The Security Blog

OpenBSD’s Network Stack

Nilesh — Sat, 22 Oct 2005 00:45:56 +0000

SecurityFocus has a great article on OpenBSD‘s network stack protection against DoS ICMP attacks, a short comparison with Linux’ stack, and some thoughts on OpenBGPD. All these new innovations are part of OpenBSD 3.8 which will be launched on November 1st.

Comprehensive Guide to nmap

Nilesh — Thu, 20 Oct 2005 01:41:56 +0000

I found an informative online book on using nmap. It has pictorial explanations of how nmap works with diagrams like these –

I am sure you will find it interesting. Check it out.

World’s first XSS Worm

Nilesh — Tue, 18 Oct 2005 01:13:49 +0000

In what could be considered as the first attempt to execute a worm (Samy/JS.Spacehero) using XSS techniques on websites, Samy demonstrated that web application developers should not take the XSS Threat lightly. Here’s an explanation of the technique he used (quoted from ilia.ws) –

He was able to inject raw HTML into his profile by breaking the normally disallowed “javascript” into components, relying on IE to “combine” it back together. This code snippet then utilized XMLHTTPRequest, usually used for Ajax to execute a request in the background that would cause the viewer to transparently add Samy (author of the trick) to their buddy list. The “worm” component of the hack used the same code to insert the attack HTML sequence into the profiles of comprised users allowing the hack to self propagate.

Read the description in detail by Samy here.