Monthly Archives: January 2015

When HTML Encoding Helped XSS

Recently I was pentesting a web app that had an unauthenticated XSS vulnerability but there was some heavy filtering in place. Nonetheless I was able to achieve session fixation using a combination of a technique I previously explained and some fun filter workarounds – including using the application’s own defensive HTML encoding to create a working XSS payload! Continue reading →

Five Considerations for HTTP Public Key Pinning (HPKP)

3 Replies

Scott Helme recently published a how-to on HPKP (HTTP Public Key Pinning), which got me thinking about some of the finer details. I’ll assume you’re familiar with the basic idea and go straight into five points worthy of highlighting that arise from Scott’s article and the specification itself. Continue reading →

Explore Security

IT security tools, techniques and commentary

Monthly Archives: January 2015

When HTML Encoding Helped XSS

Five Considerations for HTTP Public Key Pinning (HPKP)