Mad Irish . net http://www.madirish.net en iThoughts Multiple Vulnerabilities http://www.madirish.net/559 iThoughts iOS application for iPhone and iPad contains numerious vulnerabilities. Writing Buffer Overflows http://www.madirish.net/142 It has been a long time since a relevant buffer overflow tutorial was written. While the classics still serve as wonderful guides I thought it might be time to put together an up to date tutorial that incorporated many of the techniques of other tutorials along with a few things I've learned on my own. Dear Security Team: You Suck! http://www.madirish.net/558 Computer security isn't voodoo, it's part of computer science. The cornerstone of the scientific process is a repeatable experiment with verifiable results. Security should adopt this approach. First, measure the environment and establish goals. Next test for cases where you can address issues to meet goals. Develop a process for systematically addressing a priority and a separate way to measure progress. Establish a periodic review so that you can evaluate your success (or lack thereof). If you can do this then you're well on your way to establishing a mature, respected security organization that can demonstrably add value to any organization. Drupal 6/7 Password Policy Module XSS Vulnerability http://www.madirish.net/557 The Password Policy module suffers from a persistent (stored) cross site scripting (XSS or arbitrary script injection) vulnerability because it fails to sanitize expiration warning messages before display. Using HTML 5 to Defeat XSS http://www.madirish.net/556 Although it is often derided in the security community as unsafe and as the harbinger of new security vulnerabilities in web applications, HTML 5 includes a number of notable security enhancements. Using native HTML 5 features we can actually eliminate most cross site scripting (XSS) attacks at the client side. Doing this merely requires clean application architecture to segregate dynamic display code, properly defined trusted origin domains, and use of the HTML content security policy. These features even include reporting capabilities that can be used to detect XSS attacks in the client browsers and report them back to the server. Drupal Core XSS Vulnerabilities http://www.madirish.net/555 Drupal (https://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. Drupal core suffers from multiple persistent (stored) cross site scripting (XSS, or arbitrary script injection) because the core System module fails to sanitize module names and descriptions provided in module metadata files (identified by their .info extension) before display in some locations.