For me, information security is not just a profession – it is a way of thinking, a mindset, which can be used to improve the lives of billions of users.
I am a security enthusiast. I performed over 400 security audits and penetration tests (application and network), managed a team of a dozen security consultants and reported critical security vulnerabilities in products of large software vendors, such as: Google, IBM, Oracle, Adobe, Microsoft, Facebook, SAP, BEA, and more.
The purpose of this blog is to share my personal opinions and discoveries.
- A new web vulnerability that is applicable for Google, Microsoft, Facebook, Yahoo, Mozila and more (2013 – to be published).
- IIS Shortname Scanning Tool (2013 – to be published).
- 3 Paypal XSS – (2013 – to be published).
- Google XSS enabled by CSRF and Flow-Bypass (2013 – to be published).
- Google Accounts/Email Information Disclosure vulnerability (2013 – to be published).
- SAP critical vulnerability (2013 – to be published) – http://scn.sap.com/docs/DOC-8218
- Google Plus “wormable” Click-Jacking vulnerability (2013 – to be published).
- Oracle BEA Plumtree DOM cross-site scripting, CVE-2013-1529 (2013) – http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841214.xml
- Oracle SSO (OBLIX) open redirect vulnerability, CVE-2013-1497 (2013) – http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
- Critical persistent cross-site scripting in “Google Sites” (2012): http://www.google.com/about/appsecurity/hall-of-fame/reward/.
- Adobe ColdFusion remote administrator interface access (2012 – to be published).
- Hackvertor.co.uk XSS challenge top 7 (2012) – http://challenge.hackvertor.co.uk/?challenge=4 .
- Ajax Hammer (2012) – http://hasc-research.googlecode.com/files/AJAX%20Hammer%20-%20Harnessing%20AJAX%20for%20(Direct)%20Dynamic%20CSRF.pdf
- Adobe ColdFusion two cross-site scripting vulnerabilities (2011) – http://www.adobe.com/il_en/support/security/bulletins/apsb11-29.html .
- Session Puzzling attack (2011) – http://sectooladdict.blogspot.co.il/2011_09_01_archive.html .
- PHP-IDS Multiple bypasses (2011) – http://sla.ckers.org/forum/read.php?12,30425,36198,page=30.
- Multiple IBM products login page cross-site scripting vulnerabilities (2010) – http://www.securityfocus.com/bid/38412/info .
- Facebook login page cross-site scripting (2009 – reported, but not published).
- Oracle E-Business Suite multiple remote vulnerabilities (2009) – http://www.securityfocus.com/bid/37305/info .