chrome browser security
11 Sep 2009

Exploiting Chrome and Opera’s inbuilt ATOM/RSS reader with Script Execution and more

Update: I missed pointing out the cutting-edge research done by Robert Auger in this area back in 2006 [1,2]. Also, Michal Zalewski has written about the RSS and ATOM vulnerabilities in the comprehensive Browser Security Handbook. Definitely check these links out.

SECURETHOUGHTS.COM ADVISORY – CVE-ID : CVE-2009-3263 (Chrome) – Release Date : September

Safari browser
11 Aug 2009

Hijacking Safari 4 Top Sites with Phish Bombs

Well, this one is an interesting issue I found while evaluating Safari 4 Beta (v528.16). This is not your usual XSS or CSRF bug which requires a site vulnerability, but a persistent browser backdoor that impacts all Safari 4 users using versions 4.0.2 and below. I was pretty amazed at

Opera browser
11 Aug 2009

Pwning Opera Unite with Inferno’s Eleven

Opera Unite, the upcoming version of the Opera browser, has a strong vision to change how we look at the web. For those unfamiliar with this radical technology, it extends your browser into a full-blown collaboration suite where you can chat with people, leave notes, share files, play media, host your sites, etc. (Wow!!). Opera

css style sheets
11 Jul 2009

Hacking CSRF Tokens using CSS History Hack

Update: Security researchers Sirdarckcat and Gareth were kind enough to share the code for a pure CSS-based CSRF token finder here. This is stealthier than my PoC below, which used a combination of both JS and CSS. So, it will still work even if you disable JavaScript and

Internet Explorer Browser
11 May 2009

Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection

Conventions: Attacker Domain – Target Domain – If you don’t remember, there was an important XSS vulnerability reported in all major browsers a while ago – IE7, Firefox and Opera. More information is available in the Secunia advisories here. The vulnerability was that if you don’t specify a charset in your

Tiny URL
11 Feb 2009

Unauthorized TinyURL URL Enumeration Vulnerability

I am sure everyone has heard of and used TinyURL before. If you don’t know, TinyURL is a web service that provides short aliases for easy redirection to long URLs. The service is completely free and hence most people are tempted to use it. It solves the hard problem of remembering