Friday, 30 May 2014

Game to learn how to find XSS Bugs (by Google)

As you can see on and read on Google Launches Game to Teach XSS Bug Discovery Skills , this could be a really interesting way to reach developers.

I will try to give it a test drive and see how easy/hard it is.

I wonder if this could also be used to teach kids about application security (and how fun it can be to break it :)  )

I'm delivering "Writing Secure Java EE Web Applications Training Course" (June 19,20 in London)

Next month I'm teaching a 2 day training course for JBI here in London, on the topic of "Writing Secure Java EE Web Applications Training Course"

As the description mentions (see below), this is going to be a highly interactive course, where I will customise the course depending on the attendees experiences, knowledge and focus.

The cost is £1,500 GBP and if you are interested, you can use the form on this page or ping me directly (so that I put you in touch with the right guys at JBI)

Here is the blurb I wrote for this delivery:

XSS PoC on Lync 2010 (using C# WebClient, WebBrowser and WatiN)

Today I needed write an O2 C# script that was able to put an XSS payload on the UserAgent Header.

This was to write a PoC for the Microsoft Lync 2010 server which is (quasi)vulnerable to anonymous XSS via the UserHeader (the payload lands inside an Javascript).

This is a known and accepted issue, which has been previously reported and accepted by Microsoft and in 2014 is much harder to exploit:

Here are the PoCs I wrote (also on this gist (embedded below))

Thursday, 8 May 2014

Watching google crawl TeamMentor site (10m after blog post)

This is really interesting and telling of Google's crawling speed and updates.

I posted What are the main TeamMentor use cases? (and "Don't copy and paste from Google, copy and paste from TeamMentor") 10 minutes ago, and while looking at the new 'TM 3.4.1 real-time TeamMentor Activity' viewer, I noticed a number of 404s:

What are the main TeamMentor use cases? (and "Don't copy and paste from Google, copy and paste from TeamMentor")

(Earlier today I was asked "What are the most compelling use cases for TeamMentor" and here is my answer:)

There are a couple pages in SI's website that cover some of the common use cases : see here  and here

I think the main use-case is in 'answering Developers/Testers questions'

I like to think of the workflow as in "Don't copy and paste from Google, copy and paste from TeamMentor"

For example take a look at the .NET 4.0 library (direct link here) , if you filter by 'Code Example'

Friday, 2 May 2014

Some hacking for the weekend (with an AppSensor and O2 Platform flavour)

(originally posted to the OWASP leaders list)
---------- ---------- ---------- ---------- ---------- ---------- ---------- 

As you can see on Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job) I'm inviting the world to hack the app I'm been working for the past years.

You can either do a pure black-box (on ) or look at the source code (clone from and run locally or in Azure (only needs .NET 4.0, no DB install required) 

There is quite a lot of OWASP influence in this release of TeamMentor, from the O2 Platform FluentSharp libraries (which make me a lot more productive as a developer), to the AppSensor-like features (see below) and the multiple OWASP-inspired coding strategies used to keep the app secure (look for example at the ASMX and WCF security tests or the .NET Security Demands).

What is really cool and I'm very excited about, is the first pass at adding AppSensor capabilities to this app. 

Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job)

TeamMentor (TM) is the project I have been the main developer for the past couple of years, and as we approach another release (v3.4.1), I would like to invite you all to have a go and hack it (i.e. find security vulnerabilities, report them to us, learn a bit and maybe even get paid or get a job offer :)

TeamMentor is a web-based Security KB with tons of prescriptive security guidance, how-tos and guidelines. It is built on C# .NET 4.0,  jQuery with a bit of AngularJS;  and you can see in action at (you can create an eval account and have access to the entire content for 15 days)