Monday, August 13, 2007

SensePost Releases Squeeza SQL Injector, Updates Wikto

As referenced in my BlackHat wrap-up, SensePost has just released the squeeza tool and the accompanying slide deck from their presentation. Their work on timing-based attacks is really interesting, particularly what they have dubbed "Cross-Site Request Timing": it's apparently possible to violate the same-origin policy by tracking page load times across multiple domains. They've also released an update to Wikto, bumping it to 2.0; judging from the change log, it's a pretty substantial rewrite.