If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 

Results 1 - 16 of 16
6 years ago
EWSec
<soapbox> Ha! The Great Hadron Collider will once and for all put to sleep the ridiculous theories of "dark matter", "dark energy", "black holes" and other similar pseudo-scientific nonsense that exists solely to patch up their incompetency as scientists. For anything they don't understand, they invent ridiculous math-only models that have NO, and I repeat
Forum: OMG Ponies
6 years ago
EWSec
@Gareth, TP-Link Wifi thingy.... I googled to see if there is a relationship with Netgear, one page said it's actually a Netgear brand, but the funny thing is that Google warned me not to visit tp-link.com as it may contain malware.... Ok, now THAT got my attention. Is there a known vuln with these toys?
Forum: News and Links
6 years ago
EWSec
Try OR 1=1
Forum: SQL and Code Injection
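The one-line hint above is the classic tautology injection. The following is an added example, not code from the original thread or from sla.ckers.org, showing why `OR 1=1` works against a login query built by string concatenation, why the naive form of the payload sometimes fails because of AND/OR precedence, and how a parameterised query shuts it down. The table contents, the column names and the `login_vulnerable`/`login_safe` helpers are all constructed for the demo (passwords are stored in clear text only to keep the example short; a real application stores a salted hash).

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (demo data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string formatting: user input becomes SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_payloads(conn):
    """Try three shapes of the OR 1=1 payload against both login functions."""
    cases = {
        # username = '' OR 1=1 --' AND password = 'x'   (rest commented out)
        "comment_in_username": ("' OR 1=1 --", "x"),
        # username = 'admin' OR '1'='1' AND password = 'x'
        # AND binds tighter than OR, so this is admin OR (true AND false): fails
        "tautology_in_username": ("admin' OR '1'='1", "x"),
        # username = 'x' AND password = '' OR '1'='1'
        # (false AND false) OR true: succeeds without a comment
        "tautology_in_password": ("x", "' OR '1'='1"),
    }
    return {
        name: (login_vulnerable(conn, u, p), login_safe(conn, u, p))
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in run_payloads(make_db()).items():
        print(f"{name:24s} vulnerable -> {vuln!r:10} parameterised -> {safe!r}")
```

Note the middle case: whether a bare `OR '1'='1'` bypasses the check depends on which field it lands in, because `AND` is evaluated before `OR`. The `--` variant does not care, which is why it is the usual first probe. The parameterised version returns nothing for all three, because the quote and the comment marker are passed to SQLite as literal characters inside a bound string.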
6 years ago
EWSec
The first step in avoiding a trap is knowing of its existence. -- Mentat Tufir Hawat. The first step in hacking someone is knowing their router model. -- Tinfoil-Hatter In other words, I ain't gonna tellsya my router vulns. But I'll tellsya it protects itself with HTTP-Auth. That's good, right?
Forum: News and Links
6 years ago
EWSec
LoL! Try googling for "guestbook", then jump to a high page number, say 10. Google will sport an error page accusing you of being malware. :) Or try a direct URL like: h77p://www.google.com/search?q=guestbook&hl=en&start=120&sa=N
Forum: OMG Ponies
6 years ago
EWSec
Hehe.... I bet some of them are honeypots.
Forum: Full Disclosure
6 years ago
EWSec
In response to this post: http://ha.ckers.org/blog/20080202/subversive-js-for-filesharing/ Well... intrigued by the idea, I started writing a demo application, as time permits. So, my design defines the following parameters: 1. The "client" is a machine to which a file needs to be delivered. The client knows which files exist on the server and/or periodically updates the list.
Forum: XSS Info
6 years ago
EWSec
Yeah, I called them (the bank), even sent an email to their IT department. The guy I was talking to actually pretended to care and understand the issue, asked me to elaborate everything and suggest actions to be taken. I believe he was not even in the mood to give me the first four points of your list, Thrill. :) But then again, I really don't care. I don't allow GA scripts so any attack from t
Forum: XSS Info
6 years ago
EWSec
Ash nazg durbatulûk ... so basically, we're waiting until "burzum-ishi krimpatul", LoL! But this is not funny! Really. Something has to be done. ;)
Forum: XSS Info
6 years ago
EWSec
Hehe, yeah, it has the ability to turn interwebs into lolwebs. :) Perhaps next year something like that will happen. This year is reserved for patent wars, given how the year started. Next year, the social networking and various APIs will be mature enough and widespread that hacking entire net will become much easier. It is incredible how many sites use Google Analytics. I never noticed it b
Forum: XSS Info
6 years ago
EWSec
Yeah... that's true. But if anyone has access to the hashes, s/he is in position to inflict far greater damage, rendering the salt a trivial protection.
Forum: CSRF and Session Info
6 years ago
EWSec
Yeah if you had just a hash and nothing else, which is an "ideal" lab condition. But in the context of web apps and their interaction with databases, there are (at least) two channels to "attack" a password: 1. Using the login form processor -- but whatever you supply there will be combined with salt anyway, so having it or not having it is all the same for this channel.
Forum: CSRF and Session Info
6 years ago
EWSec
One can use database-based sessions. If you're on a shared host that means you don't have enough traffic to warrant a dedicated host, so a query per hit won't be too much of an overhead. If you're on dedicated, then you don't have problems with the default file-based sessions, or you can use memcached or apc to speed up session handling. Speaking of your original question and security for returning u
Forum: CSRF and Session Info
6 years ago
EWSec
I'm posting this under CSRF and Sessions, because I didn't know where else. :/ I don't get it. What's the point of salting passwords, in the context of webappsec? Client-side salting makes no sense, and server-side is pointless because it has to be stored somewhere, associated with the password, so if anyone breaks into the server, they can see the salt, so it breaks the purpose... Perso
Forum: CSRF and Session Info
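The three posts above (the original question about what salting buys you, and the two replies about an attacker who already holds the hashes) are arguing about attacker cost. The following is an added example, not code from the thread, that makes the cost concrete: the same weak password for several users is hashed once without a salt and once with a random per-user salt, and a wordlist attack is run against both. Everything here (the user names, the wordlist, the `crack_*` helpers and the low iteration count chosen to keep the demo fast) is constructed for illustration; PBKDF2-HMAC-SHA256 is used as the salted construction because it is in the standard library, not because the thread names it.

```python
import hashlib
import hmac
import os

# Deliberately low for the demo; production code uses a much higher count.
DEMO_ITERATIONS = 1000


def unsalted_hash(password):
    """What the original question describes as 'just hashing': no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=DEMO_ITERATIONS):
    """Return (salt, key). A fresh 16-byte random salt is drawn per user."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def verify_password(password, salt, stored_key, iterations=DEMO_ITERATIONS):
    """Recompute with the stored salt; constant-time compare of the result."""
    _, key = hash_password(password, salt, iterations)
    return hmac.compare_digest(key, stored_key)


def build_user_table(users, password, iterations=DEMO_ITERATIONS):
    """Constructed account table: every user picked the same password."""
    return {u: hash_password(password, iterations=iterations) for u in users}


def crack_unsalted(stored_hashes, wordlist):
    """One precomputed table serves every user: cost is len(wordlist)."""
    table = {unsalted_hash(w): w for w in wordlist}
    work = len(wordlist)
    found = {h: table[h] for h in stored_hashes if h in table}
    return found, work


def crack_salted(records, wordlist, iterations=DEMO_ITERATIONS):
    """Each salt forces a separate pass: cost is up to len(users)*len(wordlist)."""
    found, work = {}, 0
    for user, (salt, key) in records.items():
        for guess in wordlist:
            work += 1
            if hash_password(guess, salt, iterations)[1] == key:
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    wordlist = ["password", "123456", "qwerty", "letmein"]  # constructed
    plain = [unsalted_hash("letmein") for _ in users]
    print("unsalted hashes identical:", len(set(plain)) == 1)
    print("unsalted crack:", crack_unsalted(plain, wordlist))
    salted = build_user_table(users, "letmein")
    print("salted keys identical:", len({k for _, k in salted.values()}) == 1)
    print("salted crack:", crack_salted(salted, wordlist))
```

The point the replies are circling: the salt is not secret and does not need to be. Holding the hashes lets the attacker mount an offline guessing attack either way; the per-user salt removes the shared precomputed table and makes identical passwords indistinguishable in the dump, so the work scales with the number of accounts rather than being paid once. The slow KDF then multiplies the per-guess cost on top of that.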
6 years ago
EWSec
Come to think of it, the problem is actually very serious, including the adwords that you mention. Because one does not need to hack the server. All it takes is to hack victim's nearest DNS node (or ISP's DNS cache) and patch google's domain names to arbitrary, infected IPs.
Forum: XSS Info
6 years ago
EWSec
Hi all! One question. I just realized that my online banking system (belonging to the bank where I'm a client) is using Google Analytics javascript. The system is actually loading up the ga.js from google-analytics.com, even if via HTTPS. So... how pissed should I be, and should I call them and start yelling? :) I mean, anyone at Google can modify the script and "insert" mali
Forum: XSS Info