Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 

Current Page: 1 of 1
Results 1 - 28 of 28
4 years ago
ManJIT
Just because this thread is quiet doesn't mean we have no competing rootkits. But people seem to prefer submitting the last minute (they've emailed me). Let's hope we get some nice submissions April 20. BTW: The full conference program including abstracts is published. Check it out: http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden The winner of this compo g
Forum: OMG Ponies
4 years ago
ManJIT
<drumroll> The 10th OWASP AppSec Research 2010 Challenge is here! Only three chances left to win tickets. </drumroll> It's time to write an Enterprise Java rootkit. Your assignment is to be the evil developer who implements and hides a backdoor in a Java servlet. We've implemented a very simple login web application and exported it as an Eclipse project that you can download. It's a
Forum: OMG Ponies
4 years ago
ManJIT
Hi all! Long time no message. But the judges of the OWASP AppSec Research 2010 OC have decided to give first price to Thornmaker. This really was a nice compo. And I will use the polyglot to demo stuff. With due credit of course. Congratulations to winning a free ticket, Thornmaker. See you at the conference this summer! http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_S
Forum: OMG Ponies
4 years ago
ManJIT
And we have a winner! sundancekid gets the hundered with the last password "winna". Congratulations and a warm welcome to the conference in Stockholm, June 21-24. We'll get in contact with you regarding registration. Sundancekid 108 points Thornmaker 99 points Ethicalhack3r 1 point Thanks everyone for the hard work and exciting end!
Forum: OMG Ponies
4 years ago
ManJIT
@sundancekid I browsed some BC version comments and there might (have) be(en) such issues. That's why we wanted to publish the exact code and BC version we produced the hashes with.
Forum: OMG Ponies
4 years ago
ManJIT
@chosi No, mixed alpha is a-zA-Z. åäöÅÄÖ are nice though :).
Forum: OMG Ponies
4 years ago
ManJIT
@sirdarckcat, @chosi I also tried with my default locale (sv_SE), US locale (en_US), and UK (en_GB) and I get the same result.
Forum: OMG Ponies
4 years ago
ManJIT
@sirdarckcat If I replace the strToHash on line 70 with the correct password the boolean expression in the conditional on line 71 becomes true. My workspace is set to UTF-8 if that helps.
Forum: OMG Ponies
4 years ago
ManJIT
@Reiners hasher.convertToUpperCaseHex(hasher.gost3411.digest("jZbTapryL".getBytes())) = E375ED0770C66195B6566987B41EF4B071F4EB5316B67D9638D4934CD3436DE8 != 16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971 ... according to the Java code supplied. So as far as I can see the compo is still open.
Forum: OMG Ponies
4 years ago
ManJIT
Phew, that's fast! But I can only confirm the cracked hashes. So we have pwd8 left to break -- GOST3411(pwd8 + "pryL"). Current standing: Thornmaker 99 points Sundancekid 8 points Ethicalhack3r 1 point ... and the final hash (GOST3411) gives 100 points so it's still an open game!
Forum: OMG Ponies
4 years ago
ManJIT
Yes, MD4(pwd3+pwd2) = lOOpGnu, so sundancekid earns another 5 points for a total of 8 points.
Forum: OMG Ponies
4 years ago
ManJIT
Yes, MD2(pwd2+pwd1) = GnuOWASP, so sundancekid earns 3 points. Good work!
Forum: OMG Ponies
4 years ago
ManJIT
Yes, LM(pwd1) = OWASP, so ehticalhack3r earns 1 point. As stated above -- the first one to publish a certain password *here* on sla.ckers earns the points. The email to me (John) is just to track progress and correct any misunderstandings. Good luck with MD2!
Forum: OMG Ponies
4 years ago
ManJIT
February's AppSec Research 2010 challenge is about breaking hashed passwords. It starts off easy with the old LM hash and ends with SHA256 and GOST3411. http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=Challenges *** How To Win (with a twist) *** The first one to publish each broken password gets points according to the table below but at the same time helps
Forum: OMG Ponies
4 years ago
ManJIT
@sirdarckcat More or less. But we didn't want to focus the rules to hard on file size since that would just make it into a gif compression challenge. So, we give you a list of increasingly complex payloads to squeeze into the gif without it _growing_ in size. If your gif is smaller than everyone else's, or if you manage to fit in even more JavaScript features in it -- well, I'm impressed! I
Forum: OMG Ponies
4 years ago
ManJIT
... and the first Google hit you get for "polyglot gif" is Jasvir's blogpost. ... and the second link in his blogpost points to the howto article. So no harm done IMHO.
Forum: OMG Ponies
4 years ago
ManJIT
We can take away the link but now you guys have seen it :). We just thought it would seem too hard if we didn't provide som guidance. Another cool thing with this challenge is that this polyglot will be a really cool showcase for talks on input validation and XSS. Your users are allowed to upload gif images but not JavaScript. Then someone uploads a polyglot ...
Forum: OMG Ponies
4 years ago
ManJIT
This is the official thread for OWASP AppSec Research Challenge 8 where you're supposed to consturuct an OWASP polyglot -- a gif image that can also be run as JavaScript! Show image: <img src="owasp_logo.gif"> Run script: <script src="owasp_logo.gif"></script> Rules and howtos here: http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_
Forum: OMG Ponies
4 years ago
ManJIT
You can email martin.holst_swende at owasp dot org. /ManJIT (aka John the conf chair)
Forum: OMG Ponies
4 years ago
ManJIT
OK, the October challenge is closed and we have at least two really cool effects. Be sure to join the conference mailinglist (https://lists.owasp.org/mailman/listinfo/appsec_eu_2010) if you want to know how this challenge ends _and_ hear about the coming challenges. /John
Forum: OMG Ponies
4 years ago
ManJIT
@sirdarckcat Some nice refinements there. Yeah, the star effect looks better than the circle. Works nicely in my FF. A rumor has it that TommyM is working on something really cool. He's been asking about games and someone said "sound" :P.
Forum: OMG Ponies
4 years ago
ManJIT
@sirdarckcat Version 3 is looking good. It's fine if it only works in FF 3.5 (that's what we stated in the rules). But I use Safari as my default browser so I just noticed the fireworks didn't work there.
Forum: OMG Ponies
4 years ago
ManJIT
FireworksIsNotABrowser_v2.js was cool. Did you copy-paste that one too? :P I guess not since you worked it out with the view over Stockholm Old Town. Works fine in my FF but not in Safari. Wonder why?
Forum: OMG Ponies
4 years ago
ManJIT
AFlyFlyingOverSweedenWithLettersOrbitingAroundItOhDidIEverToldUGuysThatILikeLongNamesYeahhhhhhhhh_v1.js is really nice (although currently to many chars)! A pity the letters are anti-aliased for white background. Maybe we should fix that ...
Forum: OMG Ponies
4 years ago
ManJIT
The Challenge 5 tab is the official test page. Nice work! Not really smooth on my MB Pro 2,33 GHz, FF 3.5.3 though.
Forum: OMG Ponies
5 years ago
ManJIT
Works fine with the link but not when I paste it in the URL bar for the AppSec Research 2010 wiki page. I haven't spent time investigating why though. Safari 4.0.3 on a Mac. Anyway -- a nice effect! And you have another 1000 chars to spend :).
Forum: OMG Ponies
5 years ago
ManJIT
Some 8-bit music along with that and I'll feel like a young teenager again :). Yeah, games are OK. But they'll be judged on gfx, originality, and coolness since we need to compare them with the gfx effects.
Forum: OMG Ponies
5 years ago
ManJIT
Yes, SVG is alright. /MJT (aka John Wilander, conf chair)
Forum: OMG Ponies
Current Page: 1 of 1