Clickjacking in Firefox Hello

Clickjacking is the art of tricking users into clicking on links or buttons that no sane person would ever click on. But how much damage can you do by stealing a few clicks? It is 2015, and we might think that this kind of vulnerability would have been solved by now. But that’s not the case.

Firefox Hello

Recently Mozilla launched Firefox Hello, their free service for video and voice conversations online. After a few tests, I noticed that the hello.firefox.com website does not prevent framing.


Understanding PHP Object Injection

PHP Object Injection is not a very common vulnerability; it may be difficult to exploit, but it can also be really dangerous. To understand this vulnerability, a basic understanding of PHP code is required.

Vulnerable applications

If you think this is not an important type of vulnerability, please see the list below. Researchers found PHP Object Injection vulnerabilities in very common PHP applications:

And many others. There may be a lot of other undiscovered PHP Object Injections in these or in other very common PHP applications, so maybe you can take a coffee break and try to understand it.
