Category Archives: Breaking stuff

Disclaimer: Everything that I say in this blog post about ShapeSecurity and their ShapeShifter product, is based on their YouTube video, their description of their product on their pages, and an article on PandoDaily. As such, the product may be … Continue reading →

I discovered Ghostery in the summer of 2012, when I was researching web-tracking and specifically web-tracking done through web fingerprinting. Ghostery is a really cool browser extension which helped me identify the domains that popular web fingerprinters used to deliver … Continue reading →

On my usual daily visit of Slashdot, I read that McAfee introduced a new application called “McAfee Social Protection” for Facebook. In a nutshell, you install their plugin, allow their application to control quite a bit of your Facebook and … Continue reading →

I’ve been recently reading Michal Zalewski’s “The Tangled Web”, a book which tries to map the whole security landscape around browsers and Web applications in about 300 pages… it does a pretty good job 🙂 Now, in Chapter 9, he … Continue reading →

Did you know that if you use a popular cheap web hosting product and you haven’t changed the default error pages of your sites, you are most likely hosting an open redirect? If not, read on 🙂 Suppose for a … Continue reading →

I still remember the good old days when I would just write “javascript:alert(document.cookie)” in my address bar and the browser would happily show me the JavaScript-accessible cookie values for the current domain. These were simpler days… Mid-2011 the developers of … Continue reading →

Its been a while since my last post so I decided to make it worthwhile :). I was recently checking a friend’s site for the classic Web application vulnerabilities, when I found a reflected XSS attack. While I was investigating … Continue reading →