Posts

Showing posts from February, 2013

XSS in Ajax

The following functions needs to be inspected for XSS as they might be 'possible' pointers to XSS. They could be a pointer to possible xss attacks: eval() document.write() innerHTML() write()
Safe function: Instead of using innerHTML, one should use innerText() XSS payload in Jason and their effects: A nice example from iSec Partners: var inboundJSON = {"people": [
{"name": "Joel", "address": “<script>badStuff();</script>", "phone": “911"}
]
};
someObject.innerHTML(inboundJSON.people[0].address);               // Vulnerable
document.write(inboundJSON.people[0].address);                             // Vulnerable
someObject.innerText(inboundJSON.people[0].address                     // Not Vulnerable

Android Application Assessment

A nice article on a detailed assessment strategy of Android applications. Well explained and comprehensively written.
Article describes different stages in android assessment, tools, methodologies and native tools with screenshots.
You can find the article here: Android Application Assessment


Also have a look at Web application Security Course offered by InfosecInstitute.