tag:blogger.com,1999:blog-32456897384968098892012-04-13T02:37:28.915+02:00Dawid Skomskihttp://www.blogger.com/profile/02937543690676014189noreply@blogger.comBlogger5125tag:blogger.com,1999:blog-3245689738496809889.post-9923677276857005412012-01-08T20:55:00.001+01:002012-01-09T09:06:06.772+01:002012-01-09T09:06:06.772+01:00

Practically there is no place around the world focusing on IT Security conferences. I did not know anything like this ever, so I created a calendar of events (most interesting from my point of view) on this blog. Unfortunately, updates and keeping it fresh was too much time consuming so stopped him updating. Fortunately, in the wild has appeard the great service secore.info, which aggregates <img src="http://feeds.feedburner.com/~r/websecrooted/~4/qgscfz5wZ0o" height="1" width="1"/>

Dawid Skomskihttp://www.blogger.com/profile/02937543690676014189noreply@blogger.com0http://websec.rooted.pl/2012/01/it-security-central-point-of.htmltag:blogger.com,1999:blog-3245689738496809889.post-40364766336811901872011-07-16T10:52:00.048+02:002011-07-25T17:42:15.566+02:002011-07-25T17:42:15.566+02:00

I would like to draw attention to use of framebusting in many websites. Modern browsers with HTML5 support require a different approach to this problem. Briefly I would like to remind you that framebusting is a technique to protect against so called clickjacking (wiki). Commonly there are used two methods to avoid this attack vector: HTTP header X-FRAME-OPTIONS with values DENY or <img src="http://feeds.feedburner.com/~r/websecrooted/~4/inXbBJsJ9uE" height="1" width="1"/>

Dawid Skomskihttp://www.blogger.com/profile/02937543690676014189noreply@blogger.com1http://websec.rooted.pl/2011/07/more-accurate-framebusting.htmltag:blogger.com,1999:blog-3245689738496809889.post-27376876293879003872011-05-27T19:13:00.003+02:002012-01-09T23:26:58.890+01:002012-01-09T23:26:58.890+01:00

In Chrome web browser was found the design flaw that can be used to make universal XSS attacks. The bug is in the same time a browser feature because it is used for code completion, which was just poorly coded (i.e. missing something small such as a closed tag or quotation). So in this code: &lt;img src=1 onerror=alert(1);character will be replaced to allow proper execution code snippet for example<img src="http://feeds.feedburner.com/~r/websecrooted/~4/XKa2Y6v_JM0" height="1" width="1"/>

Dawid Skomskihttp://www.blogger.com/profile/02937543690676014189noreply@blogger.com0http://websec.rooted.pl/2011/05/chrome-omijanie-filtru-anty-xss.htmltag:blogger.com,1999:blog-3245689738496809889.post-73389713526696601882011-04-26T23:53:00.008+02:002012-01-09T23:19:17.236+01:002012-01-09T23:19:17.236+01:00

I add to the stuff a few JavaScript scripts that can help in the rapid encoding or decoding of characters HTML and more (click) There are only a few though but it was fast written and the list of scripts will increase. If you need any additional tools or hand-saw things to have here or other proposals - let me know.<img src="http://feeds.feedburner.com/~r/websecrooted/~4/5FeJdbk0L5E" height="1" width="1"/>

Dawid Skomskihttp://www.blogger.com/profile/02937543690676014189noreply@blogger.com0http://websec.rooted.pl/2011/04/niezbednik-web-pentestera.htmltag:blogger.com,1999:blog-3245689738496809889.post-61141478390045778432011-04-17T11:51:00.001+02:002012-01-09T23:14:11.538+01:002012-01-09T23:14:11.538+01:00

It happened. I forced myself to breathe life into this site:) First of all it should be mentioned a word about websec and why websec. I don't like greetings so it will be brief. WebSec is a special case of information security. Special because of the popularity of web applications. These days most of the technology arrangements "for the people" are created mainly in web technologies. Why? <img src="http://feeds.feedburner.com/~r/websecrooted/~4/1oIZ3_GP8Rg" height="1" width="1"/>

Dawid Skomskihttp://www.blogger.com/profile/02937543690676014189noreply@blogger.com0http://websec.rooted.pl/2011/04/test-ride.html