Archive for web

[hackersmag] Don’t SSL-ify full site until SSL is itself Secure

Posted in ABK Labs, security on April 3, 2011 by abhishekkr [30/03/2011]

Full-site SSL-ification is not an option; SSL itself needs to be made secure first

I have heard (recently and in the past) security-aware people wasting a lot of their potential over arguments like
+ ‘Basic HTTP is insecure‘ {sometimes in the novice past}
+ ‘SSL-ify the entire web service‘ {there is still a lot of push for this}
Now, ‘Basic HTTP’ being insecure is not a flaw by design… but a flaw by choice.

Though it has been haunting websites through attacks like
+[] SSL Stripping:
It’s due to……….
+[] Sidejacking:
It occurs……….
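What the two attacks named above actually do to a site that serves some pages over plain HTTP, as an added example in Python (not code from the original post): an SSL-stripping man-in-the-middle rewrites the HTTPS links in a plaintext page so the victim never reaches TLS, and a session cookie set without the Secure attribute is attached by the browser to any later plain-HTTP request, which is what sidejacking captures off the wire. The page content, the host name example.test and the cookie values are constructed for the demo.

```python
from __future__ import annotations

import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: a landing page served over plain HTTP whose login link
# and form point at HTTPS, as on a "mixed" site.  Assumed content, not a real site.
LANDING_PAGE_HTTP = b"""<html><body>
<a href="https://example.test/login">Log in</a>
<form action="https://example.test/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<a href="http://example.test/about">About</a>
</body></html>"""

# Constructed sample: Set-Cookie headers from the HTTPS login response.
# The session cookie lacks the Secure attribute; the CSRF cookie has it.
LOGIN_RESPONSE_COOKIES = [
    "session=0123abcd; Path=/; HttpOnly",
    "csrf=deadbeef; Path=/; Secure",
]

_HTTPS_URL = re.compile(rb"https://")
_LINK_TARGET = re.compile(rb"""(?:href|action)=["'](https://[^"']+)""")


def ssl_strip(body: bytes) -> tuple[bytes, int]:
    """Rewrite every https:// reference in an HTML body to http://.

    This is the core move of an SSL-stripping MITM sitting on the plaintext
    leg: the victim only ever follows plain-HTTP links, while the attacker
    talks TLS to the real server on the victim's behalf.  Returns the
    rewritten body and the number of references downgraded.
    """
    return _HTTPS_URL.subn(b"http://", body)


def downgrade_targets(body: bytes) -> list[str]:
    """List the hrefs/actions an attacker can downgrade in a plaintext page.

    A page with no https:// targets gives the stripper nothing to rewrite;
    a mixed site hands it the login form.
    """
    return [m.decode() for m in _LINK_TARGET.findall(body)]


def cookies_leaked_over_http(set_cookie_headers: list[str], request_url: str) -> list[str]:
    """Names of cookies a browser would attach to the given request.

    Models the browser rule that sidejacking relies on: a cookie without the
    Secure attribute is sent on http:// requests too, so a session minted
    over HTTPS leaks as soon as the site serves anything over plain HTTP.
    """
    scheme = urlsplit(request_url).scheme
    leaked = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Morsel["secure"] is True when the flag was present, "" otherwise.
            if scheme == "http" and not morsel["secure"]:
                leaked.append(name)
    return leaked


if __name__ == "__main__":
    stripped, n = ssl_strip(LANDING_PAGE_HTTP)
    print(f"downgraded {n} references:", downgrade_targets(LANDING_PAGE_HTTP))
    print("cookies leaked on http://example.test/about:",
          cookies_leaked_over_http(LOGIN_RESPONSE_COOKIES, "http://example.test/about"))
```

Both functions show the same point from different ends: the first is what the attacker does to the page, the second is what the browser does with the cookie, and neither needs any flaw in TLS itself, only one plaintext page on the same host.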
Then, ‘Full Site SSL-ification’ is a good choice from a theoretical security point of view, but only in theory.
Different SSL-defeating attacks involve
+[] Flaws in libraries like NSS:
There was a……….
+[] Fake SSL certificate generation:
Not a flaw……….
So, if you look deeper into the serial-murder case file of SSL certificates, you’ll see it ain’t safe…
and so there is no point in arguing over its mixed/full implementation.

[hackersmag] Bypass user-level restrictions, bug-case in ‘’

Posted in AbhishekKr, ABK Labs, security on December 21, 2010 by abhishekkr

@ [21/Dec/2010]


Bypass of user-level restrictions, a case of a bug in ‘’

So, here is a bug (which has now been fixed) in… that allowed users to get a local copy of documents whose download and print options had been disabled.

It shows how a layered limitation can be broken, and why restrictions must be implemented root-level-up and not just as a user-level module.
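How a restriction that lives only in the viewer UI is bypassed, and what enforcing it root-level-up looks like, as an added example in Python (my own illustration, not the post's code or the affected site's): two small WSGI apps share one policy, but only the second checks it at the endpoint that actually hands out the bytes. The document store, the X-User header standing in for real authentication, and the URL layout are assumptions for the demo.

```python
from __future__ import annotations

import re

# Constructed sample: one document whose owner disabled download/print for
# other users.  Assumed data; the X-User header below stands in for auth.
DOCS = {
    "doc-1": {
        "owner": "alice",
        "downloadable": False,
        "pages": ["Page one text", "Page two text"],
        "raw": b"%PDF-1.4 constructed sample bytes",
    },
}


def may_download(doc: dict, user: str) -> bool:
    """The policy.  Where it is enforced is what the two apps differ on."""
    return doc["downloadable"] or user == doc["owner"]


def viewer_html(doc_id: str, buttons: list[str]) -> bytes:
    toolbar = "".join(f'<button name="{b}">{b}</button>' for b in buttons)
    return f'<div id="viewer" data-doc="{doc_id}">{toolbar}</div>'.encode()


def _route(environ) -> tuple[str, str]:
    return environ.get("HTTP_X_USER", "anonymous"), environ["PATH_INFO"]


def app_ui_only(environ, start_response):
    """'User-level module': the policy only decides which buttons the viewer
    shows.  The raw endpoint the viewer itself loads from has no check, so a
    direct GET /docs/<id>/raw returns the original to anyone."""
    user, path = _route(environ)
    if m := re.fullmatch(r"/docs/([\w-]+)", path):
        doc = DOCS[m[1]]
        buttons = ["print", "download"] if may_download(doc, user) else []
        start_response("200 OK", [("Content-Type", "text/html")])
        return [viewer_html(m[1], buttons)]
    if m := re.fullmatch(r"/docs/([\w-]+)/raw", path):
        start_response("200 OK", [("Content-Type", "application/pdf")])
        return [DOCS[m[1]]["raw"]]          # the bypass: no policy check here
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def app_enforced(environ, start_response):
    """'Root-level-up': the server decides per request.  A restricted viewer
    only ever receives server-rendered page text; the original file is
    returned only when the policy allows it, whatever the UI showed."""
    user, path = _route(environ)
    if m := re.fullmatch(r"/docs/([\w-]+)", path):
        doc = DOCS[m[1]]
        buttons = ["print", "download"] if may_download(doc, user) else []
        start_response("200 OK", [("Content-Type", "text/html")])
        return [viewer_html(m[1], buttons)]
    if m := re.fullmatch(r"/docs/([\w-]+)/page/(\d+)", path):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [DOCS[m[1]]["pages"][int(m[2])].encode()]
    if m := re.fullmatch(r"/docs/([\w-]+)/raw", path):
        doc = DOCS[m[1]]
        if not may_download(doc, user):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"download disabled for this document"]
        start_response("200 OK", [("Content-Type", "application/pdf")])
        return [doc["raw"]]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(app, path: str, user: str) -> tuple[str, bytes]:
    """Minimal WSGI driver so both apps run without a server."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "HTTP_X_USER": user}, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print("ui-only, bob, /raw:  ", call(app_ui_only, "/docs/doc-1/raw", "bob"))
    print("enforced, bob, /raw: ", call(app_enforced, "/docs/doc-1/raw", "bob"))
    print("enforced, alice, /raw:", call(app_enforced, "/docs/doc-1/raw", "alice"))
```

The viewer markup is identical in both apps, which is the point: hiding the button changes nothing about what the server is willing to return, so the check has to sit on the endpoint that serves the original bytes.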


[] Zozzle (Microsoft’s Javascript-Malware Analysis Tool)

Posted in AbhishekKr, Blogroll, security on December 10, 2010 by abhishekkr [9/Dec/2010]


In a sentence: Zozzle is a static web-page analyzer for detecting ‘heap-spray exploits’.
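A toy static heap-spray detector, as an added example in Python (my own illustration, not Zozzle's code): Zozzle classifies from features of the JavaScript AST, whereas this stand-in checks four textual signatures of the spray idiom (a wide-char unescape blob, a string doubled in a loop until a large length, and a loop filling an array with the same padded string) and requires several of them to fire. The two JavaScript samples are constructed for the demo and contain no real shellcode.

```python
from __future__ import annotations

import re

# Constructed samples (not real malware): the shape of a heap spray versus
# ordinary page script.  %u4141 is a placeholder, not a payload.
SPRAY_LIKE = r"""
var sc = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
var pad = unescape("%u0c0c%u0c0c");
while (pad.length < 0x80000) pad += pad;
var slide = new Array();
for (var i = 0; i < 500; i++) slide[i] = pad.substring(0, 0x7ffff) + sc;
"""

BENIGN = r"""
var items = [];
for (var i = 0; i < 20; i++) items.push({id: i, label: "row " + i});
document.getElementById("out").innerHTML = items.map(function (x) { return x.label; }).join(", ");
"""

# Hand-written textual features; Zozzle itself learns its features from the AST.
FEATURES = {
    # unescape("%uXXXX%uXXXX...") with at least four wide-char escapes
    "unescape_wide_chars": re.compile(r"unescape\s*\(\s*['\"](?:%u[0-9a-fA-F]{4}){4,}"),
    # while/for (...) s += s  or  s = s + s : string doubling
    "string_doubling_loop": re.compile(
        r"(?:while|for)\b[^{;]*\)\s*\{?\s*(\w+)\s*(?:\+=\s*\1|=\s*\1\s*\+\s*\1)"),
    # growing until a length in the hundreds of kilobytes or more
    "large_length_threshold": re.compile(r"\.length\s*<\s*0x[0-9a-fA-F]{5,}"),
    # for (...) arr[i] = <something> + <something> : filling the heap with copies
    "array_fill_loop": re.compile(r"for\s*\([^)]*\)\s*\{?\s*(\w+)\s*\[\s*\w+\s*\]\s*=\s*[^;]*\+"),
}


def heap_spray_features(js: str) -> dict[str, bool]:
    """Which of the textual spray signatures appear in the script."""
    return {name: bool(rx.search(js)) for name, rx in FEATURES.items()}


def looks_like_heap_spray(js: str, min_hits: int = 3) -> bool:
    """Flag a script when at least min_hits signatures co-occur.

    Requiring several features together is what keeps a lone unescape()
    or a lone string loop in ordinary code from being flagged.
    """
    return sum(heap_spray_features(js).values()) >= min_hits


if __name__ == "__main__":
    for label, sample in (("spray-like", SPRAY_LIKE), ("benign", BENIGN)):
        print(label, heap_spray_features(sample), "->", looks_like_heap_spray(sample))
```

The obvious weakness, and the reason the real tool works on a deobfuscated AST rather than source text, is that trivial obfuscation (splitting the string literal, aliasing unescape) defeats every one of these regexes while leaving the program's behaviour intact.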

[ 3-Things It Is ]

+ a product of


[] XSS Defeating PoC

Posted in Blogroll, security on September 7, 2010 by abhishekkr

@ [6/Sep/2010]

Video demo of the same PoC:
The whitepaper is also available at the SourceForge link above.
I was working on an XSS-patch PoC, which I now feel works well enough to prove its point.
It neither requires web developers to do any filtering/validation, nor any JavaScript-blocking add-on in the user’s browser.
