Agenda

• pnh demo
• personal updates
• add your items to the agenda

PnH Demo

Mark demoes the content injection he added to Plug'n'Hack and Zap including capabilities to intercept, change and re-send postMessages in the browser

• discussing other relevant scripts
  • https://github.com/qll/autoCSP (for identifying outgoing requests)
  • https://www.sprymedia.co.uk/VisualEvent/ (to visualize event handlers)

Status Updates

• Frederik
  • lazy automation week, mostly done websec reviews
• Jeff
  • fought through instantiating a test environment (python 2.6..RHEL4, no make,yuck)
  • basic elastic search interface in meteor grabbing bunker status
  • Next step; injesting actual logs from syslog1 to test elastic search
• Tinfoil
  • internet stormcenter like website for mozilla/opsec
• Psiinon
  • preparations for appsec usa
  • talk
  • ZAP hackathon
• mgoodwin
  • I've been working on the clients functionality for Plug-n-hack. Progress this week:
    • The 'probe' (content injection) client can now intercept, modify and resend postMessage for on and off origin iframes.punkt
    • This works on Chrome and Firefox. Should (in theory) work in recent webkits (so probably web views on android / iOS too).
    • Started work on the addEventListener proxies for intercept / resend events.
    • I've got an (experimental) ringleader with the postMessage hook built in. No off-origin hackery required but since this is fx only it's not useful for all zap users.
• ulfr
  • MongoDB storage in MIG. Action completion ratio (% of commands that finished, handle termination, etc..). https://github.com/mozilla/mig/commits/master
  • IOC format discussion in MIG: tight json integration vs accepting any type of IOC format in modules without understanding them. Will be discussed in Q1 2014.
• stefan
  • https://github.com/st3fan/minion-webcompat-icon-plugin
  • https://basement.sateh.com/tmp/flask/ (try it with bug 935701 or 545760 or 544543 or 542391 (give it a few secondds))