Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 

Results 1 - 19 of 19
4 years ago
_Andy
Thanks for the reply. Am I right in thinking that in that situation it would be the 'consumer' of the PDF that would be at risk, rather than the server itself? Not that that isn't a problem too of course. :]
Forum: OMG Ponies
4 years ago
_Andy
Hi there. Sorry for what's probably a stupid question but.. I vaguely remember when I was a kid (a looooong time ago) I had a tool that seemed able to embed an executable or a command line argument into a trusted file, so that when the trusted file was run the exe/cmd line was executed. The reason I'm asking is that a webapp one of our guys is putting together allows users to upload PDFs and I
Forum: OMG Ponies
4 years ago
_Andy
Hrm. I've just kicked off a spybot run, it deleted the temp files as usual and then a minute or two later I retried google.com and it's no longer serving the JS. Weird.
Forum: OMG Ponies
4 years ago
_Andy
Or, do what some Chinese guy/group did on the full disclosure mailing list. Make a fuzzer, but host it online. Market it as 'the best free fuzzer' etc in all the usual sec places. Have people go to your site, point it towards their insecure LIVE sites, sit back and watch as all these 'security specialists' populate your datastore with huge lists of their live XSS/SQL inj holes. When I saw
Forum: OMG Ponies
4 years ago
_Andy
Typing 'google.com' into the address bar forwards me to google.co.uk and my noscript alerts me that JS is being blocked. I check the alert and this is what it shows. That's a new one on me.
Forum: OMG Ponies
4 years ago
_Andy
Thanks for the reply. I've repeated it again this morning and the hashes are the same for all of the values I tried. It's probably worth trying from a different IP though, I hadn't considered that. Out of interest, I'd originally assumed the hashes would be unique to each transaction, so you wouldn't be able to do something like this. Is that right, or am I getting it confused with somethi
Forum: CSRF and Session Info
4 years ago
_Andy
I found a trivially located hack in a site I'm testing. Basically at one point data is sent to the server that includes a 'price' value and a 'price_hash' value. Now, if you mess with the price value you get the expected error due to the hash. However if you put through an order for £10 worth of goods, record the hash, restart, fill up with huge amounts of product then replace the new price
Forum: CSRF and Session Info
4 years ago
_Andy
That makes perfect sense. Unfortunately hxxp://domain/ShowTXT.aspx?name=prefs.txt%00 doesn't return anything (errors are suppressed)
Forum: SQL and Code Injection
4 years ago
_Andy
Hi there I have an injection of the form hxxp://domain/ShowTXT.aspx?name=<textfilename> This is being used as something like FileStream fs = File.Open(textfilename & ".txt") that's then sent to the browser. Eg hxxp://domain/ShowTXT.aspx?name=prefs or hxxp://domain/ShowTXT.aspx?name=../TXT/prefs will return me the prefs.txt file. Do you th
Forum: SQL and Code Injection
5 years ago
_Andy
barbarianbob Wrote:
> Try putting in a \
> If it's not escaped, you might have an entry point.
> Also, how do you know it's being converted? Do you see the created query?
> Is the password the same as you type in, or is it hashed?
Hi there, thanks for the response. I'll try escaping with \ but I had
Forum: SQL and Code Injection
5 years ago
_Andy
Hi there. I have the following SELECT * FROM Users WHERE ID ='<Username>' AND Password='<Password>' However, the validation is replacing ' with ''. This seems like it shouldn't be too tricky to work around, but I've been trying to think of a way to escape them or put something in there that doesn't require them and come up blank so far. Any ideas?
Forum: SQL and Code Injection
5 years ago
_Andy
It looks like the query is using a read only account and so xp_cmdshell wasn't being enabled. Though, I think the permissions in the live environment may well have write access so that's good enough to beat the devs with. :) Thanks very much everyone, your help's much appreciated and should definitely help me demo the theory.
Forum: SQL and Code Injection
5 years ago
_Andy
I've just tried wireshark to try and detect the ping, but it's not picking up any ICMP packets, which I _think_ the ping should come under.
Forum: SQL and Code Injection
5 years ago
_Andy
Hi there, I'm a novice at this, so bear with me. I've found a blind SQL injection hole in one of our websites. I used 1';EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;waitfor delay '0:0:30';-- to attempt to enable xp_cmdshell. Now, I need to try and confirm that it's active. I used 1';exec master..xp_cmdshell 'dir+c:+>+c:\
Forum: SQL and Code Injection
5 years ago
_Andy
ARGH! :D I tried something like that on Firefox with no luck. I thought it could be an IE-specific thing but for some reason IE won't let me view source on that stage and so avoided it hoping I'd manage something in FFox. Just so I'm right in my thinking, the `` deals with the value (attribute) value, and / is being accepted as a delimiter allowing you to put the event in? Also, is it the
Forum: XSS Info
5 years ago
_Andy
I know this is a bit old, but does anyone know the solution for stage 12? ( http://xss-quiz.int21h.jp/stage_no012.php? ) I had no trouble with the others but can't seem to get past this one and it's driving me nuts.
Forum: XSS Info
5 years ago
_Andy
Hi there. I'm helping locate vulnerabilities on one of our old sites and found something I thought worth having a double-check of. For the URL hxxp://server/Login/error.aspx?Mesg=URL_INSERTED_MESG&Type=System.FormatException it echoes the text to the page as follows <span id="lblMesg">URL_INSERTED_MESG</span> It would seem a likely entry point, however f
Forum: XSS Info
6 years ago
_Andy
A little more info hxxp://site.com/index.php?param1=2&param2=5%20union%20select%20*%20from%20BAD_TABLE_NAME Gives "Database query failed: Table 'db.BAD_TABLE_NAME' doesn't exist" hxxp://site.com/index.php?param1=2&param2=5%20union%20select%20*%20from%20GUESSED_TABLE_NAME Gives the original page
Forum: SQL and Code Injection
6 years ago
_Andy
Hi there. A friend (new to web development) asked me to take a look at his site. The only entry point I can see is a URL parameter he uses in the form... hxxp://site.com/index.php?param=1 Using hxxp://site.com/index.php?param=foo gives "Database query failed: Unknown column 'foo' in 'where clause'" Using hxxp://site.com/index.php?param=1' or 1 = 1
Forum: SQL and Code Injection