This site is the personal web security playground of Gareth Heyes, where I will show the latest tips or applications in the security field.
A technical CAPTCHA.
A DOM Javascript helper.
Javascript supports much more than you think for variable names.
A simple script that uses Javascript to lookup the properties of HTML tags to be used with XSS.
JSCK enables the average user to provide protection against CSRF.
In this demo I show how to use a combination of iframes and CSS to fool a user into logging in to an OpenID-enabled web site.
Hackvertor is a conversion tool to help with pen testing XSS filters.
This is the first demo of my CSS scripting kit. It allows scripting within pure CSS.
To prove CSS and iframes create major security holes, I've written a CSS version of my LAN scanner.
CSS security needs revision; I've highlighted two insecure methods which can cause security problems.
These demos protect against CSRF using form tokens and various other techniques.
Safari's same origin policy is broken; the demo shows you can access the HTML structure of any site from any domain.
This script generates random code blocks on the client and server side and enables both to share the same data.
A new version of my javascript fuzzer with a lot more options.
A cool script that does a local scan of your network over the Internet.
Javascript comment spam protection.
A simple script to display the : functionality of Javascript.
A simple fuzzing script for the onload event.
Safari location vulnerability. It has been fixed by Apple.
Another Safari location vulnerability. Unfixed.
I wrote an authorisation method to stop phishing; it would need browser support.
My attempt at an accessible CAPTCHA. It was broken, so it's not considered useful. Interesting experiment though.
A new CAPTCHA attempt.
Revised version.
An authorisation method using keyboard presses.
Creates a unique key using your browser's user agent.
Creates a unique key from the first part of your IP address and the remote port connection to the server.
Allows access to external domains from the script. I named it "this is not a major flaw" because when I reported it to Apple they said it wasn't serious. I'll let you be the judge of that.