[Owasp-leaders] Does anyone have an email address for Benjamin Mosse?

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Apr 1 10:55:50 EDT 2009


He claims here that he has 2 proofs of concept for bypassing AntiSamy:

http://blog.engineeringforfun.com/hacking-related/bypassing-owasps-antisamy.html

Yet when I try both the vectors on my public-please-hack-me test page,
they fail:

http://i8jesus.com:9080/AntiSamyDemoWebApp/test.jsp?profile=Proof+of+concept%0D%0A%3Ca+-+href%3D%22%2F%22+onmouseover%3D%22javascript%3Aalert%281%29%22%3Elink%3C%2Fa%3E%0D%0A%3Cimg+.+src%3D%

Comments are bizarrely turned off on his blog and I can't find his
email. I'm trying to temper my irritation in case he actually has
something, but the prospect of an OWASPer trying to "out" another
OWASPer with non-reproducible slander is very disappointing.

Arshan
