The organisers of New Zealand hacking convention Kiwicon have created some PR the only way they know how, l33t h4x0ring. Using a XSS bug in NZ's largest newspaper the NZ Herald they created a fake URL that injected javascript to rewrite an article there. The URL got passed around and soon ended up with genuine media coverage in NZ Herald's biggest competitor Stuff. An earlier effort on the NZ Computerworld site was quickly fixed and got no media coverage.
posted by sycophant on Aug 28, 2007 - 14 comments

Klaatu barada...Jikto? First there was Nikto. Then along came Wikto. Last Saturday at Shmoocon Billy Hoffman introduced the world to Jitko, a client-side vulnerability scanner that exploits your browser & turns your PC into a platform for finding holes in computers across the Internet (or behind your firewall). Reactions were mixed. Does Jikto go too far?
posted by scalefree on Mar 28, 2007 - 11 comments

CSRF (Cross Site Request Forgery) is starting to become a real issue for many web forums. While the vulnerability has been around for a while, recently it has become more interesting. Luckily the policy against against self linking and some recent fixes should protect readers here.
posted by mock on Oct 22, 2006 - 69 comments

Cross Site Scripting (XSS) Filter Tests Are you in charge of a system that allows users to enter comments? Here's a huge list of techniques that may be used against you (or, "why you shouldn't use regex").
posted by null terminated on Dec 7, 2005 - 9 comments