Hello World!

Hello, my name is Pedro Laguna and I'm security consultant at Pentura Ltd. I'm going to write the first post in this new blog about our security consultancy work in Pentura. This is going to be a place to write down all these small tricks that we use to break the security in some scenarios, post about our tools and scripts or a place to contribute with a better understood about all the security terms.

The most common way to start a blog (more specifically a computer related blog) is posting a "Hello World" post. This is some kind of joke about the first program that anyone learn to do in any coding language. You can check a list with more than 200 examples of Hello World programs in the Wikibooks page.

In our case, as we are a security-related blog, we have to do it in a security way. More specific using Javascript to generate an alert to show the message "Hello World!".

Click here to generate "Hello World!" the alert

Now is time for a bit of technical explanation... If someone can insert Javascript in our pages like we already do, is a vulnerability because he or she can get our cookie session, per example. So, is blogspot in risk? No, and we are going to explain why.

For access to the cookie information using Javascript we need to call to the document.cookie object. This object only has privileges to access to the current domain cookies (it's a browser security measure). Blogger platform only stores cookies in the blogger.com domain and we can only access to blogspot.com domain cookies. You can check it clicking in the following link:

Click here to show blogspot.com cookies

As you can see no session cookie was showed, so... we are safe!!! But only for now, cookie sessions, XSS vulnerabilities and all these web security stuff has a lot to explain and we will be showing you here :)