What is kittenpics.org?
This website, although the title might be misleading, has little to nothing to do with pictures of cats. Albeit we might throw in one here and there, the main idea is for this to a blog a web security and things we found to be interesting, potentially vulnerable or really really broken.
Why the name then?
In Web security, you often need the victim to visit a site with a crafted link, post a form or do something similar. One way of going about making the victim visit a link of your choice is to simply send it to her. The chances of that attack being successful is quite low since you need typically need your payload to be in the URL. Rather than trying to achieve that, why not lure your victim to a site that has content she likes. And seriously, what better content is there than cute cat pictures?
Who is behind kittenpics.org?
Kittenpics.org is filled with content by three authors who have worked quite a bit together, both in detection of vulnerabilities as well as proposing fixes.
Dr. Martin Johns is a Research Expert in the Security and Trust group within SAP AG, where he leads the web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in German companies (including Infoseek Germany, and TC Trustcenter). He holds a Diploma in Computer Science from University of Hamburg and a Doctorate from the University of Passau. Martin has a track record of 8+ years applied web AppSec research, published more than 20 papers on the subject, and is a regular speaker at international security conferences, including the OWASP AppSec series, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, or the CCC Congress. His twitter profile is at @datenkeller and he has quite a few publications on Google Scholar as well.
Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security. Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc. He regularly publishes his work at academic and non-academic security conferences such as CCS, Usenix Security, OWASP Appsec, Deepsec, etc. His ramblings can be found on twitter at his account @sebastianlekies.
Ben is currently a PhD student and research fellow at the Security Research Group of the University Erlangen-Nuremberg. His research interests lie within web security and malware analysis and he enjoys the challenges provided in capture-the-flag contests. He has been published at conferences such as BlackHat, OWASP Appsec as well as CCS and USENIX Security. You’ll find him at @kcotsneb as well as a list of publications on Google Scholar.