Thursday, February 15, 2007

Reflection on RSnake


If you have heard of XSS cheat sheet or http://ha.ckers.org/ cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n you already know him. His name is Robert Hansen or more popularly known as RSnake. If cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is any mention of XSS, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is a big chance RSnake’s name or its cheat sheet is mentioned along with it. His contribution in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 web application security awareness is legendary. On two of his many web sites (http://ha.ckers.org/ and http://sla.ckers.org/ ) you will find a wealth of information on various aspects of webappsec. His XSS cheat sheet is arguably cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most referenced link in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 webappsec space with 27000 hits in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 month of January ’07 alone and http://ha.ckers.org/ has around 10,000 unique visitors per day (not counting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 RSS feeds) making it probably cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most followed blog in webappsec field. He has shared his technical expertise with a lot of industry professionals in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir work including but not limited to working with Microsoft engineers to address XSS issue, Cloaking to Stop Scraping, and his discussion with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 author of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 chilling effect.

Looking at his past, he started hacking when he entered college, which was when cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 web applications were just getting started. In his words

"I'm a college dropout but was studying Computer Engineering. It was way too boring. They were dealing with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365oretical nuances of computers and outdated technology (Pascal pseudo-code on Macintosh assembler). At cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same time that I was going to school, in my part time jobs I was doing in practice what my professors could only barely grasp from a cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365oretical perspective. This was pre-bubble and my parents and my teachers were telling me to get out cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re and make my millions. I took angel funding for a project, and everything seemed to be going well, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 stock market crashed, investment money dried up and I learned a hard lesson. It was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 day I closed up shop at my own company that I learned everything I need to know about business.
My first PERL script was a top100 list for webfringe.com (long gone now). I had a lot of people trying to hack it. It was a fun experiment that I finally gave up on due to time issues, but it gave me a lot of insight into how you can spoof traffic. Hackers have some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most interesting traffic on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet. It's a pleasure to host security sites, because I get great visibility into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 techniques and tools.”

RSnake is currently based out of California but is planning to move to Texas, US and start his own company SecTheory. In cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 WASC meetup I got a chance to meet with him, and for a person who is known and respected by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hackers and security professionals alike, he is very down to earth and with a good sense of humor, unlike a typical geek. Below are some of his contributions to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 webappsec community. I say some because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 information below does not represent all his work. Even he has lost track of some of his work over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 years.

Articles / Books

PGP Man in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Middle Attack

AcuTrust Entropy Attacks

Hardening HTAccess, Part One

Hardening HTAccess, Part Two

Hardening HTAccess, Part Three

Accessing Trillian Pro Remotely and Through an Encrypted Tunnel

Death By 1000 Cuts – a Case Study
http://ha.ckers.org/deathby1000cuts/

Is your money safe?
http://ha.ckers.org/old/

Electronic Commerce Insecurity
http://ha.ckers.org/old/10102002.shtml

Internet Mind Games
http://ha.ckers.org/old/07221998.shtml

Apache Information Disclosure Issues or, "How to detect cloaking"
http://www.secureseo.com/blog/2006/04_07_apache_information_disclosure_issues.html

He is also co-authoring a book on XSS to be released tentatively on March 1, 2007
Cross Site Scripting Attacks: XSS Exploits and Defense


Tools written by him:-

Fierce
http://ha.ckers.org/fierce/

MHTML framework
http://ha.ckers.org/weird/mhtml.zip

XSS fuzzer
http://ha.ckers.org/fuzzer/XSSFuzz.zip


Contributions:-

Lots of changes to browser technology over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 years. Started a number of security sites, written hundreds of articles, dozens of tools and many sample PoC. He has also presented at Blackhat USA and Networld+Interop on a Security Information Management roundtable (couldn’t find cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 url)


Blogs:-

Web Application Security Blog
http://ha.ckers.org/

Snake Bytes
http://www.darkreading.com/blog.asp?blog_sectionid=403


Websites:-

He had started many security related sites, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se two are most popular

To discuss any aspect on web application security
http://sla.ckers.org


Memberships:-

ISSA, CISSP, OWASP, WASC, IASCP. He is also working on something to certify web application security engineers.


Companies worked for:-

He has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer. He is now starting his new company SecTheory - doing boutique web application and network security consulting.


Email:-

h__at__ckers.org

We will see a lot more contribution from him as he is working on some very cool stuff and if you want to stay on top of webappsec cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n make http://ha.ckers.org/ as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first site you visit to. I wish him all cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best in his new endeavor.


Last Week – Amit Klein
Next Week – Jeremiah Grossman

2 comments:

Anonymous said...

awesome stuff man. Will be following you.

Cheers

Rishabh
PROHACK|INDIA

Anonymous said...

Oh, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 days of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 fringe. That was some genuine stuff at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 time, and genuine people. I miss it :/