No YOU rule! :) Welcome to the forums. Bounce away!

- RSnake
Gotta love it. http://ha.ckers.org

Tribute Wrote:
-------------------------------------------------------
> Welcome Syl4r. Heroes fan?

You say that like there are people that DON'T like Heroes!

- Kyran

What is this Heroes you all speak of? It's my name!!

I like to eat Braaaaaaiiinnnssss



Edited 1 time(s). Last edit at 03/22/2007 06:06AM by Syl4r.

Heroes--Zeroes

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Hi; I'm goodwinster.

I'm a security geek based in Leicestershire, UK.

You might have seen some of my work on Joe Walker's blog. I've been hanging around for a few months now; thought I'd join in the fun.

Nice to meet you, goodwinster. Glad you have you finally join. I like to see the lurkers joining in. It'll keep the discussion alive!

- RSnake
Gotta love it. http://ha.ckers.org

I don't like "Heroes", but then again I don't like a lot of television shows.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Hey,

Meaning to say hi for a while. Im a pen-tester in the uk focusing mainly on web-apps. Dabble in social engineering too.

Great community you have here, should be at Defcon this year so if anyone is going I might see you there!

-Joe

Hi Joe, Both RSnake and I will try and be there, it's usually a lot of fun. Glad to have you here!

-id

Yah, and welcome... like id said, we both try to be there every year. But one way or another I'll post that info when it gets closer.

- RSnake
Gotta love it. http://ha.ckers.org

Hey all,
This is devilx here. Just started working on web app penetration testing. Still got a long way to go, lot to learn.

Cheers

Floating around...

welcome to the forums.

Hi I'm Ronald, I was Jungsonn but I switched names. Nicks suck!

sorry ^^

Arg, getting used to a new nick is tricky, especially when we don't have avatars, Oh well.. I'll have to get used to it I guess.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Yeh i'm trying to insert my url

Hmm it should work now. I've updated my site also it's moved to 0x000000.com

@devilx - welcome to the forums!

@Ronald - Oh, that's confusing. Well, welcome (back) to the forums. :)

- RSnake
Gotta love it. http://ha.ckers.org

thanks m8!

hey just joined trying to learn how to do different things in xss.

MonsterLishis for shizzle! Welcomizzle.

- RSnake
Gotta love it. http://ha.ckers.org

Hello, I'm a recentish follower of ha.ckers I've only just plucked up enough courage to post my introduction.

I'm a first (moving to second) year Internet Computing student in the UK. A fourth year who spent the majority of his "Java demonstrator" time on his knees trying to explain the concept of Objects [to me], introduced me to the web application security lab after a discussion on what my course involves.

In my third year I'll be moving into the more meaty part of my course, and while I'm sure security will be a taught part of the course, I don't see there being any harm in learning before my class runs. From what I gather since the IT professionals "create" the holes in security, the more I understand about the holes you guy's are finding then the less likely the chance that I'll repeat those you find. Theoretically.

I'm here to read, learn and make you wish you had a baseball bat to force concepts into my head ;)

I'm most interesting in HTML/CSS/JAVA/JavaScript/XML (I am still learning the last three and building knowledge on the first two. Apparently there is more to HTML than what I thought(?)) although I'm becoming interested in database/php/mySQL, especially on the security end.

Thanks for the reads to come and read!

I've never "officially" welcomed anyone to the forums, so I'll do it now...

"Welcome to the forums!"

That was a great intro. I'm glad you posted what you're learning in school, that's useful to know. And yes, there is a lot to HTML that most people don't realize. If you have Firefox go here: view-source:http://ha.ckers.org/weird/dandb.html I show this to people who tell me they know HTML. HTML is extremely complicated, and 80% of the tactics used on the XSS Cheat Sheet uses tricks in HTML that most people never think about, let alone program against.

Anyway, welcome!

- RSnake
Gotta love it. http://ha.ckers.org

I had a look at the source and my jaw dropped - is there another "bit" to the html or is the whole thing JUST HTML. I have never seen half of those tags and the other half I haven't seen used in that way - you have me intrigued! :D

I have had a look at the XSS Cheat Sheet, but since I'd never heard of XSS before I was introduced to ha.ckers.org I'm still finding it difficult to understand/use. I have this intimidation-fear of new languages before I actually start to use them.

Is HTML a markup language for layout (although seeing the dandb.html file and after seeing how meta tags can be used I think it can do more than just let a web page look pretty) and XSS is a programming language which can be used to attack them?
(or is there a thread somewhere that explains this?)

Thanks for the welcome!

Yah, that's really all HTML... although there is some CSS in it too for part of it. HTML is all presentation layer. What people often fail to understand about the XSS cheat sheet is that they think it's about JavaScript. It's not. It's about HTML used to get JS on a page (there are a few exceptions like straight JS injection or header splitting, etc... but for the most part it's all HTML injection that causes JS to run). The Cheat Sheet is pretty complicated, and lots of it is only useful in very particular situations, so I don't blame you for feeling a little intimidated. But trust me, you can figure it out, it's not rocket science.

XSS isn't a language at all, it's just an HTML fragment that gets outputted by the server side code (in most cases). That's the easiest way to think of it. One of the obvious exceptions is stuff like anchor tags url/file/path/to/function.php#exploit-goes-here where it doesn't even get sent to the server, but JavaScript that runs client side does something unsafe with the anchor tag that causes code to run that the attacker controls.

- RSnake
Gotta love it. http://ha.ckers.org

I thought that HTML was "client based" while PHP was server-side, how does HTML become outputted by the server side code? (At least, that's what was hammered into my head during a basic php class.)

I've just finished my first and last exam (I swear, if I see another snippet of MARIE code or have to explain Skipcond one more time I will melt into a pile of smush!) so I had (another) look at the code and I think I've figured it out - except the A STYLE tag. Does that do anything?

I'd also like to point out that it is a very sneaky (because it looks scary!) bit of html, in my opinion!

Hi, I think I may as well make an introduction here since I like this site.
I'm not a hacker actually, just a guy who likes mess with various stuff, so don't expect any insight from me. I'm interested in a lot things from genetic algorithms to cg graphics, game development and php,sql,unix blah blah blah...

I hope my introduction wasn't too boring, anyway.
I'm just gonna say, that every time I read your blog, I learn something, and that's cool man!

Ers_Dokutn Wrote:
-------------------------------------------------------
> I'm not a hacker actually, just a guy who likes
> mess with various stuff,
I think most people agree that's what hacker really means in the normal sense.

- Kyran

Ers_Dokutn - Welcome to the boards! As Kyran said, I think a lot of people fall into that category. For many years I never thought of myself as a hacker, even though I had the 139th hacking site on the Internet (it was pretty terrible actually). But I'm sure if you have experience with different technologies you can be helpful when we talk about those specific technologies.

- RSnake
Gotta love it. http://ha.ckers.org

Hey all. Long time fan of ha.ckers and sla.ckers, I've been following the blog and lurking the forum for a while. I'm 20, still in college, on my second internship, and still very new to web app security. I know a little html/css (like larkadragon said above, "my jaw dropped" with that example) and have some idea behind some of the stuff you guys do. But... I'm doing my best to learn and I hope to contribute my own work some day. Still have RFC2616 on my plate :)

-Marcin
http://tssci-security.com



Edited 1 time(s). Last edit at 06/19/2007 01:12PM by sjraptor.