Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
What would you like to see?
Posted by: rsnake
Date: September 01, 2006 07:58PM

As I rapidly approach a quarter of a thousand posts on the blog and we've already well surpassed that on the forums as well, I'm still at a bit of a loss as to what my readership is actually looking for. Most of the posts have 1-10 comments, and some of the ones I am sure would spark debate are the calmest. I'm getting the feeling I don't know what my users are actually after.

Are there any things in particular that you are all interested in? Are there topics that you are hoping I will cover but haven't yet? Are there tools or services you want that I haven't built (or exposed) that you are after? I guess I am really interested in some real feedback (good or bad) as to what people are looking for from the site. Of course there are plenty of lurkers who won't pipe up here, but hopefully the people who will can represent the target demographic.

- RSnake
Gotta love it. http://ha.ckers.org

Re: What would you like to see?
Posted by: id
Date: September 02, 2006 01:12AM

I want pie

-id

Re: What would you like to see?
Posted by: WhiteAcid
Date: September 02, 2006 06:27AM

I keep writing a reply, then removing it as I realise I'm being hypocritical with what I want. Third time lucky...

I have no idea what I want (besides pie of course), but I enjoy reading the vast majority of your posts, so you seem to be hitting the target already. One thing I didn't like before was your vast amount of posts about SEO, but now that I'm a bit more clued up on it I'll happily gorge those posts down too.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: What would you like to see?
Posted by: rsnake
Date: September 02, 2006 12:12PM

Hmm... so that's one vote for "don't change a damned thing." Good to know.

"The pie is in the oven. Repeat. Pie in oven."

- RSnake
Gotta love it. http://ha.ckers.org

Re: What would you like to see?
Posted by: Kyran
Date: September 20, 2006 07:12PM

Perhaps you're just TOO good, rsnake.
I usually have nothing to say to a post, perhaps for lack of knowledge of the subject or you just hit the nail on the head.

Either way, second vote for "don't change a damned thing."

- Kyran

Re: What would you like to see?
Posted by: rsnake
Date: September 21, 2006 10:26AM

That's good to hear... I've got lots of ideas still, but my time has become more and more limited lately. I'm trying to work on things that are maximally interesting with the least amount of work for yours truly. For instance my stupid XSS fuzzer which has taken up more time than I would have liked. I might release it if I can get a few things working better. It was one of those projects that should have taken 20 minutes but ended up being weeks worth of testing and debugging.

- RSnake
Gotta love it. http://ha.ckers.org

Re: What would you like to see?
Posted by: Kyran
Date: September 21, 2006 11:42AM

Well, I'm quite sure if you get any of your projects to a beta-ish stage that your little sl.acking community MIGHT get around to help testing it. But that's only when the bugs are getting few and far between.

- Kyran

Re: What would you like to see?
Posted by: raif
Date: September 21, 2006 12:31PM

although there are fewer posts on this forum than others i have been a member of, it seems to me that the quality of the information contained in these posts are much superior. also, i'm not sure what i want to learn about yet because i'm still fairly new to web app security. so i'm just happy to learn anything ;)

Re: What would you like to see?
Posted by: rsnake
Date: September 21, 2006 06:07PM

This is good feedback... tell you what, I'll see if I can clean the code up a little more tonight and if I can I'll try and release the fuzzer. It's some of the worst, most strung together code I've ever written, but it does really help with identifying variable width encoding issues.

- RSnake
Gotta love it. http://ha.ckers.org

Re: What would you like to see?
Posted by: Kyran
Date: September 21, 2006 06:32PM

Sounds great. Going to be posting it on the forum or on ha.ckers?

- Kyran

Re: What would you like to see?
Posted by: rsnake
Date: September 21, 2006 07:46PM

Probably both... It's been too long, even though it sucks, I should let other people see how bad it sucks.

- RSnake
Gotta love it. http://ha.ckers.org

Re: What would you like to see?
Posted by: rsnake
Date: September 21, 2006 09:09PM

Okay, I posted it here: http://ha.ckers.org/blog/20060921/xssfuzz-released/

Go crazy!

- RSnake
Gotta love it. http://ha.ckers.org

Re: What would you like to see?
Posted by: Kyran
Date: September 21, 2006 09:11PM

Go? Already gone.

- Kyran

Re: What would you like to see?
Posted by: ejfarraro
Date: September 28, 2006 11:08PM

I've been lurking on the blog for awhile now, but even though I haven't commented much, I really like (almost all) of the posts. I've learned a ton about vectors I hadn't even thought of. I'll probably be posting more comments from now on though!

Re: What would you like to see?
Posted by: rsnake
Date: September 29, 2006 10:10AM

ejfarraro, thanks for the feedback... when you say "almost all" of the posts were there some that were uninteresting or otherwise not up to par, or was it more just not your speed? I try to keep it fairly mixed with news and actual practical tools that I don't publish elsewhere. I've probably posted too much actually - I got sorta burnt out last month but I think I've gotten over that hump.

I'm glad I set up this forum though, it's helped me think through some of my ideas and allow you guys a space that's really yours to do what you will with - instead of being "my forum" you know? Frankly, I don't give a shit what happens to the forums, as long as you guys get what you want out of it - and to me that means targeted web app sec stuff.

- RSnake
Gotta love it. http://ha.ckers.org

Re: What would you like to see?
Posted by: Kyran
Date: September 29, 2006 12:40PM

I'm rather happy with the forum itself. Not only am I learning the occasional thing, most of the people here are already in the industry, or want to be. So, possibly good contacts are being made between everyone.

- Kyran

Re: What would you like to see?
Posted by: metal_hurlant
Date: September 30, 2006 04:53AM

Here's my little pet request:

While a lot of the site is currently focused on injecting code into a site, the research of what can be done with that code is an interesting topic, which I believe is quite far from being fully documented.

A project like attackapi (http://www.gnucitizen.org/projects/attackapi/) attempts to provide an easy look into what capabilities are available, yet it is missing out on quite a bit.

Long story short, a modern web browser can typically run javascript, java, actionscript 2, actionscript 3, and pdf javascript. ( .net runtimes coming soon.)
All those languages have some kind of bridging abilities available to send data and events to each other.
As a result, the *real* security model/sandbox your code runs in is the union of the security models of each environment available in a given browser.
Often, that resulting security model is widely different from what each environment designer was considering.

Note that this is *not* about specific bugs in a particular implementation, since those are typically short-lived.

As a small example, consider the early interactions between the java sandbox (there shall be no network traffic with hosts other than the applet serving host) and the javascript sandbox (you can initiate HTTP,HTTPS,FTP,GOPHER,... requests to any host you want, but you can't always see the response.)
Now add the more recent flash sandbox (you can establish full binary sockets to any host you want as long as you can first locate a policy file on that host that allows for it) and you start to have an interesting variety of options when it comes to networking abilities.

My suspicion here is that the number of coders that know each bridged environment fully is quite small, and as such web applications are designed and written by people who suffer from tunnel vision and assume their sandbox is restricting/protecting them more than it really is.
This is likely to have rich security implications.

Re: What would you like to see?
Posted by: ejfarraro
Date: October 06, 2006 11:30PM

By 'almost all', I mean that some of them were way over my head. I'm definitely not as familiar with this type of stuff as some people, but I would say that all of the articles are interesting reads.

Re: What would you like to see?
Posted by: metal_hurlant
Date: October 07, 2006 06:33AM

Following up on my little blurb on how the real web app sandbox is wider than the sum of its parts, here's a first shot at looking at one of those parts:

http://metal.hurlant.com/jexplore/ Edit: got rid of the geocities url.


This will only work on gecko browsers with java installed.
It's an exploration/experimentation tool that allows one to investigate what is available/possible from the java sandbox standpoint.

Warning: it's very very easy to crash firefox with it. If that's not your kind of fun, be careful not to move the mouse pointer between the moment you click on a class, and the moment the class is loaded.

Using it, I've already found a vulnerability in JRE 1.5 that gives access to some local resources, so it definitely has its uses.



Edited 1 time(s). Last edit at 10/07/2006 11:31PM by metal_hurlant.

Re: What would you like to see?
Posted by: saphil
Date: October 30, 2006 07:56PM

There is so much here that I haven't read yet. Give me a year and I MIGHT have some ideas for new stuff.

Things I would like to see, generally, but which I haven't found yet.

1) how-to article for Snort linux..
specifically how to make useful filters

2) what can't you do with Nessus?

3) other tools for technicians and security testing.

4) ways to lock down sites vulnerable to xss

proud [' or 1=1 dot com] member

Wolf

PS.. Pie

Entropy Requires no Maintenance



Edited 1 time(s). Last edit at 10/30/2006 07:57PM by saphil.

Re: What would you like to see?
Posted by: rsnake
Date: October 30, 2006 09:09PM

All good ideas... id might be able to help out with the snort question. He's away today but should be back tomorrow. We discuss tools quite a bit (mostly open source with a few occasional mentions of non-open source) but I'll think about that one. I don't mention nessus much because I really stopped using it about 5-6 years ago. It is good for certain things but certainly not the black box custom penetration testing that I focus on (and as such it's not good for the security theory that we talk about on the labs). But it's probably time that I downloaded it again and refreshed my memory on the ins and outs.

#4 is the real trick though, isn't it. It's an ongoing battle, but we are definitely on the forefront here and trying to battle it - one bug at a time!

- RSnake
Gotta love it. http://ha.ckers.org

Re: What would you like to see?
Posted by: saphil
Date: October 31, 2006 07:28AM

#4, I keep thinking may only be solved by rising above the level where the problems exist, like Fuller is reputed to have said. Though it is not trivial to kill each exploit 1-by-1-by... Wouldn't it be cool if superclasses containing classes of exploits could be blocked by designing at a level containing the superclass of exploits.

Something like rewriting the classical c libraries containing variables without boundary parameters (that allow buffer over-runs) so they all have the same names and have the same normal outputs, but when a buffer over-run is done, have handlers to keep the condition from happening.

Or devise a successor to the TCP stack that is not based on trust and authentication.

For the last few years I have found myself in a niche where I am doing support for businesses, developing portals and intranets, and writing a lot for intelligent business executives who need to know enough about networks and security that they are not taken for an expensive ride by salespeople with fearful tales. I am writing a primer for network security students, and in doing so have found that much of the information in texts and on the internet is outmoded and that exploits like the "Ping-of-death" or source-routing which strike fear into my readers (or cause them to get all excited and infused with power) are not very useful and fall into the voluntary category of exploits along with turning your firewall off because a c-level exec thinks it interferes with the speed of email delivery, or leaving your new hummer unattended, running with the door open outside a high-school.

Entropy Requires no Maintenance

Re: What would you like to see?
Posted by: rsnake
Date: October 31, 2006 10:12AM

Well the superclass to XSS is HTML and JavaScript. I know that sounds stupid, but really the only way to effectively turn it off is to remove those things from the equation. Either stop them from rendering or stop them from being outputted on a page. Whether that's through encoding tricks, stripping strings or isolating the output to a benign location, I think we've heard it all. The main problem is that although we've isolated most of the output that causes the XSS to fire, we haven't isolated all of the vectors yet. There are simply too many new things (technologies and bugs) that make finding a super set of the vectors themselves nearly impossible (look at UTF-7 and US-ASCII for examples).

We can try changing the output in certain ways like Ambush Commander's code has, but that still leaves other things like header injection, JavaScript injection, etc... It simply isn't a catch-all.

- RSnake
Gotta love it. http://ha.ckers.org
