For Search Engines
http://www.secproject.com/
http://www.twitter.com/irsdl
http://soroush.secproject.com/
http://dalili.secproject.com/
http://irsdl.secproject.com/
http://soroush.me/
http://dalili.soroush.me/
http://sdl.me/
http://irsdl1.wordpress.com/
http://0me.me/
Web Security Links: (Source: http://www.owasp.org/index.php/Feed)
ACE Team – Microsoft
Adam Boulton’s Blog
Adam Shostack – Emergent Chaos
Alex ??? – kuza55
Analytical Engine
Andrew Jacquith – securitymetrics
Andrew van der Stock – cat slave diary
Andy Steingruebl – Security Retentive
Anil John
Anton Chuvakin Blog – "Security Warrior"
Anurag Agarwal – Application Security Evangelist
Application Security Center Community
Arshan Dabirsiaghi – Aspect Security
Billy (BK) Rios
Billy Hoffman – SPI – Curiouser and Curiouser
Bruce Schneier – Cryptogram
CERIAS Combined Feed
Chris Shiflett: PHP and Web Application Security
Chris Weber – Software and Web Application Security
Christian Matthies
Christopher Hoff – Rational Security
Cigital – Justice League
Coding Insecurity
CSO Blogs – Information Security
cyphersec.com
Dafydd Stuttard – PortSwigger – Burp
Dana Epp – SilverStr – Microsoft
Dana Epp’s ramblings at the Sanctuary
Dark Reading: Application Security
Dark Reading: Snake Bytes
David LeBlanc’s Web Log
David Litchfield’s blog
David Ross – Microsoft – Random Dross
Denim Group, Ltd.
Dennis Hurst’s Blog
Dr.Dobb’s Security Articles
Ed Felton – Freedom to Tinker
Eduardo Vela – sirdarckcat
Enterprise Architecture: From Incite comes Insight…
Errata Security
extern blog SensePost;
Fortify
funkatron.com
Gareth Heyes – The Spanner
GCN.com IT Security News
GDS Security Blog
GEEKONOMICS
Google Online Security Blog
Gunnar Peterson – 1 Raindrop
Gunter Ollmann, Mark Dowd – ISS Frequency X Blog
hackademix.net
hackers @ microsoft
Help Net Security – News
InformIT :: SecurityArticles > Security
(IN)SECURE Magazine Notifications RSS
ISM – Curphey – Latest News
Ivan Ristic
Ivan Ristic – ModSecurity
J.D. Meier’s Blog
Jeremiah Grossman – WhiteHat
Joe Basirico – Security Renegades’s blog
JW on Test
KeepItLocked.net
Kim Cameron’s Identity Weblog
Klocwork – g2zero
Larry Osterman’s WebLog
Lookout.net
Manicode
Marco Morana
Mark Curphey – SecurityBuddha.com
Mary Ann Davidson Blog
Matasano Chargen
Matt Blaze’s Exhaustive Search
Michael Coates
Michael Coates
Michael Howard
Michael Smith – rybolov – The Guerilla CISO
Michael Sutton – SPI Dynamics
Michael's Blog
Mike Andrews
Mike Rothman – Security Incite Rants
MSI :: State of Security
Musings on Information Security
Nate McFeters – Zero Day
Network Computing Magazine | Security Channel: Features, Reviews, Commentary and more
Nitesh Dhanjani
onelittlewindow
Orizon Post
Petko Petkov (pdparchitect) – GnuCitizen
PLANET WEBSECURITY
Richard Bejtlich – TaoSecurity
Richard Lewis – Application Security
RiskAnalysis
Robert Auger – CGISecurity.com
Robert Hansen – rsnake – ha.ckers.org
RockyH – From Source to Secure
RockyH – Security First!
Rohyt Belani – PhishMe
Ronald van den Heetkamp – 0×000000 Security
Ruby on Rails Security Project
Rudolph Arojo – Foundstone – codesecurely.org
Ryan Barnett – ModSecurity – Web Security Blog
sc-l mailing list
Security Is Simple: Only Use Perfect Software
Security Wire Daily News
SecurityFocus News
SecurityGuidanceShare – Recent changes [en]
securosis.com
SecViz – Security Visualization
Shreeraj’s security blog
Smart Security by Dharmesh M Mehta
Stefan Esser – PHP Security Blog
Stefan Esser – Suspekt…
Stefano di Paolo – Minded Security – Security Thoughts
Sunnet Beskerming Security Advisories
Sven Vetsch – Disenchant’s Blog
Sylvan von Stuppe
Technicalinfo.net Security
The Art of Software Security Assessment
The Connected Information Security Group
The Register – Security
The Register – Security: Enterprise Security
The Security Development Lifecycle – Microsoft
The Web Security Mailing List (WASC)
tssci security
Veracode – Zero in a bit
Web Hacking Techniques 2012
...
Web Hacking Techniques 2011
1. Bypassing Flash’s local-with-filesystem Sandbox
2. Abusing HTTP Status Codes to Expose Private Information
3. SpyTunes: Find out what iTunes music someone else has
4. CSRF: Flash + 307 redirect = Game Over
5. Close encounters of the third kind (client-side JavaScript vulnerabilities)
6. Tracking users that block cookies with a HTTP redirect
7. The Failure of Noise-Based Non-Continuous Audio Captchas
8. Kindle Touch (5.0) Jailbreak/Root and SSH
9. NULLs in entities in Firefox
10. Timing Attacks on CSS Shaders
11. CSRF with JSON – leveraging XHR and CORS
12. Double eval() for DOM based XSS
13. Hidden XSS Attacking the Desktop & Mobile Platforms
14. Rapid history extraction through non-destructive cache timing (v8)
15. Lotus Notes Formula Injection
16. Stripping Referrer for fun and profit
17. How to upload arbitrary file contents cross-domain (2)
18. Exploiting the unexploitable XSS with clickjacking
19. How to get SQL query contents from SQL injection flaw
20. XSS-Track as a HTML5 WebSockets traffic sniffer
21. Cross domain content extraction with fake captcha
23. JSON-based XSS exploitation
24. DNS poisoning via Port Exhaustion
25. Java Applet Same-Origin Policy Bypass via HTTP Redirect
26. HOW TO: Spy on the Webcams of Your Website Visitors
27. Launch any file path from web page
28. Crowd-sourcing mischief on Google Maps leads customers astray
29. BEAST
30. Bypassing Chrome’s Anti-XSS filter
32. Cookiejacking
33. Stealth Cookie Stealing (new XSS technique)
35. Using Cross-domain images in WebGL and Chrome 13
36. Filejacking: How to make a file server from your browser (with HTML5 of course)
37. Exploitation of “Self-Only” Cross-Site Scripting in Google Code
38. Expression Language Injection
39. (DOMinator) Finding DOMXSS with dynamic taint propagation
40. Facebook: Memorializing a User
41. How To Own Every User On A Social Networking Site
42. Text-based CAPTCHA Strengths and Weaknesses
43. Session Puzzling (aka Session Variable Overloading) Video 1, 2, 3, 4
44. Temporal Session Race Conditions Video 2
45. Google Chrome/ChromeOS sandbox side step via owning extensions
46. Excel formula injection in Google Docs
47. Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)
48. CAPTCHA Hax With TesserCap
49. Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java
50. Abusing Flash-Proxies for client-side cross-domain HTTP requests [slides]
Web Hacking Techniques 2010
Web Hacking Techniques 2009
Web Hacking Techniques 2008
Web Hacking Techniques 2007
Cross-Site Printing (Printer Spamming)
Stealing Pictures with Picasa
HScan Redux
ISO-8895-1 Vulnerable in Firefox to Null Injection
MITM attack to overwrite addons in Firefox
Microsoft ASP.NET Request Validation Bypass Vulnerability (POC)
Non-Alpha-Non-Digit 3
Steal History without JavaScript
Pure Java™, Pure Evil™ Popups
Google Adsense CSRF hole
There’s an OAK TREE in my blog!?!?!
BK for Mayor of Oak Tree View
Google Docs puts Google Users at Risk
All Your Google Docs are Belong To US…
Java Applets and DNS Rebinding
Scanning internal Lan with PHP remote file opening.
Firefox File Handling Woes
Firefoxurl URI Handler Flaw
Bugs in the Browser: Firefox’s DATA URL Scheme Vulnerability
Multiviews Apache, Accept Requests and free listing
Optimizing the number of requests in blind SQL injection
Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)
Port Scan without JavaScript
Favorites Gone Wild
Cross-Browser Proxy Unmasking
Spoofing Firefox protected objects
Injecting the script tag into XML
Login Detection without JavaScript
Anti-DNS Pinning ( DNS Rebinding ) : Online Demonstration
Username Enumeration Timing Attacks (Sensepost)
Google GMail E-mail Hijack Technique
Recursive Request DoS
Exaggerating Timing Attack Results Via GET Flooding
Initiating Probes Against Servers Via Other Servers
Effects of DNS Rebinding On IE’s Trust Zones
Paper on Hacking Intranets Using Websites (Not Web Browsers)
More Port Scanning - This Time in Flash
HTTP Response Splitting and Data: URI scheme in Firefox
Res:// Protocol Local File Enumeration
Res Timing Attack
IE6.0 Protocol Guessing
IE 7 and Firefox Browsers Digest Authentication Request Splitting
Hacking Intranets Via Brute Force
Hiding JS in Valid Images
Internet Archiver Port Scanner
Noisy Decloaking Methods
Code Execution Through Filenames in Uploads
Cross Domain Basic Auth Phishing Tactics
Additional Image Bypass on Windows
Detecting users via Authenticated Redirects
Passing Malicious PHP Through getimagesize()
Turn Any Page Into A Greasemonkey Popup
Enumerate Windows Users In JS
Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH
Iframe HTTP Ping
Read Firefox Settings (PoC)
Stealing Mouse Clicks for Banner Fraud
(Non-Persistent) Untraceable XSS Attacks
Inter Protocol Exploitation
Detecting Default Browser in IE
Bypass port blocking in Firefox, Opera and Konqueror.
LocalRodeo Detection
Image Names Gone Bad
IE Sends Local Addresses in Referer Header
PDF XSS Can Compromise Your Machine
Universal XSS in Adobe’s Acrobat Reader Plugin
Firefox Popup Blocker Allows Reading Arbitrary Local Files
IE7.0 Detector
overwriting cookies on other people’s domains in Firefox.
Embeding SVG That Contains XSS Using Base64 Encoding in Firefox
Firefox Header Redirection JavaScript Execution
More URI Stuff… (IE’s Resouce URI)
Hacking without 0days: Drive-by Java
Google Urchin password theft madness
Username Enumeration Vulnerabilities
Client-side SQL Injection Attacks
Content-Disposition Hacking
Flash Cookie Object Tracking
Java JAR Attacks and Features
Severe XSS in Google and Others due to the JAR protocol issues
Web Mayhem: Firefox’s JAR: Protocol issues (bugzilla)
0DAY: QuickTime pwns Firefox
Exploiting Second Life
Web Hacking Techniques 2006
The Attack of the TINY URLs
Backdooring MP3 Files
Backdooring QuickTime Movies
CSS history hacking with evil marketing
I know where you've been
Stealing Search Engine Queries with JavaScript
Hacking RSS Feeds
MX Injection : Capturing and Exploiting Hidden Mail Servers
Blind web server fingerprinting
JavaScript Port Scanning
CSRF with MS Word
Backdooring PDF Files
Exponential XSS Attacks
Malformed URL in Image Tag Fingerprints Internet Explorer
JavaScript Portscanning and bypassing HTTP Auth
Bruteforcing HTTP Auth in Firefox with JavaScript
Bypassing Mozilla Port Blocking
How to defeat digg.com
A story that diggs itself
Expect Header Injection Via Flash
Forging HTTP request headers with Flash
Cross Domain Leakage With Image Size
Enumerating Through User Accounts
Widespread XSS for Google Search Appliance
Detecting States of Authentication With Protected Images
XSS Fragmentation Attacks
Poking new holes with Flash Crossdomain Policy Files
Google Indexes XSS
XML Intranet Port Scanning
IMAP Vulnerable to XSS
Detecting Privoxy Users and Circumventing It
Using CSS to De-Anonymize
Response Splitting Filter Evasion
CSS History Stealing Acts As Cookie
Detecting FireFox Extentions
Stealing User Information Via Automatic Form Filling
Circumventing DNS Pinning for XSS
Netflix.com XSRF vuln
Browser Port Scanning without JavaScript
Widespread XSS for Google Search Appliance
Bypassing Filters With Encoding
Variable Width Encoding
Network Scanning with HTTP without JavaScript
AT&T Hack Highlights Web Site Vulnerabilities
How to get linked from Slashdot
F5 and Acunetix XSS disclosure
Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
Google plugs phishing hole
Nikon magazine hit with security breach
Governator Hack
Metaverse breached: Second Life customer database hacked
HostGator: cPanel Security Hole Exploited in Mass Hack
I know what you've got (Firefox Extensions)
ABC News (AU) XSS linking the reporter to Al Qaeda
Account Hijackings Force LiveJournal Changes
Xanga Hit By Script Worm
Advanced Web Attack Techniques using GMail
PayPal Security Flaw allows Identity Theft
Internet Explorer 7 "mhtml:" Redirection Information Disclosure
Bypassing of web filters by using ASCII
Selecting Encoding Methods For XSS Filter Evasion
Adultspace XSS Worm
Anonymizing RFI Attacks Through Google
Google Hacks On Your Behalf
Google Dorks Strike Again
From http://jeremiahgrossman.blogspot.com/