Il prossimo articolo sara' la soluzione del contest.

Pratical XSS n1

April 14, 2006 at 3:06 am - Filed under Hacks, Language EN - 503 words, reading time ~1 minutes - Permalink - Comments

This is a short email i wrote in reply to v9 AT fakehalo.us on vuln-dev@securityfocus.com focused on how to exploit XSS vulnerabilities in the real world.

Milkeyway Captive Portal Multiple Vulnerabilities

March 16, 2006 at 3:31 am - Filed under Hacks, Language EN - 560 words, reading time ~1 minutes - Permalink - Comments

Milkeyway is a software for the management and administration of internet access within public structures and frameworks, where the service supplying must be submitted to a scrupulous inspection. Nearly all SQL queries are vulnerable to SQL injection vulnerabilities. There are also some XSS vulnerabilities.

Arin.net XSS

March 3, 2006 at 8:55 pm - Filed under Insecurity, Language EN - 128 words, reading time ~0 minutes - Permalink - Comments

J u a n wrote:
> On 3/3/06, Alexander Hristov <joffer@gmail.com> wrote:
>> Just tested : http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22
>> javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>> it still works for me
> works for me on internet explorer, didn't work with firefox 1.5

PmWiki remote file inclusion exploit

February 1, 2006 at 3:59 am - Filed under Hacks, Language EN - 881 words, reading time ~2 minutes - Permalink - Comments

The purpose of this article is to make easily understandable the impact of some vulns exposed in the PmWiki Multiple Vulnerabilities and PHP5 Globals Vulnerability advisories.

Port scanning with online services

January 29, 2006 at 3:12 am - Filed under Hacks, Insecurity, Language EN - 45 words, reading time ~0 minutes - Permalink - Comments

Some service misuse examples.

PHP5 Globals Vulnerability

January 25, 2006 at 9:30 pm - Filed under Hacks, Language EN - 769 words, reading time ~2 minutes - Permalink - Comments

PHP5 Globals Vulnerability: with ?GLOBALS[foobar] you can set the value of the un-initialized $foobar variable.

PmWiki Multiple Vulnerabilities

January 24, 2006 at 7:23 pm - Filed under Hacks, Language EN - 1063 words, reading time ~3 minutes - Permalink - Comments

This is both a PmWiki and PHP advisory, and works only with register_globals on. I totally missed the PHP GLOBALS[] GPC injection vulnerability and rediscovered that by my own (if just few month before! arg!). Basically in the worst scenario we are in front of two separate vulnerabilities: one regarding arbitrary remote file inclusion and code execution in PmWiki on PHP 5.x with globals on and the other about the reintroduction of a bug that should have been fixed in 5.0.5 but work (at last) on the 2 most recent version of PHP5.

Google XSS Example

January 15, 2006 at 12:37 am - Filed under Insecurity, Language IT - 266 words, reading time ~0 minutes - Permalink - Comments

L'articolo e' una traduzione in italiano di Google XSS Example.

Port scanner with dnsstuff

January 14, 2006 at 6:47 pm - Filed under Hacks, Insecurity, Language EN - 805 words, reading time ~2 minutes - Permalink - Comments

Dnsstuff is a great service often integrated in browser, widget and extension. They offer a number of tests (DNS Report, DNS Timing, WHOIS Lookup, Abuse Lookup, Domain Info, Spam database lookup, Reverse DNS lookup, IPWHOIS Lookup, City From IP, IP Routing Lookup, DNS lookup, Traceroute, Ping, ISP cached DNS lookup) and other conversion/math tools (URL deobfuscator, Free E-mail Lookup, CIDR/Netmask, E-mail Test, CSE HTML Validator, Decimal IPs). When applicable the tool is both ipv4 and ipv6 capable.

THP USH Wisec DigitalBullets