AntiSamy 1.4.1 (finally) released!
You may be thinking, “what the hell happened to 1.4?” A few things. First, I had a baby. That was really hard. Then, we were trying to manage all the logistics of moving to a new project structure...
View ArticleJavaSnoop released at BlackHat 2010
I’m flying back from Blackhat today where I presented and officially released JavaSnoop, a tool that makes security testing thick Java clients really, really easy. We use some magically awesome...
View ArticleClik here to view.
My LaFarge #2 reversing challenge solution
I’m trying to expand my skillset to the point where I can understand one of Nico Waisman’s BlackHat talks, and that means I have work to do (and maybe a brain transplant too). I’ve always had decent...
View ArticleClik here to view.
Arshan’s Perfectly Objective Summary of Immunity’s Hack Cup 2010
Here’s my (possibly distorted) recollection of Immunity’s Hack Cup 2010, complete with terrible security puns. Thanks to my teammates on SensePost/#TeamZA for winning! And thanks to Nico Waisman...
View ArticleClik here to view.
EasyRMtoMP3 exploit for Vista SP2
In my likely impossible challenge to ever understand one of Nico Waisman’s talks, I found corelanc0d3r’s site. Wow. Awesome tutorials on everything from direct EIP overwrites to ROP. His first...
View ArticleJavaSnoop 1.0 FINAL released!
In the past few weeks I used JavaSnoop RC6 to assess a privileged applet application that had it’s own secure message protocol on top of mutually-authenticated HTTPS. Kind of a tough nut to crack,...
View ArticleAntiSamy 1.4.2 released
We released AntiSamy 1.4.2 a few days ago. This is a minor release with a lot of housecleaning behind it. The main purpose for the release was to address a vulnerability in the DOM engine discovered by...
View ArticleClik here to view.
pwnshell – a better jsp shell
What do you do when you have an arbitrary file upload to a web-accessible directory in J2EE? Obviously, you need a JSP shell! But there’s one problem: the available ones are kind of terrible. The...
View ArticleAntiSamy 1.4.4 released!
We’ve released another version of AntiSamy into Maven and on the main downloads page. In terms of the actual code changes, there are just a few things – it’s more of a directional change for our...
View ArticleContrast: Towards a Future of Self-Diagnosing Applications
I haven’t blogged or released much research in the last two years. If you care about that, which I doubt you do, then I’m sorry. I’ve been putting all of my energy into Contrast, a completely new way...
View Article
