Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Funny ZoomInfo
Posted by: blad3
Date: February 25, 2007 07:30AM

So, there is this new search engine ZoomInfo.
It's supposed to be "The search engine for discovering people, companies, and relationships."


Funny searches:
http://www.zoominfo.com/Search/PersonQuery.aspx?SearchType=simple&SearchBy=name&searchParameters=%22Bill+Gates%22&x=0&y=0
http://www.zoominfo.com/Search/PersonQuery.aspx?SearchType=simple&SearchBy=name&searchParameters=%22Michal+Zalewski%22&x=0&y=0 <- check second result

Re: Funny ZoomInfo
Posted by: hiredhacker
Date: February 25, 2007 08:31AM

Another one:
http://www.zoominfo.com/Search/Error.aspx?message=%3Cscript%3Ealert('xss');</script>

-peavey

--------------------------
http://www.hiredhacker.com

Re: Funny ZoomInfo
Posted by: blad3
Date: February 25, 2007 10:10AM

Nice one hiredhacker,

There is something that is bothering me.
These guys are running IIS 6 with ASP.NET (1.1.4322)
By default ASP.NET has ValidateRequest="true" on every page as a protection for XSS.
You need to manually disable that protection to be vulnerable to XSS.

Why would you do that for an error message page?
Am I missing something obvious here, or are people just clueless?

Re: Funny ZoomInfo
Posted by: kogir
Date: February 26, 2007 03:28AM

@blad3

I work on an ASP.NET web application and I can tell you why you disable that infernal check:

1) You want to let users use common characters, like < and >
2) You get tired of having something work in the Visual Studio test server only to see it fail spectacularly when you push it to the test server.
3) You let users enter data on cell phones, and on the web.

User enters "|<run|<" as a name on their phone.
User tries to edit name on the web.
User sees ugly "Invalid request message" on submit.

This really does happen. I was shocked too.

4) It pisses you off one too many times when you're trying to test for injection points (I don't want to enter "<script..." as my name on a phone).

I've disabled it on my application as well. We just encode EVERYTHING on output. We're even starting work on static analysis tools similar to perl tainting http://en.wikipedia.org/wiki/Taint_checking to enforce it.

-kogir

Re: Funny ZoomInfo
Posted by: blad3
Date: March 02, 2007 12:59AM

Hi kogir,

My question was a bit different:
Why would you do that for an error message page?
On an error message page, you basically display your own error messages.
I'm aware there are pages where you need it disabled.

But thanks, I didn't know there are so many reasons why people hate ValidateRequest. Good to know ;)

p.s.
loopt looks nice:)


Re: Funny ZoomInfo
Posted by: kogir
Date: March 02, 2007 01:36AM

@blad3

We actually disable it site wide. Perhaps that's a bad idea... :)

I suppose the best thing would be to run the same checks on the phone input data, but I'm not sure it's worth it. It just doesn't provide a good user experience to be forced to go edit something you just wrote, and silently stripping things is equally bad.

Thanks for the compliment. None of the design work is mine, but I'll let our web team know. My contributions are less visible to most people:

\n
\n
<!-- yay mhtml! ;) -->

(at the end of a page)

-kogir

Re: Funny ZoomInfo
Posted by: blad3
Date: March 02, 2007 03:26AM

IMHO it would be better to disable it on a per-page basis.
Only where you know exactly that you need it.
You may/will have some problems in the beginning, some pages will not work as expected, but you will gain better security in the long run.

"yay mhtml! ;)"

LOL, nice one!

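The three settings argued over in this thread, side by side: blad3's point that ValidateRequest is on by default and has to be switched off to get a reflected XSS like the posted Error.aspx URL, kogir's site-wide disable with "encode EVERYTHING on output", and blad3's per-page alternative. This is an added example written for this page, not ZoomInfo's, loopt's or kogir's code. The query-string parameter name `message` comes from the URL posted in the thread; the file names, the `Demo` namespace, the `ErrorPage` class and the `MessageLabel` control are assumptions made for the illustration.

```csharp
// Constructed example (not code from the thread or from any site it mentions).
//
// Site-wide disable, the setting kogir describes, in web.config. Every page,
// including an error page that only shows its own messages, now accepts raw markup:
//
//   <system.web>
//     <pages validateRequest="false" />
//   </system.web>
//
// Per-page disable, the alternative blad3 suggests, in the one .aspx that really
// needs users to type '<' and '>' (names like "|<run|<"). Everything else keeps
// the default ValidateRequest="true":
//
//   <%@ Page Language="C#" ValidateRequest="false"
//            Codebehind="EditName.aspx.cs" Inherits="Demo.EditName" %>
//
// Either way, request validation is a filter on input, not an encoder on output,
// so the code-behind still has to encode anything it reflects. Error.aspx below
// keeps the default setting and encodes on output.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Demo
{
    // Code-behind for Error.aspx, which contains
    //   <asp:Label ID="MessageLabel" runat="server" />
    public class ErrorPage : Page
    {
        protected Label MessageLabel;

        protected void Page_Load(object sender, EventArgs e)
        {
            // Untrusted: comes straight from the URL, e.g.
            //   Error.aspx?message=%3Cscript%3Ealert('xss');</script>
            string message = Request.QueryString["message"];
            if (message == null || message.Length == 0)
            {
                message = "An unexpected error occurred.";
            }

            // Vulnerable pattern (what the posted URL shows): the raw parameter is
            // inserted into the page as markup, so the <script> element executes.
            //
            //   MessageLabel.Text = message;

            // Hardened pattern: encode on output. '<' and '>' arrive in the browser
            // as &lt; and &gt;, so the payload is displayed as text, not executed.
            MessageLabel.Text = HttpUtility.HtmlEncode(message);
        }
    }
}
```

Note the division of labour: the page directive (or the `<pages>` element) only decides whether ASP.NET rejects suspicious input with the "potentially dangerous Request" error that kogir's users hit; it never changes how a value is written into the response. Narrowing the disable to the pages that need it, as blad3 suggests, limits where a forgotten `HtmlEncode` becomes exploitable, but the encoding call is what actually closes the hole on Error.aspx.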