Inter-protocol Exploitation and Communication papers
Security: Submitted by Wade on 19-Apr-07 at 02:04pm
Two papers are now available that demonstrate inter-protocol security issues - Inter-protocol Communication and Inter-protocol Exploitation. Among other things they show the practicality of encapsulating exploit code in one protocol to compromise a program which uses a different protocol.
An example is provided that shows how a web browser can launch a Metasploit-type exploit to own an Asterisk server. Of course, this raises concerns over the (in)effectiveness of firewalls against this attack.
Advanced Cross-site Scripting Virus Paper
Security: Submitted by Wade on 30-Jan-07 at 11:34am
This paper explores the real potential of the web being infected with a cross-site scripting virus that autonomously searches for, and employs, new vulnerabilities for propagation.
BeEF (Browser Exploitation Framework) Beta Released
Security: Submitted by Wade on 24-Aug-06 at 07:13pm
BeEF, the browser exploitation framework, has been released. The current version is beta and still a work in progress, but it should be easy to install.
Its purpose in life is to provide an easily integrated framework to demonstrate the impact of browser and cross-site scripting issues in real time. The modular structure has focused on making module development a trivial process, with the intelligence existing within BeEF.
HTTP Penetration Suite
Security: Submitted by Wade on 02-Aug-06 at 07:56pm
Attacks from browsers are increasing in sophistication and researchers are focusing more resources in this area. Recently, a JavaScript port scanner was published that was based on a SPI Dynamics paper. The scanner is entirely encapsulated within the web browser.
It doesn’t take an Einstein to start linking web application attack vectors. In the “Inter-browser Communication” (IBC) blog I illustrated one basic method to maintain indirect real-time control over a browser (including data transfer). Using IBC it is possible to load tools (in real time) such as a port scanner to the controlled browser and retrieve the results. Following this logic, an entire HTTP Suite can be developed to attack internal networks using the browser as an unsuspecting proxy. Not to mention the extra dimensions that XSS viruses add.
The Biological-Digital Bridge (BDB)
Security: Submitted by Wade on 12-Jun-06 at 12:58pm
Possible, probable, impossible, hypothetical, conspiracy, aliens, or a moot debate... Mapping of the human genome was completed in 2003, and today scientists within the realm of Genetic Engineering manipulate the DNA sequence of cells, usually with the aim of expressing a protein. Software is an integral part of this technology, allowing DNA sequences to be read, manipulated (written), cataloged and processed.
Inter-browser Communication
Security: Submitted by Wade on 28-May-06 at 10:59pm
Cross-site scripting (XSS) models are commonly thought of as the server controlling the browser. That is, all commands come from code residing on the server. This is not necessarily the case. Control can also take the form of one browser (in)directly controlling or communicating with another. One method of browser-to-browser communication is employing an intermediate web server.