Channel: Frederik Braun
Browsing all 31 articles

The First Post

This is the first post of hopefully many. This blog will share recent events within the security community and Mozilla in general. My posts will be short digests, bundling old and new gossip in a...

Week 29 2013

In our Security Disaster of the Week, H. Marco and Ismael Ripoll found out that all applications statically linked and compiled via glibc since 2006 have their pointers protected by being XORed with...

Security Review: HTML sanitizer in Thunderbird

I spent a few days working on a security review for Thunderbird's HTML sanitizer. Thunderbird has three presets for viewing mail: Original HTML, Simple HTML, and Plain Text. No matter which preset the...

html2dom

I originally blogged about html2dom on the Mozilla Security Blog. Having spent significant time reviewing the source code of some Firefox OS core apps, I noticed that a lot of developers like to use...

On the X-Frame-Options Security Header

This blog post about X-Frame-Options was originally published on the Mozilla Security Blog. A few weeks ago, Mario Heiderich and I published a white paper about the X-Frame-Options security header. In...

Tales of Python's Encoding

This article was also published in the third issue of the International Journal of PoC || GTFO. This is my submission after editorial "grooming" and "[dressing] in the best Sunday clothes of proper...

(Self) XSS at Mozilla's internal Phonebook

This is a short summary about a goofy XSS/CSRF exploit on an internal web page at Mozilla. A few weeks ago I discovered that our "phonebook" supports a limited wiki-syntax in the profile descriptions...

Revoke App Permissions on Firefox OS

On Firefox OS (FxOS), every app has its own set of permissions. The operating system makes sure that an app may only do things that are requested in the app manifest. Some of these permissions are...

Subresource Integrity

This article has been superseded by a more recent write-up of my presentation from OWASP AppSec EU 2015. Alternatively, you can download the slides or watch the video on YouTube. Some time ago, I...

My thoughts on Tor appliances

Anonabox is not a magic bullet! Yesterday, a lot of mainstream media (e.g., WIRED) started reporting about anonabox, an "open source embedded networking device designed specifically to run Tor", to...

German Firefox 1.0 ad (OCR)

Back when Firefox 1.0 was released, hundreds of thousands of volunteers supported the Spread Firefox project to buy an advertisement in the New York Times. The same happened in Germany,...

The Twitter Gazebo

Earlier this week, Twitter rolled out a new account dashboard. This new feature allows users to manage app access to their account and gain insights into previous logins and their metadata (IP address,...

A CDN that can not XSS you: Using Subresource Integrity

This blog post is the text version of my presentation from OWASP AppSec EU 2015. You can download the slides or watch the video on YouTube. In this blog post, I explain Subresource...

Teacher's Pinboard Write-up

I found the address of the teacher's pinboard! Can you try to get in and read all teachers' notes? Maybe you need to attack the admin account as well. The fluxfingers (again) hosted the Capture The...

Firefox OS apps and beyond

I have written two Firefox OS apps, which are both not very popular. You may stop reading here if you haven't used either squeezefox or wallabag-fxos. This article is about how I think they should...

New CSP directive to make Subresource Integrity mandatory (`require-sri-for`)

Background: GitHub is one of the first big websites using Subresource Integrity and can thus defend against potentially bad Content Delivery Networks (CDNs). The tricky thing with SRI is that you have...

Finding the SqueezeBox Radio Default SSH Password

Note: This post was originally hosted somewhere else. Republishing here for better visibility. Also, the slimdevices wiki has a section on SSH authentication that mentions the default password. I must...

Challenge Write-up: Subresource Integrity in Service Workers

For those who have not participated in my challenge, this document is about implementing security features in ServiceWorkers. A ServiceWorker (SW) is a type of Web Worker that can intercept and modify...

Chrome switching the XSSAuditor to filter mode re-enables old attack

Update: In July 2019, Chrome developers announced that they are going to remove XSSAuditor. You can follow their bug tracker here. Recently, Google Chrome changed the default mode for their Cross-Site...

XSS in The Digital #ClimateStrike Widget

Life keeps me busy, which is why this blog is seeing less and less publications. It's also the reason why I couldn't join the Global Climate Strike on September 20th. Friends have pointed me towards...
