Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 

Pages: 12Next
Current Page: 1 of 2
Results 1 - 30 of 42
4 years ago
clayfox
If you really want your car to run, then learn how to fix it / how it works. If you don't do it yourself, then you are at the mercy of those who are likely to cut corners (web app developers and mechanics are actually great analogies). If you're okay with your car occasionally breaking down, then just go to the shop and let someone else handle it. If you're okay with occasionally being hacked
Forum: OMG Ponies
4 years ago
clayfox
Assuming that you log the victim into your account by storing a cookie on their browser (and not going through the login process via CSRF), you can restrict the path of that cookie to the page where the XSS hole is. Send them there while they are logged in as themselves (for the rest of the site) and you have an XSS jumping off point for CSRF attacks against their account.
Forum: CSRF and Session Info
4 years ago
clayfox
We could create a reality show called Ignorant Belligerence. To get on the show, people would have to pass several challenges. What we see here is one of those challenges and it is passed by believing that Facebook has actually turned into a news blog, it won't let them log in, and they post quite belligerently about it. Today on Ignorant Belligerence, our special individuals are blindfolded. L
Forum: News and Links
4 years ago
clayfox
I assumed that there were different logins for bugs.targetsite.com and www.targetsite.com, and that the victim was already logged into www.targetsite.com. If not, then CryingWolf isn't just crying wolf. ;)
Forum: CSRF and Session Info
4 years ago
clayfox
This flaw exists in most authentication systems I see, but I've had trouble convincing people (including myself) that it's really a problem. The attack can be just a CSRF which submits the attacker's credentials to log in the victim and then redirects them to the site. Many to most authentication schemes don't have nonces in the login form. What attacks does this allow? I see a few: 1. Gett
Forum: CSRF and Session Info
4 years ago
clayfox
A simple fix for anyone currently responding with vulnerable JSON would be to wrap it in {"data":original_JSON}. This way it will always cause a SyntaxError when pulled in via a <script> tag. Anyone know any attacks on SyntaxError?
Forum: CSRF and Session Info
4 years ago
clayfox
Now I don't think you are understanding me. These JSON attacks are only related to responses that contain only JSON. JSON comes in two flavors for our purposes: either it starts with '{' or it starts with '['. Only the latter will be a valid js statement, so only the latter is attackable. The old attacks of overwriting the constructor are no longer valid since modern browsers don't use those co
Forum: CSRF and Session Info
4 years ago
clayfox
For the injected utf-7 encoded javascript to execute, the JSON returned (or really anything that is returned) must be valid js statements up to the injection point. So, other than in Opera, there aren't "known" javascript hijacking attacks in current browsers when the data returned is a js literal object (ie starts with '{') or when there isn't an injection point into the data returne
Forum: CSRF and Session Info
4 years ago
clayfox
Let me clarify my understanding of the attack. There is some JSON created which contains some data under the attacker's control and some other sensitive info. Somewhere <script src="json_location" charset="utf-7" /> exists. When it is hit, the XSS payload in the JSON will execute. I have to assume that the script tag is on a malicious site which a valid user has
Forum: CSRF and Session Info
4 years ago
clayfox
Either I am still not getting it, or the UTF-7 issue has nothing to do with javascript hijacking. Javascript hijacking is an attack to steal the data returned as pure JSON. The UTF-7 issue is an XSS attack. While the CSP workaround is cool, I don't think it is pertinent here. Opera being vulnerable is very pertinent. Does anyone know what versions of firefox and IE this is unpatched in? A
Forum: CSRF and Session Info
4 years ago
clayfox
I looked at the two links you provided. The twitter attack seems outdated (except in Opera), and I didn't follow the CSP/UTF-7 attack (mainly because I don't know what CSP stands for). What is CSP? Can you explain the UTF-7 attack which still works in firefox?
Forum: CSRF and Session Info
4 years ago
clayfox
In Firefox 3.5 ... Everything I read about javascript hijacking seems to be out of date (or was always wrong). Everything is saying overwrite the Object or Array constructor, but the object and array constructors don't get executed for literal object/array syntax. JSON: [["one","two"],["a","b","c"]] <script src="page_returning_json"
Forum: CSRF and Session Info
4 years ago
clayfox
The 40 character string definitely screams SHA1. I think you were correct in thinking that the input is hashed with something else. That something else is often the IP address. Try hashing the input with the IP concatenated on the beginning or the end.
Forum: CSRF and Session Info
4 years ago
clayfox
If the domain and path of the cookie are set at a high level of generality and you have multiple subdomains, then you don't just have to worry about XSS in the domain in question, but rather all subdomains since they will all have access to the cookie.
Forum: CSRF and Session Info
4 years ago
clayfox
There should be a "be on your best behavior" sign for things like this. Just hang it in places where you don't want people to misbehave. Perfect security.
Forum: OMG Ponies
4 years ago
clayfox
You might try going at it from the opposite direction. Instead of stealing their cookie, you could store a cookie on the victim's browser, have them authenticate, and then use that cookie (Session Fixation). Having an XSS hole into anywhere within the domain (subdomains, sister-domains, superdomains) gives you the ability to store a cookie with the most-super domain which will then get submitte
Forum: XSS Info
5 years ago
clayfox
It might be easier to send No referer instead of a spoofed referer. Often referer checks are bypassed by sending no referers.
Forum: CSRF and Session Info
5 years ago
clayfox
@thrill- kno.ckers
Forum: OMG Ponies
5 years ago
clayfox
<rant> After some preliminary searching, I find that the FICO algorithm is proprietary. WTF! Also, I find a bunch of info saying that Equifax, TransUnion, and Experian use different algorithms. I also found sites saying that they all use the same FICO algorithm but potentially have different data points. My free-information hackles don't get raised at much, but they were going wild about
Forum: OMG Ponies
5 years ago
clayfox
A few random statements: - You say that it is put in the query string. The query string is everything in the URL after the question mark. Is this in the query string, or the POST body of the HTTP request? - If it is part of the request, then the obfuscation is happening on the client side. Do you have access to the page that the request is being sent from? If so, look for client side scripts.
Forum: CSRF and Session Info
5 years ago
clayfox
Wow! This should be fun. Looks like there is plenty to test. I'll report anything I find ... eventually.
Forum: CSRF and Session Info
5 years ago
clayfox
I was inspired by http://sla.ckers.org/forum/read.php?2,29547,29656#msg-29656 so I figured I would see if other "browser protocols" have exploitable pieces. I am posting here at the start of the idea. I would like to gather a list of the "browser protocols" out there and then test them for XSS, click-jacking, and CSRF attacks. I have started testing Firefox and Chrome.
Forum: CSRF and Session Info
5 years ago
clayfox
Nonce is the combination of the words "Number" and "Once". A nonce by definition is only used once, otherwise it is generally referred to as a token or key. Systems that allow that sort of behavior are using tokens, not nonces.
Forum: CSRF and Session Info
5 years ago
clayfox
I don't think that will work for nonces, but for persistent tokens that could be a great idea. One problem with the usual brute force techniques is that your invalid attempts get logged. This would be a way around that since it wouldn't hit the site you are attacking, just the user. This wouldn't work for nonces, because they will only show up once they are used.
Forum: CSRF and Session Info
5 years ago
clayfox
Did the flash exploit add the "Set-Cookie" header to the response?! That would have been a global header injection attack, like the old global XSS attack on PDFs. Thanks for that article. It answered a lot of my questions specifically about browser cookie limits, what parts of the spec browsers don't enforce, and which cookie a browser will use in a conflict.
Forum: CSRF and Session Info
5 years ago
clayfox
Good point. Perhaps its use would have to be more targeted, like CSRF on admin accounts, or spear-phishing attempts. Setting the path specific to one function is a great idea! For an attack where you get someone to submit an answer under your account, you could set the cookie path as "/path/to/submission/page.php" for example. That would cause your cookie to get submitted only with an
Forum: CSRF and Session Info
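The cookie-scoping rules behind several posts in this thread (a broadly scoped Domain cookie is readable and settable from every subdomain, a session-fixation cookie planted from a subdomain XSS reaches the whole site, and a Path restricted to one page such as /path/to/submission/page.php makes the cookie travel only with that request), as an added example that is not part of the thread. It implements the domain-match and path-match rules of RFC 6265 sections 5.1.3 and 5.1.4 over a constructed cookie jar; the jar contents, hostnames and function names are assumptions, and the public suffix list (which stops a site from setting cookies for `com`) is deliberately left out.

```javascript
// Added example (not from the sla.ckers thread): which cookies does a browser
// attach to a request, and which Domain values can a page on a given host set?
// Node.js; the jar below is constructed for illustration.

// RFC 6265 5.1.3: host equals the cookie domain, or is a subdomain of it
// (and is not an IP address).
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === cookieDomain) return true;
  return host.endsWith('.' + cookieDomain) && !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

// RFC 6265 5.1.4: request path equals the cookie path, or the cookie path is a
// prefix that ends in '/' or is followed by '/' in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Cookies the browser would send to url, by name. hostOnly cookies (no Domain
// attribute) go to exactly the host that set them.
function cookiesSentTo(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
    .filter((c) => pathMatches(u.pathname, c.path))
    .map((c) => c.name);
}

// Can script running on originHost set a cookie with this Domain attribute?
// Browsers accept any domain the host domain-matches (public suffixes aside),
// which is why an XSS on bugs.targetsite.com can plant a targetsite.com cookie.
function canSetDomain(originHost, domainAttr) {
  return domainMatches(originHost, domainAttr);
}

// Constructed jar: a site-wide session cookie set with Domain=targetsite.com,
// a host-only cookie set by bugs.targetsite.com, and a fixation cookie scoped
// to a single submission page as the post above suggests.
const JAR = [
  { name: 'sess_wide', domain: 'targetsite.com', hostOnly: false, path: '/' },
  { name: 'sess_host', domain: 'bugs.targetsite.com', hostOnly: true, path: '/' },
  { name: 'fix_submit', domain: 'targetsite.com', hostOnly: false, path: '/path/to/submission/page.php' },
];
```

The path rule is a prefix match with no trailing-slash magic for files, so `/path/to/submission/page.php` does not leak to `/path/to/submission/page.phpx` but would be sent to `/path/to/submission/page.php/anything`; and because path scoping is not a security boundary between same-origin pages, it only limits which requests carry the cookie, not which scripts can read it.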
5 years ago
clayfox
@thornmaker - you win. I just checked, and hackingforicecream.com is an available domain name.
Forum: OMG Ponies
5 years ago
clayfox
This could be used for swatting too. If electricity usage goes above a certain threshold in certain areas, it is enough cause for a drug growing investigation.
Forum: OMG Ponies
5 years ago
clayfox
Perhaps we should just create fake identities for our Ponies and use them as the first time home buyers. The lucrative part of this scheme would be selling 1000 one square foot lots each for $80,000, giving $79,000 back to each buyer who then gets $8000 for a net gain to the buyer of $7000, and a net gain to the seller of $1,000,000. What other fraud schemes have you all encountered or thoug
Forum: OMG Ponies
5 years ago
clayfox
A few difficulties to get past: - You must be a first-time home buyer. - The credit is for $8000 or 10% of the home value, whichever is less. - The house must be your primary residence for at least 3 years. Here's the fraud scheme: Person A buys a house for $80,000 from Person B. Person B gives all but their fee (less than $8000) back to Person A. Person A claims the $8000 tax credit. Per
Forum: OMG Ponies