https://netsec.expert/categories/web/ Recent content in web on Sam's Hacking Wonderland Hugo -- gohugo.io en the@netsec.expert (Sam Anttila) the@netsec.expert (Sam Anttila) ©{year} Thu, 04 Nov 2021 20:17:00 +0100 weekly https://netsec.expert/posts/automating-dom-xss/ Thu, 04 Nov 2021 20:17:00 +0100 the@netsec.expert (Sam Anttila) Thu, 04 Nov 2021 20:17:00 +0100 https://netsec.expert/posts/automating-dom-xss/ This article is a brief introduction to static analysis tools to hunt for client-side web vulnerabilities while giving some examples of ways I’ve successfully employed it so you can have fun with these tools too. What’s this about static analysis anyway? Static analysis is different from dynamic analysis (e.g., black-box testing with Burp). It never actually runs any code or depends on any running processes but instead parses raw source code. Sam Anttila bug hunting web development vulnerabilities https://netsec.expert/posts/mitigation-schmitigation-xss-and-httponly/ Mon, 16 Aug 2021 20:02:11 +0100 the@netsec.expert (Sam Anttila) Mon, 16 Aug 2021 20:02:11 +0100 https://netsec.expert/posts/mitigation-schmitigation-xss-and-httponly/ Did you know the ‘HttpOnly’ cookie attribute, intended to make it so that JavaScript can not read or write a particular cookie, is more of a handwavy suggestion than a requirement? It’s true. In the modern version of Chrome, regardless of the underlying OS, you can overwrite cookies with HttpOnly set. If you’ve been around long enough in web security or perhaps dug deep into the literature on web attacks, you might know this as ‘cookie jar overflow’, ‘cookie overflow’ (my favorite because it sounds delicious), or ‘cookie forcing’, because it’s really not a new attack. Sam Anttila bug hunting vulnerabilities web