Thursday, February 15, 2007

Reflection on RSnake

If you have heard of XSS cheat sheet or then you already know him. His name is Robert Hansen or more popularly known as RSnake. If there is any mention of XSS, there is a big chance RSnake’s name or its cheat sheet is mentioned along with it. His contribution in the web application security awareness is legendary. On two of his many web sites ( and ) you will find a wealth of information on various aspects of webappsec. His XSS cheat sheet is arguably the most referenced link in the webappsec space with 27000 hits in the month of January ’07 alone and has around 10,000 unique visitors per day (not counting the RSS feeds) making it probably the most followed blog in webappsec field. He has shared his technical expertise with a lot of industry professionals in their work including but not limited to working with Microsoft engineers to address XSS issue, Cloaking to Stop Scraping, and his discussion with the author of the chilling effect.

Looking at his past, he started hacking when he entered college, which was when the web applications were just getting started. In his words

"I'm a college dropout but was studying Computer Engineering. It was way too boring. They were dealing with the theoretical nuances of computers and outdated technology (Pascal pseudo-code on Macintosh assembler). At the same time that I was going to school, in my part time jobs I was doing in practice what my professors could only barely grasp from a theoretical perspective. This was pre-bubble and my parents and my teachers were telling me to get out there and make my millions. I took angel funding for a project, and everything seemed to be going well, but then the stock market crashed, investment money dried up and I learned a hard lesson. It was the day I closed up shop at my own company that I learned everything I need to know about business.
My first PERL script was a top100 list for (long gone now). I had a lot of people trying to hack it. It was a fun experiment that I finally gave up on due to time issues, but it gave me a lot of insight into how you can spoof traffic. Hackers have some of the most interesting traffic on the Internet. It's a pleasure to host security sites, because I get great visibility into the techniques and tools.”

RSnake is currently based out of California but is planning to move to Texas, US and start his own company SecTheory. In the WASC meetup I got a chance to meet with him, and for a person who is known and respected by the hackers and security professionals alike, he is very down to earth and with a good sense of humor, unlike a typical geek. Below are some of his contributions to the webappsec community. I say some because the information below does not represent all his work. Even he has lost track of some of his work over the years.

Articles / Books

PGP Man in the Middle Attack

AcuTrust Entropy Attacks

Hardening HTAccess, Part One

Hardening HTAccess, Part Two

Hardening HTAccess, Part Three

Accessing Trillian Pro Remotely and Through an Encrypted Tunnel

Death By 1000 Cuts – a Case Study

Is your money safe?

Electronic Commerce Insecurity

Internet Mind Games

Apache Information Disclosure Issues or, "How to detect cloaking"

He is also co-authoring a book on XSS to be released tentatively on March 1, 2007
Cross Site Scripting Attacks: XSS Exploits and Defense

Tools written by him:-


MHTML framework

XSS fuzzer


Lots of changes to browser technology over the years. Started a number of security sites, written hundreds of articles, dozens of tools and many sample PoC. He has also presented at Blackhat USA and Networld+Interop on a Security Information Management roundtable (couldn’t find the url)


Web Application Security Blog

Snake Bytes


He had started many security related sites, but these two are most popular

To discuss any aspect on web application security

If you want a break from your work and need a quick laugh


ISSA, CISSP, OWASP, WASC, IASCP. He is also working on something to certify web application security engineers.

Companies worked for:-

He has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer. He is now starting his new company SecTheory - doing boutique web application and network security consulting.


We will see a lot more contribution from him as he is working on some very cool stuff and if you want to stay on top of webappsec then make as the first site you visit to. I wish him all the best in his new endeavor.

Last Week – Amit Klein
Next Week – Jeremiah Grossman


Anonymous said...

awesome stuff man. Will be following you.



Anonymous said...

Oh, the days of the fringe. That was some genuine stuff at the time, and genuine people. I miss it :/