Author Archives: nb

Exploitation of Open URL AJAX Requests and DOM-based XSS using CORS

By | December 9, 2014

I noticed a couple of somewhat interesting vulnerabilities earlier this year that require the use of cross-origin resource sharing to exploit. Consider the following JavaScript code and assume that the getQueryString function returns the value of the “someUrl” parameter in the query string by parsing the document.location object. In the vulnerable page, the web application asks… Read More »
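The pattern the excerpt describes, as an added example that is not code from the original post: a page reads a URL out of its own query string, fetches it with XMLHttpRequest, and writes the response into the DOM. Because the attacker owns the target server, a permissive Access-Control-Allow-Origin header makes the cross-origin XHR succeed and the attacker's response lands in the sink. The assumed parameter name is “someUrl” (from the post); the function names, the page URL and the fix (resolving the value against the page's own origin and refusing anything that leaves it) are this example's own.

```javascript
// Added example: open-URL AJAX request and a same-origin check that closes it.
// Assumes a query-string parameter named "someUrl" (as in the post) and that
// the vulnerable caller passes the value to XMLHttpRequest and writes the
// response into the DOM. Runs under Node using the WHATWG URL API.

// Return one parameter from a query string such as "?someUrl=...".
function getQueryString(search, name) {
  const params = new URLSearchParams(search); // a leading "?" is stripped for us
  return params.get(name); // null when absent
}

// Vulnerable version: whatever the parameter says is what the page fetches.
// If the attacker's server answers with Access-Control-Allow-Origin: * the
// XHR succeeds and the response reaches the caller's sink (for example
// innerHTML), which is the DOM-based XSS the post describes.
function vulnerableTarget(search) {
  return getQueryString(search, 'someUrl');
}

// Hardened version: resolve the value against the page's own URL and refuse
// anything whose origin differs. Protocol-relative values ("//evil.example/x"),
// other schemes ("javascript:", "data:") and absolute URLs to other hosts all
// resolve to a different origin (or to the opaque origin "null") and are rejected.
function safeTarget(search, pageUrl) {
  const raw = getQueryString(search, 'someUrl');
  if (raw === null) return null;
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(raw, page); // relative values resolve against the page
  } catch (e) {
    return null; // unparseable input is not fetched
  }
  if (target.origin !== page.origin) return null;
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  return target.href;
}
```

Even with the URL pinned to the page's origin, the response should still be written with textContent rather than innerHTML unless the endpoint is known to return markup the page trusts; the origin check only removes the attacker-controlled server from the picture.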

Understanding Fragment Injection

By | June 18, 2014

A colleague asked me about an Android vulnerability called fragment injection because of an article he read [1], and I think it's worth diving into the details of the vulnerability. Fragment injection is a classic example of using reflection in an unsafe way (CWE-470) [2]. That is, untrusted data from an Intent is used to… Read More »

Cordova InAppBrowser Remote Privilege Escalation

By | April 14, 2014

Earlier this year, I identified an interesting vulnerability (CVE-2014-0073) in one of Apache Cordova’s core plug-ins (InAppBrowser). Cordova, also sometimes referred to as PhoneGap, is a popular cross-platform mobile framework that allows developers to write mobile applications in JavaScript and HTML. The JavaScript and HTML code executes within the Cordova WebView and has access to… Read More »

Abusing WebView JavaScript Bridges

By | December 21, 2012

Android applications often use the WebView class to embed a browser component within an Activity in order to display online content. For example, the following code will show the Google homepage within an Activity. WebView webView = new WebView(this); webView.getSettings().setJavaScriptEnabled(true); webView.loadUrl(""); An application can inject Java objects into a WebView via the addJavascriptInterface function. … Read More »

Content-Type Blues

By | February 29, 2012

Assuming an attacker can control the start of a CSV file served up by a web application, what damage could be done? The example PHP code below serves up a basic CSV file, but allows the user to control the column names. Note that the Content-Type header is at least set properly. <?php header('Content-Type: text/csv');… Read More »

Bypassing Flash’s local-with-filesystem Sandbox Redux

By | December 12, 2011

I suppose I should explain what Adobe refers to as a security control bypass (CVE-2011-2429). A number of different security sandboxes exist that the Flash Player uses to restrict SWFs. In this case, I was able to create a SWF that bypassed the restrictions imposed by a local-with-filesystem sandbox. “The local-with-filesystem sandbox–For security purposes,… Read More »

Don’t Believe Everything You Read

By | December 6, 2011

Searching for “how to prevent cross site scripting in .NET” in Google produces a number of interesting results. The first link points to a MSDN article titled How To: Prevent Cross-Site Scripting in ASP.NET, but this article includes the following code snippet, which “uses HtmlEncode to ensure the inserted text is safe”, but this code… Read More »

No Love for the Null Byte

By | September 22, 2011

Attackers have commonly used the null character to bypass file extension restrictions during the exploitation of local file inclusion vulnerabilities. rain.forest.puppy outlined this type of attack against Perl-based CGI applications in Phrack issue 55 over ten years ago, but the problem has also affected web applications written in other higher-level languages such as Java, .NET, and… Read More »
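The check-versus-use gap behind this bypass, as an added example that is not code from the original post: a high-level language compares the whole string, including everything after a NUL, while the C-string based file API underneath stops at the first NUL and opens a different name. The allowed-extension list, the function names and the simulated "C view" of the string are this example's own assumptions; the file names fed to it are constructed.

```javascript
// Added example: a null byte slips a file past an extension check.
// Assumes an upload or include handler validates the extension in a
// high-level language and then hands the same name to a file API that
// treats it as a NUL-terminated C string. Runs under Node; the C-string
// view is simulated with a string slice rather than a real open().

const ALLOWED_EXTENSIONS = ['.jpg', '.png', '.gif']; // assumed allow-list

// What a NUL-terminated file API would actually open: the bytes before the first NUL.
function asCString(name) {
  const nul = name.indexOf('\0');
  return nul === -1 ? name : name.slice(0, nul);
}

// The historical check: a string-level extension test. It accepts
// "shell.php\0.jpg" because the JavaScript string really does end in ".jpg".
function naiveExtensionCheck(name) {
  const lower = name.toLowerCase();
  return ALLOWED_EXTENSIONS.some((ext) => lower.endsWith(ext));
}

// Hardened check: refuse NUL and other control characters outright, drop any
// directory components, then test the extension of the name that will be used.
function hardenedExtensionCheck(name) {
  if (/[\u0000-\u001f\u007f]/.test(name)) return false;
  const base = name.split(/[\\/]/).pop(); // basename for both separator styles
  if (base === '' || base === '.' || base === '..') return false;
  const lower = base.toLowerCase();
  return ALLOWED_EXTENSIONS.some((ext) => lower.endsWith(ext));
}

// Summarise one name: which file the runtime would touch and what each check decides.
function evaluate(name) {
  return {
    opened: asCString(name),
    naiveAllows: naiveExtensionCheck(name),
    hardenedAllows: hardenedExtensionCheck(name),
  };
}
```

Many current runtimes now reject a NUL inside a path before it reaches the C layer, so the bypass mostly affects older platforms and code that builds paths from raw bytes; the hardened check above is still the right shape because it validates the same value the file API will see.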