Malerisch.net

Copyright Malerisch.net 2008, all rights reserved. Mon, 24 Nov 2008 06:25:27 GMT Malerisch.net :: Site dedicated to security research, tools and articles http://malerisch.net/ Malerisch.net http://tinyurl.com/2s935s en-gb Multiple Adobe Products - XML External Entity And XML Injection http://malerisch.net/docs/advisories/2010-02-22_multiple_adobe_products_xml_external_entity_-_xml_injection.html 22/02/2010 - Multiple Adobe Products are vulnerable to XML External Entity (XXE) and XML Injection attacks. advisory Mon, 22 Feb 2010 01:00:00 GMT Defcon 17 Video Online http://www.defcon.org/html/links/dc-archives/dc-17-archive.html#Liverani 24/01/2010 - The video of our Defcon 17 presentation is finally online and it is available from the Defcon web site. Some live demos are included in the second part of the talk. Enjoy! Sun, 24 Jan 2010 10:00:00 GMT Another Firefox Extension advisory http://security-assessment.com/files/advisories/Yoono_Firefox_Extension_Privileged_Code_Injection.pdf 13/01/2010 - This comes from Nick Freeman and affects the Yoono Firefox extension. A very sweet bug ;-). Wed, 13 Jan 2010 10:00:00 GMT SecurityByte & OWASP AppSec Asia 2009 and three 0days released http://www.net-security.org/secworld.php?id=8527 19/11/2009 - I have been talking at the SecurityByte and OWASP AppSec Asia 2009 conference in India, Gurgaon. It was my first time there and as I love travelling, I coulnd't miss this opportunity. The conference was great, well organised and I have met very interesting people. Definitely recommended! During the talk, three 0days were finally released, which myself and Nick Freeman previously disclosed to the vendors. A video interview was also published online, just after the conference. Sat, 19 Nov 2009 10:00:00 GMT Twitter XSS http://sites.google.com/site/tentacoloviola/twitterhorror 14/11/2009 - Not sure if some people noticed, but an interesting XSS vector was found affecting the Twitter web site last November, by Rosario Valotta. When Rosario contacted me, I couldn't believe when looking at the XSS payload. After some talking, I suggested the use of document.write to bypass some Twitter input filtering controls. This allowed Rosario's injection to include a script tag as well. The bug was also disclosed on Full-Disclosure. I just wonder about the so "many" implications of having that kind of XSS bug on Twitter. Happy to not use Twitter ;-) Mon, 14 Nov 2009 10:00:00 GMT 2 Firefox Extensions Chrome Privileged Code Injection http://malerisch.net/docs/security_docs.html 25/08/2009 - Coolpreviews and Update Scanner Firefox Extensions are vulnerable to Cross Site Scripting injection. coolpreviews advisory - update scanner advisory. Tue, 25 Aug 2009 10:00:00 GMT 2 Firefox Extensions Chrome Privileged Code Injection http://malerisch.net/docs/security_docs.html 25/08/2009 - Coolpreviews and Update Scanner Firefox Extensions are vulnerable to Cross Site Scripting injection. coolpreviews advisory - update scanner advisory. Tue, 25 Aug 2009 10:00:00 GMT Exploiting Firefox Extensions - Interview on Risky.biz http://www.risky.biz/netcasts/rb2/rb2-owasp-day-podcast-exploiting-firefox-extensions 24/08/2009 - Risky.biz recently published our interview with Paul Craig at the OWASP New Zealand Day about exploiting Firefox extensions. Mon, 24 Aug 2009 10:00:00 GMT Defcon 17 - Presentation http://www.malerisch.net/docs/defcon17/roberto_suggi_liverani_nick_freeman_abusing_firefox_extensions_defcon17.pdf 24/08/2009 - Defcon was great and we have managed to upload our presentation ;-)- download Mon, 24 Aug 2009 10:00:00 GMT Defcon 17 http://www.defcon.org/html/defcon-17/dc-17-speakers.html#Liverani 24/07/2009 - Myself and Nick Freeman are going to Las Vegas to present at Defcon 17 on "Abusing Firefox extensions". This time we will show more exploits and bugs ;-). We are on track 4 - 2pm. Check the Defcon schedule. Mon, 24 Jul 2009 10:00:00 GMT Backdooring Windows Media Files http://sites.google.com/site/tentacoloviola/backdooring-windows-media-files 20/07/2009 - Rosario Valotta recently released a comprehensive white paper on "Backdooring Windows Media Files". Many interesting points are covered, especially intranet scanning and ftp attacks via SAMI files. More info on his blog. Mon, 20 Jul 2009 10:00:00 GMT OWASP New Zealand Day 2009 http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations 13/07/2009 - OWASP NZ Day has been a great event with more than 150 attendees, 7 talks, lot of drinks and fun! ;-) The presentations have been published online and are available for download. Key points of the day are covered in an excellent article of Kirk Jackson. Mon, 13 Jul 2009 10:00:00 GMT OWASP New Zealand Day 2009 - Speakers announcement http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Speakers 08/06/2009 - Speakers have been announced for the OWASP NZ Day 2009 conference! Also, more than one hundred of registered people attending! Great result! ;-) Mon, 08 Jun 2009 10:00:00 GMT EUSecWest 2009 http://malerisch.net/docs/eusecwest09_exploiting_firefox_extensions/eusecwest09_-_Roberto_Suggi_Liverani_-_Nick Freeman_-_Exploiting_Firefox_Extensions.pdf 07/06/2009 - Just came back from Europe, London, after been presenting at EUSecWest about "Exploiting Firefox Extensions" with Nick Freeman. It was a really cool conference with very good topics. Our presentation slides are online. Sun, 07 Jun 2009 10:00:00 GMT OWASP Testing Guide v3.0 http://www.lulu.com/content/5691953 05/03/2009 - OWASP Testing Guide v3.0 has been recently published. I partially contributed to it. For those interested, it is also available as a printed book from Lulu. Thu, 05 Mar 2000 10:00:00 GMT Google Analytics - Stored Cross Site Scripting http://malerisch.net/docs/advisories/google_analytics_stored_cross_scripting.html 08/12/2008 - Google Analytics is vulnerable to Stored Cross Site Scripting. A malicious user is able to inject arbitrary browser content through web sites subscribed to the Google Analytics service. Mon, 08 Dec 2008 10:00:00 GMT sed v0.2 http://malerisch.net/tools/negativeseo/sed.html 25/11/2008 - search engine de-optimisation tool update. Tue, 25 Nov 2008 12:00:00 GMT opera stored cross site scripting http://malerisch.net/docs/advisories/opera_stored_cross_site_scripting.html 22/10/2008 - Opera browser is vulnerable to stored Cross Site Scripting. A malicious attacker is able to inject arbitrary browser content through the websites visited with the Opera. Wed, 22 Oct 2008 10:00:00 GMT sed v0.1 http://malerisch.net/tools/negativeseo/sed.html 28/09/2008 - search engine de-optimisation tool released. Tue, 28 Oct 2008 12:00:00 GMT Ruxcon 2008 http://www.ruxcon.org.au/presentations.shtml#15 12/09/2008 - I will also speaking at Ruxcon about negative SEO. Don't miss this talk if you can't make it at Kiwicon! ;-) Fri, 12 Sep 2008 12:00:00 GMT browser security http://malerisch.net/docs/browser_security/browser_security.ppt 07/09/2008 - I have done some research in the area of browser security and presented this argument at the last OWASP NZ meeting. Sun, 07 Sep 2008 12:00:00 GMT Kiwicon 2008 http://www.kiwicon.org/presentations#Roberto%20Suggi%20Liverani 01/09/2008 - I will be speaking at Kiwicon about negative SEO. Don't miss this talk if you love playing with search engines ;-) . Mon, 01 Sep 2008 12:00:00 GMT