[Owasp-leaders] Does anyone have an email address for Benjamin Mosse?
Arshan Dabirsiaghi
arshan.dabirsiaghi at aspectsecurity.com
Wed Apr 1 10:55:50 EDT 2009
He claims here that he has 2 proofs of concept for bypassing AntiSamy:
http://blog.engineeringforfun.com/hacking-related/bypassing-owasps-antisamy.html
Yet when I try both the vectors on my public-please-hack-me test page,
they fail:
http://i8jesus.com:9080/AntiSamyDemoWebApp/test.jsp?profile=Proof+of+concept%0D%0A%3Ca+-+href%3D%22%2F%22+onmouseover%3D%22javascript%3Aalert%281%29%22%3Elink%3C%2Fa%3E%0D%0A%3Cimg+.+src%3D%
Comments are bizarrely turned off on his blog and I can't find his
email. I'm trying to temper my irritation in case he actually has
something, but the prospect of an OWASPer trying to "out" another
OWASPer with non-reproducible slander is very disappointing.
Arshan