Archive for March, 2011

Reader's Choice Award 2011 Winner

From (a New York Times Company website):

Privacy and security while browsing the Web is important to all of us, as evidenced by the fervent voting in this category. The five finalists featured an impressive selection of tools intended to make everyday life on the Web safer.

After more than three weeks of non-stop action, the readers have made their decision. The reigning champion in the 2011 Best Privacy/Security Add-On category, for the second year in a row, is NoScript!

Final Voting Results

  • NoScript* - 56%
  • WOT (Web of Trust) - 33%
  • BetterPrivacy - 4%
  • LastPass - 3%
  • FlashBlock - 2%

*denotes winner

2010 Winner: NoScript

Many thanks for the love you've shown your friendly neighborhood web-cop. :)

Nir Goldshlager asked me to share with my audience a nice privilege escalation through parameter pollution he found, which allowed the attacker to become administrator of any Blogger blog. He dutifully reported it to Google, and it earned him the famous $1337 bug bounty.

I'm quite impressed by the first step of the attack, where the application gets fooled by a duplicated "blogID" parameter: the first occurrence gets validated (it actually refers to a blog owned by the attacker), but the second one is the value actually used to perform the "add authors" action. Looking at the URL, it would seem they use Struts or some other Java-based framework. Since I'm quite rusty with them (these days I mainly use PHP and Ruby on the server side), would anyone attempt to reverse-engineer it and explain what kind of code could be confused this way? Did they maybe parse their parameters twice, with two different parsers?!
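To make the "two parsers" hypothesis concrete, here is an added example (not code from the original post, from Nir's report, or from Blogger itself) showing how an authorization check and a privileged action can end up acting on different blogs when they read a repeated parameter through two accessors with different "which duplicate wins" rules. Python's urllib.parse stands in for the framework's parsers, and the blog IDs, owners and parameter names are constructed for the demo; the hardened version parses once, rejects a repeated sensitive parameter outright, and reuses the value it validated.

```python
# Added example: HTTP Parameter Pollution via two parsers that disagree on
# which occurrence of a repeated query parameter is authoritative.
from urllib.parse import parse_qs, parse_qsl

# Constructed ownership table: blog id -> owner (placeholder ids, not real ones).
OWNERS = {"1001": "attacker", "2002": "victim"}


def fresh_authors():
    """Constructed starting state: blog id -> set of authors."""
    return {"1001": {"attacker"}, "2002": {"victim"}}


def first_value(query, name):
    """Parser A: parse_qs keeps every occurrence in order; take the first."""
    return parse_qs(query).get(name, [None])[0]


def last_value(query, name):
    """Parser B: dict(parse_qsl) lets a later duplicate overwrite an earlier one."""
    return dict(parse_qsl(query)).get(name)


def add_author_vulnerable(query, user, authors):
    """Defective pattern: authorize with parser A, then act with parser B.

    With 'blogID=1001&blogID=2002' the ownership check sees 1001 (owned by
    `user`) while the action targets 2002, so an author is added to a blog the
    caller does not own.
    """
    checked = first_value(query, "blogID")
    if OWNERS.get(checked) != user:
        return "forbidden"
    target = last_value(query, "blogID")          # may differ from `checked`
    authors.setdefault(target, set()).add(first_value(query, "newAuthor"))
    return "ok"


def add_author_fixed(query, user, authors):
    """Hardened: single parse, duplicates rejected, validated value reused."""
    params = parse_qs(query, keep_blank_values=True)
    ids = params.get("blogID", [])
    if len(ids) != 1:
        return "bad request"                       # repeated or missing blogID
    blog = ids[0]
    if OWNERS.get(blog) != user:
        return "forbidden"
    new_author = params.get("newAuthor", [None])[0]
    if not new_author:
        return "bad request"
    authors[blog].add(new_author)                  # same value that was checked
    return "ok"


if __name__ == "__main__":
    polluted = "blogID=1001&blogID=2002&newAuthor=attacker"
    a = fresh_authors()
    print(add_author_vulnerable(polluted, "attacker", a), a["2002"])
    b = fresh_authors()
    print(add_author_fixed(polluted, "attacker", b), b["2002"])
```

The important property of the fix is not the choice of "first wins" or "last wins" but that there is exactly one parse, the request is refused when a security-relevant parameter appears more than once, and the identifier passed to the action is the very object the ownership check inspected. A log of rejected "bad request" responses for duplicated ids is also a cheap detection signal for this class of probing.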
