Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 

Pages: 12Next
Current Page: 1 of 2
Results 1 - 30 of 56
5 years ago
Delixe
Unfortunately, PHP applications do not permit multiple queries like that.
Forum: SQL and Code Injection
5 years ago
Delixe
Hey there guys, I was having trouble with something the other day, how exactly can you do any useful SQL Injection with a query that is like: SELECT * FROM table WHERE title LIKE '%asdf%' GROUP BY some_field ORDER BY some_field_2 ASC LIMIT $limit where the injection point lies in $limit. You cannot do a UNION because you need to have both subqueries wrapped in parenthesis since an O
Forum: SQL and Code Injection
5 years ago
Delixe
Thought you might be interested: http://www.sociablecode.com/2008/05/15/opensocial-a-global-unparalleled-security-risk/
Forum: News and Links
6 years ago
Delixe
You can paste and try this to see my PoC slowly getting more interesting... "><script src="http://outquib.com/js/xss.js"></script>
Forum: XSS Info
6 years ago
Delixe
I found a fairly simple XSS vulnerability in facebook just now. This vulnerability appears to be in their politics application (http://www.facebook.com/politics/index.php). On facebook, they have a feature called the sound board, quite similar to status updates. Pasting the vector: "><script>alert('test');</script> within the sound board creates a possible XSS vector on y
Forum: XSS Info
6 years ago
Delixe
updated it. thanks, wow stupid me and the ent_quote issue heh
Forum: XSS Info
6 years ago
Delixe
Hey guys I made a class to easily secure output in your views for PHP: <?php /* * @author: Suhail Doshi * Created: 12/12/2007 */ class SecureHelper { public $ent_quotes = true; public $all_entities = true; public $charset = 'UTF-8'; /* * @param mixed $data Can be an array or any value possible in PH
Forum: XSS Info
6 years ago
Delixe
Try: <sc<script>ript<script>>javascript:alert('test');</sc</script>ript</script>> Or something of that nature.
Forum: XSS Info
6 years ago
Delixe
So a wysiwyg generally outputs HTML and POSTs it onwards. In will generally create <td>, <b>, <img>, etc tags. How exactly do you go about securing this without destroying how the content looks ni the HTML?
Forum: XSS Info
6 years ago
Delixe
Apparenetly CakePHP has an implementation that strips away but keeps the HTML intact: http://api.cakephp.org/1.2/helper_8php-source.html#l00214 00694 function __clean() { 00695 if (get_magic_quotes_gpc()) { 00696 $this->__cleaned = stripslashes($this->__tainted); 00697 } else { 00698 $this->__cleaned = $this->__tainted; 00699
Forum: XSS Info
6 years ago
Delixe
I don't think it's fair to test it's security at this point, I think full disclosure is fine but they are really saying it's an alpha--they expect holes.
Forum: Full Disclosure
6 years ago
Delixe
PoC -> http://opensocialdemo.ning.com/profile/Suhail Image: My Profile -> Account -> City It's vulnerable in the City field with the vector "><script>alert(document.cookie);</script> Ning is supposed to be closing it in the next round of patches I believe.
Forum: Full Disclosure
6 years ago
Delixe
How is the feedlist everyone?
Forum: News and Links
6 years ago
Delixe
Now would be a good time to check out the feed list and watch the news roll in in like crazy throughoutt he week, enjoy everyone! This was actually made for you and me a while ago when I was fed up of reading 10+ blogs. =)
Forum: News and Links
6 years ago
Delixe
There will be shortly to registered users to get a personalized feed based on the interests you provide actually.
Forum: News and Links
6 years ago
Delixe
Same here, I read your blog avidly. I even indexed it on my site. I remember you providing some funny advertising for my site fiercefeeds.com remember?
Forum: News and Links
6 years ago
Delixe
I agree but I found that, that is the best way to do it. Some feeds do not provide you a timestamp unfortunately. Edit: A correction has been made, from now all feeds inputted will retain a timestamp if provided, if not they are given our own timestamp. This should fix all future problems.
Forum: News and Links
6 years ago
Delixe
Oh I am sorry, I just added a few more feeds on saw on this website from a few people. When I added the feed it indexed all their content. Believe me you do get fresh new content, I just added a few new feeds that's all. It starts off pretty new here: http://www.mixpanel.com/search/category/Security/default/4 ^ that's going to change as we index more stuff in a few hours though I am sure.
Forum: News and Links
6 years ago
Delixe
Hey guys, I've created a massive feed list of hacking related blogs that stay on topic all the time: http://www.mixpanel.com/search/category/Security If you need news quickly throughout the day, feel free to hit that up--I know it can be cumbersome to visit 5-10 different blogs a day. If you see a feed that you read about all the time that's not there, feel free to submit it on the websit
Forum: News and Links
6 years ago
Delixe
screw it all, go django!
Forum: News and Links
6 years ago
Delixe
Well, I was wondering how long it would take but it finally happened: Syngress.Cross.Site.Scripting.Attacks.XSS.Exploits.and.Defense.May.2007-BBL.torrent Your book is going to be spreading around like wild fire: Cross Site Scripting Attacks starts by defining the terms and laying out the ground work. It assumes that the reader is familiar with basic web programming (HTML) and JavaScript.
Forum: News and Links
7 years ago
Delixe
ha I got a working XSS vector on IE7 at the least. It's actually quite funny how, apparently, IE7 actually gets screwed with: xx:expression(alert(1111)); It appears that the browser gives the message box complete control and continuously pops up. You have to actually end task IE7 just to get it working again. Cute DoS to the user with this XSS vector. I don't know if it's facebook or the vec
Forum: XSS Info
7 years ago
Delixe
Yes but how is possible to execute any XSS without a native <script> tag? I can't use the < in my URL, it gets stripped completely.
Forum: XSS Info
7 years ago
Delixe
Could you elaborate how this could be used maliciously, I am not seeing the light...
Forum: XSS Info
7 years ago
Delixe
A site I know is fairly vulnerable, namely called Facebook :P. Unfortunately, facebook is smart enough to some extent that it filters the < character. Is there anyway to bypass this or do I need to move on?
Forum: XSS Info
7 years ago
Delixe
Think of Apollo as a new type of application framework. Instead of having to know .NET, C/C++, Java, web developers have been linked to the desktop through Apollo by being able to create applications in about the same manner. I would definitely say you active desktop could easily be replaced by any Apollo Application and would increase in functionality by ten fold. You guys should really see th
Forum: News and Links
7 years ago
Delixe
Apollo is very interesting. I'd like to see what security issues it will have in the future. Right now I wouldn't take the time to learn it quite yet unless you're already developing applications in Flex. If you want to see some examples of Apollo Applications, feel free to check out my forum dedicated to Apollo: http://www.codeapollo.com (Shameless plug). I personally think Apollo is defini
Forum: News and Links
7 years ago
Delixe
Oh of course--I completely forgot about that. Thank you.
Forum: XSS Info
7 years ago
Delixe
Doesn't really do anything, I change the URL and nothing really occurs. Loads the site in an iframe and...nothing.
Forum: OMG Ponies
7 years ago
Delixe
Ah that implies that the XSS vector is on Digg's page where the token can even be found in the first place....Sounds like it's tough then if the XSS is on another page where the token is no where to be found...
Forum: XSS Info
Pages: 12Next
Current Page: 1 of 2