In any case, I did some presentations recently and thought I should probably put details up here.
I did a talk last November at Power of Community and XCon about the Same Origin Policy and some new ways of looking at it. Most of the new material was along the line of the GIFAR attacks Billy Rios came up with, which Nate McFeters, etc, ended up presenting at BlackHat, which took a lot of the wind out of my sails *shrug*. It should still be interesting, as it covers a lot of other things and points people in some uncommon directions. I've uploaded the paper I wrote and the slides here:
Slides
Paper
I also did a talk at RUXCON and 25c3 with Stefano Di Paola (and I even spelled his surname correctly this time! ^_^) called Attacking Rich Internet Applications, so here are some materials:
RUXCON Slides
25c3 Video Recordings
I never ended up releasing this while it worked since I didn't want to kill a bug, but if you look at the video or were at the presentation you may have seen me demonstrate an exploit for Tamper Data; the bug is almost identical to this one that I had claimed was exploitable. While my rationale in that post was incorrect (due to me testing with an old version of Tamper Data which was vulnerable in the way described), I came up with an interesting exploit for the bug in Firefox 3 which could have gained me code execution by editing about:config entries.
Here is the PoC exploit:
//This is just a PoC, have a look through about:config for any _string_ entry you would want to change
//This bug is kind of lame, but the exploit is cool, since it uses a Firefox bug to do damage (this should be unexploitable)
//Bug fires when a user graphs a malicious http request (open tamper data, graph the attack request)
header ("HTTP/1.1 200 OK
Mime Type: text/html\",event);' onMouseOut='hide_info();'>
?>
The bug is triggerable on old Tamper Data versions where the Graph Requests functionality worked, and if you graphed the malicious request/response the exploit would set app.update.url to jajaja.
The bug works by abusing a lack of access control on any objects that extensions create in their windows (it wasn't just Tamper Data, it happened in other extensions), where it was possible to read and modify the objects, and more importantly, call their functions. When you called a function that an extension had created, it was executed in the context of the extension, namely as chrome code.
It did not end up being necessary or useful for this exploit, however it was possible to call those functions and completely control all the data, etc, via calls such as opener.oTamper.whatever_function.apply(our_obj).
In any case, the access control bug died some time in the last few Firefox 3.0.X releases, but I'm not really sure which, since the graphing functionality in Tamper Data hasn't been working for even longer and it got to be too much effort to double check it.
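As an added illustration (not the original PoC and not Tamper Data's actual code) of the pattern the PoC abuses: a privileged window building an inline event handler from a captured header value by string concatenation, next to a hardened form that keeps the untrusted text in an escaped data attribute with the handler attached separately. The template, function names and the sample header value are assumptions.

```javascript
// Added example, not from the original post or from Tamper Data: a simplified
// model (assumed template, assumed function names) of rendering a captured
// HTTP header into a privileged window's markup.

// Constructed sample value shaped like the PoC's header payload.
const PAYLOAD = 'text/html",event);\' onMouseOut=\'hide_info();\'>';

// Vulnerable pattern: the header value is concatenated into a JS string that
// itself sits inside a single-quoted HTML attribute (two nested contexts), so
// a quote in the value ends the attribute early and the remainder becomes markup.
function unsafeHeaderCell(name, value) {
  return "<td onMouseOver='show_info(\"" + name + ": " + value +
    "\",event);' onMouseOut='hide_info();'>" + name + "</td>";
}

// Escape for an HTML attribute value; covers both quote styles and tag chars.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Hardened pattern: no inline handler at all. The untrusted text lives in an
// escaped data attribute; one listener registered with addEventListener reads
// it via el.dataset.info, so there is no JS-string context to break out of.
function safeHeaderCell(name, value) {
  return '<td class="hdr" data-info="' + escapeHtmlAttr(name + ': ' + value) +
    '">' + escapeHtmlAttr(name) + '</td>';
}

// Inspection helpers: find where a quoted attribute value ends the way a
// browser would, count attribute occurrences, and undo escapeHtmlAttr.
function attributeValue(html, attr) {
  const m = html.match(new RegExp(attr + "=(['\"])(.*?)\\1"));
  return m ? m[2] : null;
}
function countAttr(html, attr) {
  return (html.match(new RegExp('\\b' + attr + '=', 'g')) || []).length;
}
function decodeHtmlAttr(s) {
  return s.replace(/&#39;/g, "'").replace(/&quot;/g, '"').replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<').replace(/&amp;/g, '&');
}
```

With the payload, the unsafe cell ends up with two onMouseOut attributes and a truncated onMouseOver, while the safe cell carries the full value back out of data-info unchanged.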
I also did a presentation at the OWASP Australia Conference in February titled "Examining and Bypassing the IE8 XSS Filter", which might be some nice background for people, but will probably be greatly surpassed by sirdarckcat & thornmaker's upcoming Black Hat presentation. Here are the Slides.
I also did a presentation on Writing Better XSS Payloads at EUSecWest in May, however I haven't uploaded the slides since I'm trying to submit it to Hack In The Box Malaysia to have the material reach a wider audience, so unless it is rejected, you'll have to wait until then to see it... Or email me.
And that's all for now...