August 10 2020...
A few more years later. Back in 2008 I founded
Enable Security, where we offer
penetration testing, especially focused on real-time communications systems.
Eye on Security has of course not been updated since years but please visit
Enable Security if you are
interested in our latest and greatest :-) In the meantime, I've been keeping
this site up for historic reasons.
October 09 2007...
A few years later. I've been busy with several private projects
and some public ones. Like [Maltainfosec],
July 25 2003...
Fixed a mistake in the advisory regarding CGI.pm - the issue
was fixed by the CGI.pm author in version 2.94. The original advisory
posted to bugtraq stated that the author never fixed the XSS - this
was incorrect. It was fixed on CPAN - but I was checking L.Stein's
personal website rather than CPAN [link].
July 19 2003...
It had seemed like EoS was sleeping ... sleep no more for here
comes a new advisory
which involves CGI.pm (Perl module). Some articles need updating
also - thats coming soon.
December 13 2002...
document to point to Macromedia's article about AllowScriptAccess
parameter - thanks to Bertrand Saint-Guillain.
December 03 2002...
Published a list of software and online services vulnerable
to Flash XSS attacks [here]. Most software/services
were already published in the original paper - Thanks to Matt Murphy
for the addition of Invision Board. Check
out his [post] for more details.
November 30 2002...
Made public the MDaemon password decoder script. Check it out
October 30 2002...
MS still busy with loads of bugs - but I just wanted to remind
them that their XSS problems with MSN groups are still there and
they've been these since .. the beginning I guess.. but EoS published
them on June.
Follow these links to learn your own MSN/Hotmail/Passport/whatever
evil Flash file
evil HTML file.
October 29 2002...
Silicon.com: They might have covered Cross site scripting attacks
on other sites - wonder if they will cover their's. ;-)
October 04 2002...
EyeonSecurity has now moved to .org instead of .net. Some stuff
on .net still works but the rest is on EyeonSecurity.org. We also
have a new affiliate .. security.nnov.ru - which is
a very informative security resource from RU.
September 18 2002
Small change in design - the asian chix are getting boring -
plus I'm getting complaints from porn site masters that I'm stealing
their visitors - so there goes - we got drew instead.
September 14 2002
New tools - DNS-Tools.Some
online tools to ease basic information gathering about hosts - such
as finding out your ISP's mail (SMTP) servers, resolving from name
to IP address etc.. [link!]
September 04 2002
I put up a script to decode the MSN Messenger password. Check
it out on perl.ob5cure.com.
August 26 2002
Filters – the Flash! Attack to reflect suggestions by
August 22 2002
New affiliate [zone-h]!!
August 09 2002
Been workin with WAP/t39 etc - check out http://ob5cure.com/. Will also
put up some scripts on http://perl.ob5cure.com/. Get inspired and educated [here].
August 08 2002
Design update - new asian chic on the left and new colors. Comments
welcome .. using the comments box.
July 28 2002
A new advisory called "MSN Groups makes cross site scripting
easy" is out!! GET IT NOW. Actually
this is something I've already published but no one cared about
- maybe this generates some reaction.
July 23 2002
is NOT dead - just had a long summer nap :). In the meantime
we moved servers etc.
* Updated the format of all papers.
Especially Check out the "Microsoft
Passport Account Hijack Attack".
* We now 0wn EyeonSecurity.org
* There's also ob5cure.com
- which will be something a bit different from EoS probably :)
* An advisory about MSN - usual cookie stealing / XSS attacks :)
* ob5cure.com and
* give more life to the EoS
* any more ideas? [contact
me] | use the comments
box | forums
June 26 2002
Been quite busy moving servers + updating the format of the
papers section. Everything should
be back to normal ASAP. When it is I plan to issue a new advisory
and start on some new research. [this
is more forums promotion].
June 18 2002
Macromedia has released a technical document about the Flash
XSS method. You can check it out [here]. Some more information [here]
June 17 2002
Updated the format of "When your server ends up a Warez site".
I'll be converting all papers to this format and changing any papers
which are not up to date.
June 14 2002
Looks like the latest paper was a success
:) I am currently working on updating the rest of the papers and
am thinking of publishing some pending advisories. More about this
at the forums.
June 05 2002
Attack. Covering ways to launch Cross site scripting attacks
by making use of Flash content. You might wanna discuss this in
June 01 2002
I've been working on a new paper since last weekend + contacting
the people involved. Should be out real soon. Meanwhile check out
[wiretapped] and [da forums]~!
May 30 2002
Coming near you.. EyeonSecurity Forums!!
Actually this is something I wanted to do a long time ago - have
an open discussion forum. Please visit and post [here].
May 24 2002
After reading [this] article I decided I wanted a free account for myself
.. so check out this Anonymizer link .. should be patched real soon.
A good paper about CGI script exploitation by our affiliate b0iler : [here]
May 11 2002
Posted a PDF (pee-di-eff) version of the Extended form attack
paper [here]! We also have
2 new affiliates - Advanced Knowledge and WBG links. Enjoy~!
May 07 2002
A new advisory about WorldClient and MDaemon is out!
Recommended checkin out. We also have new affiliates - the guys
from Frame4 Security Systems. Also put up a new
example for the Extended
form attack (which is still unpatched !) for Internet Explorer
(and Opera - which was patched immediately).
May 03 2002
an article - where they feature "Microsoft Passport
Account Hijack Attack" alongs with *original* quotes from Obscure
:-) .. check it out [here]. New
advisory on the way ... maybe next week. Oh yea .. and we have a
new user on EoS: b0iler. Welcome - check out http://b0iler.eyeonsecurity.org/.
April 24 2002
Published a text on How to hack hotmail
That's right - this my revenge to all those kiddies who bombard
me with questions about hacking their ex-girlfriend's hotmail account.
April 20 2002
Microsoft has not yet patched the exploit in Internet Explorer
It's now 2 months since this vulnerability was made public .. on
the other hand Opera fixed it within a week or so. A non-EoS demonstration
is available [here]. Seems like my demo doesn't work any more since EBay changed their mail
You guys might also enjoy browsing www4.cnn.com
(CNNSI)-> specifically these links :
Well i guess nothing's wrong with directory listing - happy hunting
April 11 2002
Just for your enjoyment I will be filtering out any hotmail
password requests. It getting quite sick - i get stuff like this
comment: forgot the dpassword
Anyways I've added a new tool which converts from base64 to plain
text .. and vice versa - handy for decoding a lot of weak password
scemes (eg. HTTP basic authentication). Check it out [here].
My sister site news: we've been adding some irc log files on Nekromantic.com.
March 30 2002
Added the ability to translate pags to different languages.
Check out the "translate to" thing on the lower right hand side. Should you have
a problem locating this brand new feature.. just let me know.
March 12 2002
Seems like the IMail advisory was published by Zillion of safemode.org.
Oh well. Also people using HTTPS to access their IMail account,
do not seem vulnerable to this attack as the referer field is stripped.
THis was tested with Mozilla 0.9.8 as well as Internet Explorer
6. New affiliate: security-protocols.com
March 10 2002
Finally I put up the IMail and Excite WebMail exploit tool and
published the related advisory.
This is a link to an interesting article by Shad Mortazavi on Newsviews
regarding remote commuting versus security issues + VPN etc. :D
March 08 2002
Total change in design. I opted for a more
alternative one than the former design which was getting a bit too
boring. besides .. asian lovers will like the image on the left
Also added a comments box for comments on all pages
... and added an "Eye on Security in the news" page in the
Coming up - some simple exploits *wink wink*. Umm
and check out this [page]
.... kewl stuff guaranteed *cough*. If you notice anything wrong
broken links/scripts etc .. please let me know (use the comments
box on the left .. unless that is what is broken).