Comments for matthewhughes.co.uk

Comment on Announcing Security BSD 0.02 – Codename: Banal by Averroes

Averroes — Thu, 02 Sep 2010 15:52:07 +0000

eagerly awaiting the elaboration!

Comment on Please Spam Me – A study into the language of 419 scams, spam and phishing. by Matthew Hughes

Matthew Hughes — Thu, 02 Sep 2010 14:40:44 +0000

Goddammit, so you heard of my grudge with bliddle58 too?

Comment on Please Spam Me – A study into the language of 419 scams, spam and phishing. by thomas mackenzie

thomas mackenzie — Thu, 02 Sep 2010 14:14:36 +0000

this is a lie and your just trying to spam someone aren’t you!

Comment on University of Reddit: Web Application Hacking with DVWA: Lesson 1 – Getting Started and reflected XSS by rich

rich — Tue, 20 Jul 2010 05:21:26 +0000

It says “Log in to DVWA with the username ‘admin’ and password ‘Password’” but it’s actually ‘password’ all lowercase.

Comment on University of Reddit: Web Application Hacking with DVWA: Lesson 1 – Getting Started and reflected XSS by lenards

lenards — Sun, 18 Jul 2010 19:48:28 +0000

Along the boat maker analogy, one of the biggest failures in history re shipwrights or boat construction was the Vasa:

http://en.wikipedia.org/wiki/Vasa_%28ship%29

Neal Ford often talks about it as a meme that should be spread in the software development as a beautiful cautionary tale of the need to test, speak up, and not allow “The King” to force a project’s failure.

Comment on University of Reddit: Web Application Hacking with DVWA: Lesson 1 – Getting Started and reflected XSS by lenards

lenards — Sun, 18 Jul 2010 19:46:11 +0000

Isn’t one choice to use the DVWA LiveCD and install it in VMWare/VirtualBox/etc? Or would the DVWA LiveCD also need XAMPP?

Comment on University of Reddit: Web Application Hacking with DVWA: Lesson 1 – Getting Started and reflected XSS by ethicalhack3r

ethicalhack3r — Sat, 17 Jul 2010 11:25:06 +0000

@Jigme Datse Rasku
Maybe you forgot to set the security level to low?

1) What is XSS?
XSS is better understood when called HTML injection. As the name XSS (Cross Site Scripting) implies that client side scripting code or Javascript more specifically is needed for successful exploitation. When in fact XSS can be exploited with just pure HTML. The name XSS can be confusing however if you think of it as simply injecting your own HTML into a web application then you can begin to understand its implications.

2) Why is this considered XSS?
Cross Site Scripting is when you inject code which is not from the same origin (web application). Meaning you bypass same origin policies.

3) How do we fix this?
On a non technical level it is down to the software development culture. Developers are pushed to meet deadlines, as long as the code does what was set out in the original spec, the boss is happy. Implementing a Secure Development Life Cycle (SDLC) costs software vendors time and money. What needs to happen is that software vendors be legally accountable for the quality of their code. The cost for bad coding is very much pushed on to the consumer. Until the vendors have an incentive to write good secure code, why bother, it will only cost them more money.

On a technical level, good input and output sanitation on all user supplied input, regular source code or black box assessments by some one other than the development team. As a user there is the NoScript Firefox plugin and IE8’s XSS filter. Both cannot 100% protect you however are a good start.

Comment on University of Reddit: Web Application Hacking with DVWA: Lesson 1 – Getting Started and reflected XSS by Matthew Hughes

Matthew Hughes — Fri, 16 Jul 2010 23:32:37 +0000

1.) That was a typo that was corrected a few minutes after publication. Admin and Password is the correct login.
2.) I just tried it on my own computer, and it worked fine. Are you sure you’re doing it right? < s c r i p t > a l e r t ( ‘ x s s ‘ ) ; < / s c r i p t > is what you need to type in, minus the spaces. I just tried it at home on both Chrome and Firefox and it worked perfectly.

I answered your questions in the post, but with not that much depth. I’ll make another post explaining XSS in more detail.

Comment on University of Reddit: Web Application Hacking with DVWA: Lesson 1 – Getting Started and reflected XSS by Jigme Datse Rasku

Jigme Datse Rasku — Fri, 16 Jul 2010 22:50:56 +0000

A few issues:

1) there is no ‘DVWA’ account created with my version of DVWA, there is an ‘admin’ account with password ‘password’.
2) the ‘alert(‘xss’);’ has no *visible* effect on Chrome, or Firefox. Not sure why this is, I’m not very familiar with Javascript so I’m not sure what the issue might be.

A couple of questions:

1) What is XSS?
2) Why is this considered XSS?
3) How do we fix this?

Thanks,

Jigme

Comment on A Brief Guide To The LIGATT Saga by B_Real

B_Real — Wed, 07 Jul 2010 15:47:35 +0000

This nonsense with Evan’s criminal record has gone on for too long. Who cares if he was a felon or not? Anybody in a free market system can create their own companies and make a living, even reformed criminals. Ligatt has like 5 offices and government contracts according to their website, so I guess the government forgave him.