Howdy folks, I'm Groone.

Hello, I'm Satori.

I'd like to say that because I'm so security and net-savvy that I've been a lurker on this site since eons ago, but the truth is that I just found it based on your XSS vulnerabilites posts regarding the who's who of the dot com world. Nice work on that, by the way. That information is important.

Well, even if I'm not an OG, I'm glad I found this place. I'm looking forward to going through every single post I've missed by not being here earlier.

Welcome to the boards!

-id

Yah, agreed... welcome both of you! Don't worry about being OG... we'll forgive you that one indiscretion. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Hello all,

I am a professional computer geek / security officer. I have had the fortune of turning my passion for security into a career after evolving from the primordial intern at a local dot-com startup to a senior sowftare engineer / architect. Currently, I manage our security engineering department and am responsible for the security of my companies many web applications and databases.

Needless to say, I try to stay on top of things. I have found this site to be a priceless source of real information about security issues (as opposed to the dribble you often find in many high-profile news groups).

Although I have long since been a lurker, I will make an effort to give more back to this site. If anyone wishes to contact me directly, drop me a line at Erlkonig@Inbox.com

Cheers!

Welcome to the forums!

- Kyran

It's always good to hear people find value in the work that goes into the site and the contributions of the posters here.

Welcome aboard!

-id

Agreed... and feel free to ask questions. It's nice to talk to lurkers, because I really don't get a lot of feedback from them. Let us know if you have any suggestions for the site or questions that have since gone unanswered.

- RSnake
Gotta love it. http://ha.ckers.org

Hi everybody

Hi yourself! Welcome to the boards!

- RSnake
Gotta love it. http://ha.ckers.org

Hey! Nice to see more new people.

- Kyran

Yeah nice to know new people and ia m glad to found this place there is a good information about security.



Edited 1 time(s). Last edit at 10/10/2006 02:57PM by ReapeR.

Greetings,

I build security products and have been working in the industry since 1996. I have designed network scanners, IDS, IPS, Web Scanners, and Web application firewalls.

I would like to contribute to questions regarding scanner and intrusion sensor technology as well as keep up with new threats.

Welcome to the Forums!

- Kyran

thank you for welcoming me to this forum. i like the text, very nice.

you probably think i came here to find zeroday xss sploits, but no i am mostly here to learn about browser safety and security (protection mechanisms). at least this week. ;>

WalkinDude, welcome to the boards, it's always nice to have good to talk with web scanner and IDS guys, there are several threads on the board that have died down - partly because we haven't had that many people who specialize in that. You're comments are welcome.

ntp, well you're in the right place, we definitely talk about that in context of what bad things are going on. One of the major threads we started on future state of browser security was around this post: http://ha.ckers.org/blog/20060921/opera-weirdness-might-be-a-good-idea-for-xss-prevention/ Also, I'd suggest reading this as well: http://ha.ckers.org/blog/20060601/content-restrictions-and-xss/

Welcome both!

- RSnake
Gotta love it. http://ha.ckers.org

rsnake Wrote:
-------------------------------------------------------
> One of the major threads we started on future state of browser security was around this post: http://ha.ckers.org/blog/20060921/opera-weirdness-might-be-a-good-idea-for-xss-prevention/ Also, I'd suggest reading this as well: http://ha.ckers.org/blog/20060601/content-restrictions-and-xss/

wow... kinda sad that browser xss protection is so played down. also bummed about gerv's wip to whatwg. is the best way to protect yourself simply to turn attacker and perform your own risk assessments of nearly every website you go to? almost anything can be made believable via XSS under the right circumstances... and not everything is going to be picked up by the anti-phishing toolbars.

i've been playing around with http://crypto.stanford.edu/antiphishing/ which includes a lot more than just an anti-phishing toolbar. i find spyblock most intersting of all the firefox extensions... and it makes me wonder how many people are now browsing from inside a virtualmachine.

Welcome!

Yeah. It is rather disappointing that the browser community either doesn't understand the implications of XSS or just doesn't care. Also, with persistant XSS, no one is safe. Since all anti-phishing toolbars currently do is check the domain against a list.

I would browse inside from a virtual machine, but if it's a virus, I will reformat. If it's XSS, my info is gone anyways.

0-day XSS exploits? Hah. XSS is everywhere. Hardly a rare thing like remote code execution/file inclusion.

- Kyran

ntp, yah, I wish both conversations had gone better. My only saving grace was that I was in the very very earliest talks with Mozilla to get an anti-phishing filter built in and it looks like very soon they'll finally have it, Netscape already had one and IE was in the process of building it into IE7.0. But you're right, that certainly won't protect you from most things, and most of the anti-phishing is using blacklists not heuristics, so it wouldn't help you anyway if each URL was different.

Kyran, that's an interesting point... while virtual machines can't protect you from internet to internet type XSS they may be able to help out with internet to INTRAnet type stuff. I've actually heard of this from a few companies that I looked at for a VC firm (probably shouldn't say the name here as I think they are all still in incubation phase). But you're right, Kyran, the virtual machine really doesn't protect you when you've given away your information/credential - regardless of what machine you're on.

- RSnake
Gotta love it. http://ha.ckers.org

That's really the scary part about XSS. Since the browser community won't do anything about it, there is virtually nothing an average user can do to protect themself. There are some people that only lightly use the internet as a tool, such as for shopping. They shouldn't be worried about becoming a security expert. I suppose in a corporate setting, it should almost be mandatory to browse in a virtual machine when accessing the internet. But I'm ranting now.

Again, welcome!

- Kyran

Kyran Wrote:
-------------------------------------------------------
> Yeah. It is rather disappointing that the browser community either doesn't understand the implications of XSS or just doesn't care. Also, with persistant XSS, no one is safe. Since all anti-phishing toolbars currently do is check the domain against a list.

yeah, i have a hard time explaining to ppl the difference bt type 2 attacks and joe-blow XSS

> I would browse inside from a virtual machine, but if it's a virus, I will reformat. If it's XSS, my info is gone anyways.

http://www.getspyblock.com/ indicates that there are several attacks that this method would protect against. i'm looking into it. my next step will be to determine how to easily get Windows-in-Windows up and running (and easily repeatable) without a lot of work. i would assume that slipstreaming XP into VMWare Player is the base goal (or maybe a bootable ISO with Firefox and SpyBlock, et al - BartPE could work for this).

> 0-day XSS exploits? Hah. XSS is everywhere. Hardly a rare thing like remote code execution/file inclusion.

yah, i was joking hehe. although i'm sure ppl do come here trolling for sploits which was the bad part of that joke

rsnake Wrote:
-------------------------------------------------------
> ntp, yah, I wish both conversations had gone better. My only saving grace was that I was in the very very earliest talks with Mozilla to get an anti-phishing filter built in and it looks like very soon they'll finally have it, Netscape already had one and IE was in the process of building it into IE7.0. But you're right, that certainly won't protect you from most things, and most of the anti-phishing is using blacklists not heuristics, so it wouldn't help you anyway if each URL was different.

Firefox 2.0rc3 -> Tools -> Options -> Security -> Tell me if the site I'm visiting is a suspected forgery
also has radio buttons for "Check using a downloaded list of suspected sites" OR "Check by asking [FORM] about each site I visit". The only thing in "FORM" right now is Google.



Edited 1 time(s). Last edit at 10/11/2006 08:13PM by ntp.

Hi

My name is Ronald, programmer, designer, strong interests in cryptography, engineering, *nix systems, and everything that has todo with infiltrating freshly build apps. :-] I have my own company and i develop/create websites, in my spare time i 'm busy with FireFox extensions, coding, music, etc. Some of my succesfull (whitehat) hacks involved companies like Cisco, found (activeX) exploits in Internet Explorer, etc...,currenlty my focus lies on FireFox, and XSS -> ( due to RSnake ;)

EDIT: removed a big name, though i get alot of annonymized traffic a sudden, and i'm easely googled, :) i have to be carefull even here.



Edited 1 time(s). Last edit at 10/31/2006 10:36AM by jungsonn.

Aw shucks, well you found the right place! Welcome!

- RSnake
Gotta love it. http://ha.ckers.org

Hello,

I found this site through endless clicking, via a site called nist . org. I was linked via articles on SQL injection and XSS interests me aswell.

I have some (professional) programming experience, ranging from basic, c, cobol to c#. Currently trying a bit python. Jack of all trades, good for nothing.

A few month ago I started a blog with blogger/blogspot. That was more fun than anticipated and I figured it would be nice to have my 'own' site. Well, I still don't. I did switch to Linux in the mean time and had a look at Drupal, which lead me to learn php, css, html and javascript (It's also the reason I'm interested in SQL injection and XSS).

I don't know a lot about 'security' so I read as much as I can. And get more paranoid the more I learn. I pride myself of thinking about security before I started my own site but in this crowd that's probably too obvious to get credits for.
Don't expect me to contribute much but when I've some time I'll lurk through the forums.

Caesar Tjalbo, welcome! Don't worry about having meaningful contributions. Sometimes asking the questions gets us all talking about things that normally we don't spend much time thinking about. The more talking we have the more we learn about how people perceive the issue. Anyway, welcome!

- RSnake
Gotta love it. http://ha.ckers.org

Hlo one and all from dyz-lektik.

Pretty new at the layer 6-7 part of security, though I know my way around 1-5. Done lots of Cisco installs/Pix/IPsec and had a small ISP for a couple of years.

Absolutely HATE Test King and that ilk for the way they've diluted/destroyed so many certifications. Brain dumps from memory are one thing, but these assholes, who OPERATE testing centers, are stealing/selling the whole question and answer series, right down to the damn diagrams! Now even the CCNP and my CCSP are practically worthless. Every f'in recruiter (who doesn't know a packet from a ping) wants a CCIE and is willing to pay barely enough for a CCNA! The MCSE?: "Must Call Someone Experienced!"

Got interested in this posting due to our Big Reptile's (King Snake's?)excellent work on XSS. Combining his list with the capabilities of Tamper Data in FF or PAROS in IE is one helluva tool for finding spots where the RegEx filters weren't properly set. FF and Paros allows even someone relatively new at this to find the most obvious weaknesses. Truly enjoy filing defects where the last (unwritten) word should be "stupid": "According to security policy, the secret encryption key for the Oracle database should not be posted in the source code, where it can be accessed by everyone with a common, shared login credential." (stupid!)

Will enjoy the lively comment.

Hahah, welcome dyz-lektic. I'm not much of a king, but I'm glad you enjoy the stuff. I have only got one certification but I agree for the most part. They really are pretty over hyped.

I look forward to your conversations on the forum!

- RSnake
Gotta love it. http://ha.ckers.org

Hello ,
I am br0ken ...
I joined due to the fact of all this granny porn chit chat ...
but to my dismay there does not seem to be any actual granny porn :(

So yeah ... I like pizza

./br0ken

Sorry to disappoint you, br0ken, but as a consolation prize I can give you directions to the nearest old folk's home. I'm sure they could use a strapping young lad like you around. You could feed them pizza. Oh it could be so hot.

- RSnake
Gotta love it. http://ha.ckers.org

Thanks, for the thought.
I just mapquested directions to the "nearest old folk's home"
and its a lot closer then first thought, so there should be no need of searching
for granny porn on the internet anymore ... now I got to find some other use of this internet thing ...

;)

./br0ken