the world. according to koto

on security, malware, cryptography, pentesting, javascript, php and whatnots

Tuesday, June 28, 2016

Reflections on trusting CSP

›
Tldr; new changes in CSP sweep a huge number of the vulns, yet they enable new bypasses. Internet lives on, ignoring CSP. Let’s talk abou...
1 comment:
Thursday, July 31, 2014

JS crypto goto fail?

›
tldr;  A long , passionate discussion about JS crypto. Use slides for an overview. Javascript cryptography is on the rise. What used to b...
25 comments:
Saturday, March 22, 2014

When you don't have 0days. Client-side exploitation for the masses

›
Yesterday me and  @antisnatchor  gave a talk at Insomni'hack  entitled "When you don't have 0days. Client-side exploitation fo...
3 comments:
Monday, January 13, 2014

XSSing with Shakespeare: Name-calling easyXDM

›
tl;dr : window.name, DOM XSS & abusing Objects used as containers What's in a name? "What's in a name? That which we...
1 comment:
Friday, December 27, 2013

Rapportive XSSes Gmail or have yourself a merry little botnet...

›
tldr:  Learn how to code audit Handlebars applications. Xss in extension = fun times. Mosquito gets new features. It's that magic...
5 comments:
Monday, December 16, 2013

Breaking Google AppEngine webapp2 applications with a single hash

›
What's this, you think? 07667c4d55d8d81a0f0ac47b2edba75cb948d3a2$sha1$1FsWaTxdaa5i It's easy to tell that this is a salted p...
Tuesday, October 15, 2013

Exploiting EasyXDM part 2: & considered harmful

›
tldr: URL parsing is hard, always encode stuff and Safari has some interesting properties... This is a second post describing easyXDM v...
›
Home
View web version
Powered by Blogger.