Hey everybody! Slow news week this week, so we sent Jeremiah to Germany... in the winter. Poor Hawaiian!
Anyway, we started this week off talking about a really cool bug in Internet Explorer. This vuln is a Universal Cross Site Scripting (XSS) bug that also bypasses Same Origin Policy and works in even the latest IE version, 11. That is a mouthful and it's all bad. What this means is that by abusing iframes, an attacker could execute XSS in any site they want via your browser. Websites could be doing everything completely right, but if they aren't using the X-Frame-Options header properly, then an attacker can effectively do anything they want on those sites. Bad day to be an IE user or an IE developer for sure.
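As an added example (not code from the HackerKast post), here is a small checker for the mitigation just mentioned: it classifies a response's framing protection from its X-Frame-Options header, and goes beyond the post by also honouring the CSP frame-ancestors directive, which browsers prefer when present. The hostnames and headers are constructed for illustration.

```python
# Added example: audit anti-framing headers, since a missing or malformed
# X-Frame-Options header is what leaves a site exposed to iframe-based UXSS.

def framing_policy(headers):
    """Return (status, reason) for one response's framing protection.

    headers: dict of response header names to values (names case-insensitive).
    status is one of "protected", "weak", "unprotected".
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    xfo = lower.get("x-frame-options")
    csp = lower.get("content-security-policy", "")

    # CSP frame-ancestors takes precedence over X-Frame-Options where supported
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if sources and all(s in ("'none'", "'self'") for s in sources):
                return "protected", "CSP frame-ancestors restricts framing"
            if "*" in sources:
                return "unprotected", "CSP frame-ancestors allows any origin"
            return "weak", "CSP frame-ancestors lists third-party origins; review them"

    if xfo is None:
        return "unprotected", "no X-Frame-Options header"
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        # ALLOW-FROM is not honoured by every browser, so coverage is partial
        return "weak", "ALLOW-FROM is inconsistently supported"
    # A typo or unknown value is silently ignored by browsers: no protection
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r}"

SAMPLE_RESPONSES = {  # constructed sample responses, not real sites
    "bank.example": {"X-Frame-Options": "DENY"},
    "shop.example": {"x-frame-options": "sameorigin"},
    "blog.example": {"Content-Type": "text/html"},
    "legacy.example": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "typo.example": {"X-Frame-Options": "SAME-ORIGIN"},
    "csp.example": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

def audit(responses):
    """Map each host to its (status, reason) verdict."""
    return {host: framing_policy(h) for host, h in responses.items()}

if __name__ == "__main__":
    for host, (status, reason) in audit(SAMPLE_RESPONSES).items():
        print(f"{host:16} {status:12} {reason}")
```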
Next I passed it over to Robert to talk about a few of his favorite things: Denial of Service, browser security, DNS, and even China! If Robert were playing a game of Bingo with the things he likes to talk about, this next story would definitely be on the game board. This week a company noticed a massive spike in traffic coming from China, all going to weird URLs. With the information we have, it looks like somebody was poisoning DNS so that requests originally destined for other websites were all pointed at a single website. Interesting DDoS vector! The solution applied was to block the IP addresses, which, as Robert shares, is a really bad idea. He also discusses the fact that we probably have a bunch of research to do around browser-based DoS in the future.
Ended today's session with some shameless self-promotion of the Top 10 Web Hacking Techniques of 2014 survey that I'm running. Please go vote for your favorite technique of the year, as this is the completely community-driven part of the process!
Thanks for listening everybody! Check us out on iTunes if you want an audio-only version for your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
Notable stories this week that didn’t make the cut: