Category: security
-
Static JavaScript analysis with Burp
The recent DOM-based Cross-Site Scripting vulnerability in WordPress has made me wonder how this could have happened in days when automated static code scanners are integrated even into standard tools such as Burp Suite (the leading toolkit for web application security testing). In this blog post I go into a little detail about the vulnerability and what can be…
-
Content-Security-Policy and ownCloud
New developers to ownCloud sometimes wonder why JavaScript code embedded in HTML templates is not executed in most browsers. The answer lies in the Content-Security-Policy (CSP), a very powerful and interesting web security feature. ownCloud has used CSP since version 5.0.0, which was released in March 2013 and was thus one of the…
-
A tale about trusted_domains
ownCloud is all about protecting your data, and as part of our development cycle we’re proactively auditing and assessing the security of ownCloud. In fact, most security bugs that we fix are discovered by our very own security team and not by third-party researchers (although, keep those fixes coming, third-party researchers!). Many of the bugs with…
-
Diving into EGroupware: Object Injection
Last weekend my colleague Andreas Fischer and I decided to take a look at EGroupware, a PHP-based groupware used by quite a few renowned organizations, especially in the German-speaking part of Europe (for example universities). Our short 4-hour audit led to the discovery and patching of a few vulnerabilities. In this post I’m going to feature one of…