Security/Meetings/Automation/2015-02-24

From MozillaWiki
Latest revision as of 16:31, 3 March 2015

Agenda

  • status updates
  • csp `unsafe-eval`
  • anyone tried https://github.com/toolness/security-adventure ?

Status Updates

  • mgoodwin
    • superfish: hotfix to remove the root cert from firefox
    • flag a root ca in the local store to change the EV icon displayed
    • Scriptless Attacks paper (CCS 2012): http://www.hgi.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf
    • html sanitization with js template strings / quasi literals
<pre>
// title and linktext come from the user, e.g.
// title = "onerror=....
// linktext = <script>....</script>
var title = prompt();
var linktext = prompt();
// Tagged template: escapingFunction receives the literal chunks and the
// interpolated values separately, so each value can be escaped first.
function escapeHtml(v) {
    return String(v).replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}
function escapingFunction(strings, ...values) {
    // strings = ['<a href=# title="', '"> click me ', ' </a>'], values = [title, linktext]
    return strings.reduce((out, s, i) =>
        out + s + (i < values.length ? escapeHtml(values[i]) : ''), '');
}
escapingFunction`<a href=# title="${title}"> click me ${linktext} </a>`
</pre>
    • reader-mode in nightly (spare-time project :))
  • psiinon
    • ZAP tweaks
    • simon got accepted into owasp appsec eu :-P
  • jeff
    • Working on tweaks to make mongo look like crossfilter for moar realtime updates to things like pie charts, histograms.
    • Got a start at enabling oculus rift in the attacker screen
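The template-string sanitization idea from mgoodwin's update, worked out as an added example (not code from the meeting or from any Mozilla project): a tag function that escapes each interpolated value for the position it lands in and refuses positions where character escaping cannot help. The function names, the attribute allow/deny rules and the sample `title` and `linktext` values are constructed for this example.

```javascript
// Added example: a context-aware escaping tag for JS template strings.
// The tag receives the literal chunks and the interpolated values separately,
// so it can pick an escaper per placeholder from the literal HTML before it.
function escapeText(v) {
  return String(v).replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
}
function escapeAttr(v) {
  return String(v).replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}
// Classify the placeholder position from the HTML emitted so far. Only
// element text and quoted, non-scriptable attribute values are accepted;
// tag or attribute names, unquoted values, event handlers and URL/style
// attributes are rejected, since escaping characters cannot make them safe.
function contextOf(prefix) {
  let inTag = false, quote = null;
  for (const c of prefix) {
    if (quote) { if (c === quote) quote = null; }   // inside a quoted attribute value
    else if (!inTag) { if (c === '<') inTag = true; }
    else if (c === '>') inTag = false;
    else if (c === '"' || c === "'") quote = c;
  }
  if (!inTag) return 'text';
  if (!quote) return 'unsafe';                      // tag name, attr name or unquoted value
  const m = /\s([\w-]+)=(["'])(?:(?!\2)[\s\S])*$/.exec(prefix);  // name of the open attribute
  if (!m) return 'unsafe';
  const name = m[1].toLowerCase();
  if (/^on/.test(name) || /^(href|src|action|formaction|style)$/.test(name)) return 'unsafe';
  return 'attr';
}
// Tag function: returns the template with every value escaped for the
// context it lands in, or throws for a position escaping cannot fix.
function safeHtml(strings, ...values) {
  let out = '';
  for (let i = 0; i < strings.length; i++) {
    out += strings[i];
    if (i >= values.length) break;
    const ctx = contextOf(out);
    if (ctx === 'text') out += escapeText(values[i]);
    else if (ctx === 'attr') out += escapeAttr(values[i]);
    else throw new Error(`placeholder ${i} sits where escaping cannot help: ${strings[i]}`);
  }
  return out;
}
// Constructed sample values modelled on the comments in the notes above.
const title = '" onerror=x';
const linktext = '<script>x</script>';
function renderLink() {
  return safeHtml`<a href=# title="${title}"> click me ${linktext} </a>`;
}
```

`renderLink()` yields the anchor with the quote in `title` and the tags in `linktext` turned into entities, while `safeHtml` throws for a placeholder inside an `on*` attribute or an unquoted attribute value.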