Sla.ckers.org

Current Page: 1 of 2
Results 1 - 30 of 45
4 years ago
Inferno
Hello my fellow ha.ckers, I wrote a post on PDF files embedded with internal disk paths arising from use of IE for printing. More info here - http://securethoughts.com/2009/11/millions-of-pdf-invisibly-embedded-with-your-internal-disk-paths/
Forum: Full Disclosure
4 years ago
Inferno
Thanks @Ronald for appreciating my work. MHT is quite an interesting extension :).
Forum: Full Disclosure
4 years ago
Inferno
Another issue I found in Chrome that can be used to steal files using other browsers... http://securethoughts.com/2009/11/using-blended-browser-threats-involving-chrome-to-steal-files-on-your-computer/
Forum: Full Disclosure
4 years ago
Inferno
Thanks @tx for your feedback.
Forum: Full Disclosure
4 years ago
Inferno
Hello my fellow ha.ckers, I just completed writing another post on exploiting Opera's feed subscription page. Details here - http://securethoughts.com/2009/10/hijacking-operas-native-page-using-malicious-rss-payloads/
Forum: Full Disclosure
4 years ago
Inferno
Hello my fellow ha.ckers, I just completed writing a post on XSS issues in the Google and Opera RSS feed readers - http://securethoughts.com/2009/09/exploiting-chrome-and-operas-inbuilt-atomrss-reader-with-script-execution-and-more/
Forum: Full Disclosure
5 years ago
Inferno
Hello my fellow ha.ckers, I just completed writing a post on 11 vulnerabilities I found in Opera Unite - http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/
Forum: Full Disclosure
5 years ago
Inferno
Hello my fellow ha.ckers, this is a vulnerability I found while looking at the OWASP XSS prevention cheatsheet and ESAPI: http://securethoughts.com/2009/08/bypassing-owasp-esapi-xss-protection-inside-javascript/ If you find more issues, feel free to share them in this thread.
Forum: Full Disclosure
5 years ago
Inferno
Hello my fellow ha.ckers, this is an issue I got fixed in the Safari 4 browser today with the latest update, 4.0.3. Using this vulnerability, you can inject phishing sites into the flashy Top Sites feature of Safari 4. Check it out here - http://securethoughts.com/2009/08/hijacking-safari-4-top-sites-with-phish-bombs/
Forum: Full Disclosure
5 years ago
Inferno
Script tags don't work, but img src onerror works: chrome://history/#q=%22%3E%3Cimg%20src%3D%22%22%20onerror%3D %22javascript%3Aalert(5)%22%3E but when I try to put this in an iframe or try to open a window with this URL, it does not work. So, I don't see how to exploit this, unless you convince someone to type it :(. Also tried compressing the URL, it does not work - http://tinyurl.com/nxeux2
Forum: XSS Info
5 years ago
Inferno
Firefox 3.5+ version (original): http://ha.ckers.org/blog/20090720/xmlhttpreqest-ping-sweeping-in-firefox-35/ IE8 version: http://securethoughts.com/2009/07/rsnakes-javascript-ping-sweep-attack-extended-for-internet-explorer-8/
Forum: Full Disclosure
5 years ago
Inferno
3x. Thanks Mario for posting.
Forum: CSRF and Session Info
5 years ago
Inferno
@sirdarckcat - thanks for the improved PoCs with pure CSS. @rvdh, I do google things before writing them up. Believe me or not, the concept was not discussed anywhere else before. If you still don't believe it, try to find this PoC in Google - http://eaea.sirdarckcat.net/css-sib/urlbruteforce.php. What I should have done is to improve my
Forum: CSRF and Session Info
5 years ago
Inferno
Gareth, I am getting your point now; with the last PoC it was a little unclear. So, yes, my PoC can be improved to be pure CSS based without JS. However, I still feel that a pure CSS attack might be more problematic because your HTML file size will be very large, since it will contain all the brute force values. A base16 token 5 characters long will have a key space of 1048576. Any way to overcome this
Forum: CSRF and Session Info
5 years ago
Inferno
@Gareth, I think you are missing the point of my attack. Sirdarckcat's work is on an entirely different side and it requires active CSS injection in the form page. My technique is based on the CSS history hack by Jeremiah and it does not require any injection. Thanks, Inferno
Forum: CSRF and Session Info
5 years ago
Inferno
@Gareth, thanks for pointing this out! Using a CSS PoC is better than my JavaScript, and works even when someone completely disables JavaScript :). Can you please share the source code for this PHP page - http://sla.ckers.org/files/css_tokens.php. Can you please put a download link here or send it to my email id Inferno {at} SecureThoughts.com
Forum: CSRF and Session Info
5 years ago
Inferno
For nonces, it depends. Many systems allow older nonces in the active user session to support back and forward browser buttons. If that is the case, then yes, this technique would work. Otherwise, no.
Forum: CSRF and Session Info
5 years ago
Inferno
Hi Ha.ckers, I came up with this idea of brute forcing CSRF tokens using the CSS history hack and want to get your opinions on it. Currently it works OK to brute force tokens of 5 chars length; it might be feasible in future for longer tokens - http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/
Forum: CSRF and Session Info
5 years ago
Inferno
More Information here - http://securethoughts.com/2009/06/phishing-with-url-obfuscation-continues-in-safari-4/
Forum: Full Disclosure
5 years ago
Inferno
@Matt, Mario - thanks for your feedback. @Mario - I think they truly deserve the award for protecting their users via SSL (insecurely though :)). I hope they fix this soon, as one of the users on my blog commented that LogMeIn is used in a lot of places by IT companies for fixing remote client problems.
Forum: Full Disclosure
5 years ago
Inferno
I have found some severe vulnerabilities in the LogMeIn software that can be used to read any file on disk, restart your comp, etc. More information is available in my blog article - http://securethoughts.com/2009/06/multiple-vulnerabilities-in-logmein-web-interface-can-be-used-to-control-your-computer-and-steal-arbitary-files/
Forum: Full Disclosure
5 years ago
Inferno
Hi Alex, I have analyzed their patch and the only thing they do is move the meta tags before the title tag to prevent any utf-7 injection. I don't think browsers ignore the utf-8 specified in the http response headers, otherwise there could be tons of security issues to exploit :). + * Make any final alterations to the rendered xhtml. + */ +function drupal_final_markup($content) { + //
Forum: Full Disclosure
5 years ago
Inferno
@Gareth, I think my question was a little confusing, sorry about that. My PoC is based on cross domain redirects and you can inject UTF-7 strings on any site, as kuza55 said. The question I had was that this attack requires that a user visit an evil site. I think this might be considered less likely as compared to a user clicking a link on his trusted domain. So, I thought that finding a op
Forum: Full Disclosure
5 years ago
Inferno
@Gareth - thanks for your compliments. I also wanted to get some suggestions from you and other hacker folks on exploitability scenarios for this. I see Secunia's earlier advisories on the UTF-7 charset inheritance attack were 'less critical'. However, I feel that if I find an open redirection flaw on the same vulnerable site, then the exploitability level becomes similar to a reflected XSS attack.
Forum: Full Disclosure
5 years ago
Inferno
Hi Ha.ckers, I have been able to exploit the UTF-7 charset inheritance fix that was done in IE8. More information is available on my blog - http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/
Forum: Full Disclosure
5 years ago
Inferno
@digi7al64 - thanks for your comments. @Gareth - Thanks a lot. I realised this after I put it in the bug category :) BTW, is there a way to change the category after writing a post?
Forum: Full Disclosure
5 years ago
Inferno
Hi Hackers, Google just fixed a universal XSS that I reported. It was in a Python script that was common to most Google services. More information here - http://securethoughts.com/2009/05/universal-xss-vulnerability-in-all-google-services-can-compromise-your-personal-information/
Forum: Full Disclosure
5 years ago
Inferno
I remember that Firefox has a download file popup which has an option to perform automatic file opening in the future. If the user has that attribute set, then that file will open automatically in Firefox. However here, the content type is set to text/plain, so it won't execute as HTML in Firefox. So, no issue for Firefox in my opinion. This is what I want to say - http://www.gnucitizen.org/blog/cont
Forum: XSS Info
5 years ago
Inferno
I think this functionality might be customizable in their enterprise PAID product, which is WebInspect.
Forum: XSS Info
5 years ago
Inferno
Hi Ha.ckers and Sla.ckers, HP's SWFScan tool does not find simple XSS issues found by the SWFIntruder tool. More information on my blog: http://securethoughts.com/2009/04/hps-swfscan-does-not-find-simple-xss-in-flash-apps/ Has anyone tried any other Flash testing tools, other than SWFIntruder and Flare, and want to share their experience?
Forum: XSS Info