
Web Application Security


This is w.r.t. http://onetimeurls.databasement.net/index.php

As always, the developers think their code is bulletproof, and yet it contains basic flaws. (No offence meant, I'm just being philosophical.)

Here is the POC on how to break it.

Paste the following into the textarea on the above page,

<script>
url_randomizer.go("http://wasjournal.blogspot.com/2007/03/one-time-urls-first-implementation.html");
</script>

And it will break the protection.

As you would have correctly guessed, the...

I was searching for the history of XSS and CSRF attacks. I was mostly interested in knowing when each of these was discovered. I found the following posts, which try to point out an approximate year of discovery for each of these two vulnerabilities.

http://seclists.org/webappsec/2005/q4/0125.html
http://www.webappsec.org/lists/websecurity/archive/2005-05/msg00003.html

According to the first link, ("If I remember correctly, the term "Cross-Site Scripting" (or CSS at the time) did originate around 1996-ish...


As I was reading through some of my earlier posts, I came across this post. At the time when I wrote that one, I did not know what blogging was all about. Later when I started using it more and more, adding tools like sitemeter and adsense, I realized that being able to add scripts to your posts is fairly normal.

But then was the post mentioned above totally useless? I don't think so. At the time when I wrote that, if I remember correctly, both the admin panel and your blog used to be on the ...


DIRB

I tried out this URL bruteforcer. The database it ships with looks impressive: the entries are categorised into different text files. The test-extension file looks unnecessary, though. It contains every three-letter combination (aaa, aab, ... aba ... zzz) appended to "test.".

Home page

Description as on sourceforge:
"DIRB - URL Bruteforcer: DIRB is a Web Content Scanner. It looks for hidden Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing th...


PAROS

Paros is a well-known tool for testing web-application-related issues. It includes a spider that walks your application. There is a set of tests you can run which cover commonly found vulnerabilities such as XSS and SQL injection.

If you want to attack an application manually, you have a trap option which lets you modify the request that is sent out.

I'm not sure if the spider is intelligent enough to understand JavaScript links. But you can use other spidering tools from your browser and the...



This is a free XSS scanner available on the web. With a few enhancements, it could make a quick scan of your applications possible. This type of scanner is useful for manual pen-testers when they have to try out loads of injection variations; doing that by hand on every field in the application is tedious. The tool generates a report in a nice format.

Following are the features listed on the tool's home page.

  • Finds the most common XSS vulnerabilities
  • Extracts forms and input elements...
