About two weeks ago I was uploading something to skitch.com and saw an inline button. So being a security person myself, I decided to try some XSS on their fields. 1, 2, 3, 4 tries done, I was able to load some of my javascript from a remote host and the nice thing is that this was a public URL. So for fun I sent the URL to a few friends. What that script was really doing was taking their cookies, writing to a file on my server and sending them back to the main page of skitch. So basically what people told me was that the link didn’t work, they were sent to the main page. In the meantime I was finishing my PoC by editing my cookie with their cookies. After about 10 minutes I had changed their first name and last name. (more…)
Posts Tagged ‘audits’
About this blog
We like to blog about things we're passionate about. We love PHP, MySQL, CouchDB, Linux, Apache - web development standards. We also like writing about building web apps and working with web technology.
You can email us on freedom@echolibre.com
Follow us on Twitter
Eamon Leonard - @EamonLeonard
David Coallier - @DavidCoallier
Helgi Þormar Þorbjörnsson - @h
J.D Fitz.Gerald - @jdfitzgerald
Noah Slater - @nslater
Court Ewing - @courtewing
echolibre products
echolibre Sponsors
Latest Posts
- PHPTek 2010, FRAPI release party!
- Frapi API Tester
- Go the right way with WonderProxy
- Switzerland, Microsoft and the JumpInCamp!
- The Capsule CRM API and PHP
- Heard about the JumpInCamp?
- Guest Post: Ben Chapman’s week of code (Part II)
- Guest Post: Ben Chapman's week of code
- CouchDB, Custom Erlang Map Functions
- Event: Josh Holmes talks PHP, Ruby & Azure
- An open invitation to the Irish Web Industry
- HipHop for PHP, Facebook unveils it's magic
- What is Funconf?
- 2009: A Year of Startups, Conferences & Open Source
- Microsoft Web Developer Summit
- PHP Advent 2009: Developers Versus Designers
- Why JavaScript is the future
- Memcache and Python, getting started
- Speed-Speaking
- Catching up on ZendCon
- How to build an API in 5 minutes
- Our TechCrunch50 experience
- CouchDB, the project, the crowd
- Announcing CloudSplit
- We have moved!
- Conferences, conferences, conferences
- Work with us, we're awesome!
- jQuery JSON Autocomplete
- Recommended PHP Standards Group
- MySQL Meetup Dublin - 24th June 2009
Archives
Archives
Categories
Categories
- APC
(2)
- API (4)
- Azure (2)
- Cloud Computing (3)
- CloudSplit (3)
- community (5)
- couchdb (2)
- Customer Service (1)
- echolibre (35)
- Facebook (1)
- frapi (2)
- funconf (1)
- HipHopPHP (1)
- industry (28)
- innovation (12)
- Irish Internet Association (1)
- jquery (2)
- json (2)
- leadership (3)
- LLVM (1)
- memcache (1)
- Microsoft (3)
- Micrsoft (1)
- mysql (1)
- Open Source (15)
- OpenSoho (1)
- OSS Bar Camp (5)
- PEAR (6)
- performance (6)
- phc (1)
- PHP (19)
- PHP London (3)
- PJSF (1)
- python (2)
- recession (2)
- RoadsendPHP (1)
- security (5)
- startups (3)
- TechCrunch50 (1)
- twitter (2)
- Uncategorized (2)
- Web Development Working Group (1)
- web3.0 (3)
- Zend Framework (3)
Feeds
- RSS 2.0 - blog.echolibre.com/feed/
- Atom - blog.echolibre.com/atom/
echolibre limited is registered in Ireland, company number 451576. Directors: Eamon Leonard, J.D Fitz.Gerald. Registered Office: 64 Dame Street, Dublin 2, Ireland.