Hacker News: adamdoupe

New comment by adamdoupe in "Ask HN: What do I need to learn to be useful as a hacker to defend my country?"

adamdoupe — Fri, 25 Feb 2022 23:34:22 +0000

If you want to learn offensive security skills, particularly binary analysis, I highly recommend https://pwn.college

It's a hands-on class that takes you through interacting with programs, to reverse engineering and memory corruption, all the way to race conditions and kernel exploitation.

Created by @Zardus and run also as a class at ASU.

New comment by adamdoupe in "CERN day 1: rebuilding the first web browser"

adamdoupe — Tue, 12 Feb 2019 18:17:28 +0000

I posted this on the blog but thought I post here too.

Last year I set up a WorldWideWeb.app (version 0.15) running in the Previous emulator on Ubuntu for a CTF challenge for DEF CON 2018 Quals (they had to exploit a buffer overflow in HTTP.c). There's a lot of other cruft around to set up and automate the challenge and getting input to WWW, but there's Vagrant and ansible scripts to set up and run everything.

There's a lot of work to set up networking in NextStep and getting all the pieces right (I think I even set up an SSH server running on NextStep).

The source is all here: https://github.com/o-o-overflow/chall-www

I'd be happy to help, I love this idea of software archeology/preservation.

New comment by adamdoupe in "Go Language – Web Application Secure Coding Practices"

adamdoupe — Fri, 23 Jun 2017 21:49:29 +0000

Context here means the context of the output page.

Usually this means the HTML context. Different sanitization is needed depending on _where_ in the HTML document the input is used.

For instance, if the input is used in between HTML tags (let's say $foo is user input in this PHP example):

...

Here, the input that you need to transition to JavaScript execution is a < character (among other things): .

Therefore, to correctly sanitize this, you would call the PHP `htmlentities` function:

...

Now, this XSS vulnerability is fixed.

What if foo is used in a different context?

    ... ...

Here, what we need to transition the HTML parser to executing JavaScript is a ' character, and this can be exploited by the following input (in between the double quotes): "' onclick='alert(1)"

The key problem is that `htmlentities` is not valid sanitization in the context of an HTML attribute value. In this example, you need to use `urlencode`

    ... ...

The general idea also applies to CSS, JSON, and JavaScript. SQL is a different vulnerability class (SQL injection).

I highly recommend the following research paper from 2011 that discusses the context-sensitivity of JavaScript in depth: http://www.comp.nus.edu.sg/~prateeks/papers/scriptgard-ccs11...

In my mind, the context-sensitivity of XSS is one of the key reasons why it is so prevalent.

New comment by adamdoupe in "Why I care about Firefox OS fading away"

adamdoupe — Wed, 27 Jan 2016 14:25:25 +0000

In our study we didn't differentiate (from a security perspective, if you are vulnerable because you use a WebView when showing ads, then you are still vulnerable), so I don't have data for that.

It would be interesting data, although determining WebView for ads statically might be tricky.

New comment by adamdoupe in "Why I care about Firefox OS fading away"

adamdoupe — Wed, 27 Jan 2016 04:46:28 +0000

Sure! The short version is that I don't know.

We were looking for instances of insecure WebView usage, so from a security perspective small piece vs. entire app doesn't matter too much (and is difficult to measure, especially when looking at 1.1M apps).

However, some of the other numbers from our analysis can be useful to draw a picture of WebView usage.

We statically looked for uses of WebView, and 85% of the 1.1M apps used a WebView.

Of those 998,286 apps:

- 97% enable JavaScript (which is off by default)

- 36% use the JavaScript Bridge Interface (which is a fairly good indicator of heavy WebView usage)

- 94% implement a shouldOverrideUrlLoading method of the WebView (another good indicator that the developer is using the WebView for something non-trivial)

- 27% implement an onReceivedSslError method of the WebView (indication that the developer is using the WebView for something non-trivial). (Sadly, 29% of the apps that implement onReceivedSslError intentionally IGNORE all SSL errors.)

So I guess the takeaway is that 85% is an upper bound, the real number of WebView-only apps is absolutely lower, however it's clear that WebViews are significantly used in mobile apps.

New comment by adamdoupe in "Why I care about Firefox OS fading away"

adamdoupe — Wed, 27 Jan 2016 00:59:09 +0000

We've studied this and found that ~85% of the free apps on the Google Play store use a WebView (I like the term "mobile web app"): http://adamdoupe.com/publications/large-scale-study-of-mobil...

New comment by adamdoupe in "A Career in Science Will Cost You Your Firstborn"

adamdoupe — Fri, 09 Jan 2015 17:58:23 +0000

Most professor salaries are on 9-month appointments, for the academic year. The three summer months usually come from grants, teaching summer sessions, or consulting.

However, a professor can choose to spend the grant money on student support rather than summer salary (thus forgoing their own salary), which is what I assume the author is referring to.

New comment by adamdoupe in "CSRF in Doorkeeper OAuth2 gem"

adamdoupe — Wed, 17 Dec 2014 15:53:52 +0000

No. Check out the example in the article, an attacker can make your browser submit a form with a POST request using JavaScript.

It's slightly harder to exploit, as the attacker can't just send you a link to facebook.com, but they can send you a link to example.com which has the form and uses JavaScript to submit the form.

New comment by adamdoupe in "Path uploads your entire iPhone address book to its servers"

adamdoupe — Tue, 07 Feb 2012 21:45:12 +0000

As I remember, the analysis doesn't handle calls that can't be determined statically.

So the analysis would fail to determine the method and class of a obfuscated string.

New comment by adamdoupe in "Path uploads your entire iPhone address book to its servers"

adamdoupe — Tue, 07 Feb 2012 21:10:03 +0000

A postdoc in my lab published an academic paper that did exactly this: automated static analysis of iOS compiled binaries for privacy violations.

As far as I know Apple was not interested.

Here's the paper if you want to take a look: http://seclab.cs.ucsb.edu/media/uploads/papers/egele-ndss11....

New comment by adamdoupe in "MIT develops new tool that can interrupt infinite loops"

adamdoupe — Wed, 03 Aug 2011 01:46:45 +0000

Link to the full paper for those interested: http://people.csail.mit.edu/rinard/paper/ecoop11.pdf

New comment by adamdoupe in "LSD: The Geek's Wonder Drug"

adamdoupe — Fri, 29 Apr 2011 22:30:18 +0000

I've found that it's not the actual code review that's helpful, but preparing for a code review. It forces you to describe the code clearly, which often makes the code clearer in the process. Plus you try to anticipate the comments your co-workers will give.

New comment by adamdoupe in "Botnet uses Twitter for Drive-by-Download Attacks"

adamdoupe — Fri, 01 May 2009 00:12:36 +0000

Hey guys, this is some research that some guys in my lab have been doing.

Pretty cool stuff, they "took over" the Torpig botnet. Lots of interesting stuff, the paper on the link gives a good overview of some of the things they discovered.

Love to hear your thoughts!

Botnet uses Twitter for Drive-by-Download Attacks

adamdoupe — Fri, 01 May 2009 00:09:03 +0000

Article URL: http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html#updates

Comments URL: https://news.ycombinator.com/item?id=587801

Points: 1

# Comments: 1

New comment by adamdoupe in "Ask HN: How much do you exercise a day/week?"

adamdoupe — Mon, 20 Apr 2009 04:18:38 +0000

> if you're looking for motivation, i highly suggest finding some sport that you enjoy doing. go looking for it, i'm sure one exists.

This is exactly what I've done. Rock climbing at a local gym 3 times a week. I also run 3.5 miles 2 times a week but only for the added fitness.

I really enjoy rock climbing; it's an excellent combination of physical fitness and problem solving.

New comment by adamdoupe in "6 Months of free DropBox Pro"

adamdoupe — Tue, 07 Apr 2009 00:39:48 +0000

This is the way I use dropbox. I even created a script to install all of my packages and create the proper symlinks. Makes setting up a new computer (frequent occurrence with VM's) super simple.

Dropbox rocks!

New comment by adamdoupe in "Ask HN: Review my startup"

adamdoupe — Tue, 25 Nov 2008 20:12:10 +0000

The featured five on the homepage moves way too fast. It switched when I was still reading.

Beyond that, interesting site. Good luck!

New comment by adamdoupe in "Ask HN: Review my startup"

adamdoupe — Mon, 24 Nov 2008 23:49:04 +0000

On Firefox 1.5 on Linux (It's what they make us use at school), the "points or pay" text extends beyond the tab.

http://tinypic.com/view.php?pic=20k3o0z&s=4

But beyond that, I agree with the comments so far, excellent design and I wish you the best of luck.

Microsoft To Counter Open Source With 'Basic' Software Line

adamdoupe — Wed, 06 Aug 2008 20:24:57 +0000

Article URL: http://www.informationweek.com/news/software/enterpriseapps/showArticle.jhtml?articleID=209903394&subSection=News

Comments URL: https://news.ycombinator.com/item?id=268920

Points: 5

# Comments: 3

New comment by adamdoupe in "New Recommendation System = 40 Percent More Diggs"

adamdoupe — Thu, 31 Jul 2008 22:22:39 +0000

Can anybody who still uses Digg comment on if this makes Digg worthwhile again (or at least not a waste of time)?