sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 

Current Page: 1 of 12
Results 1 - 30 of 359
4 years ago
rvdh
Very nice find LeverOne! Another reason to zap JS LiveConnect from browsers altogether.
Forum: XSS Info
4 years ago
rvdh
The difference between noobs and n00bs: hxxp://127.0.0.1 & hxxp://loopback
Forum: Vendor Talk
4 years ago
rvdh
Gareth Heyes :| How did you find my homepage at 127.0.0.1!
Forum: Vendor Talk
4 years ago
rvdh
Curious, I pulled it from memory I'm sure I read it somewhere on a bugtraq not too long ago where someone had a similar issue that gave the same error BUT with these settings: allow_url_fopen=On allow_url_include=Off But (always one isn't there) it might be different on IIS than it is on *NIX. If memory serves me well, he used IIS. Might be interesting to see what the difference exactly wa
Forum: SQL and Code Injection
4 years ago
rvdh
But knowing this, it's easy to understand why so many victims fall for phishing. He could easily deface his own site with a facebook login form (even if it doesn't look like facebook, because google brought them there so it's trusted) and grab their credentials.
Forum: News and Links
4 years ago
rvdh
I do the same, it's easier to hit the search than to type the URI *shrugs*
Forum: News and Links
4 years ago
rvdh
Reiners Wrote: ------------------------------------------------------- wrong. if they were enabled, you would not get a "timed out" error but an error like the following: http:// wrapper is disabled in the server configuration by allow_url_include=0 Partly true, but it solely relies on the PHP.ini settings; allow_url_fopen might be set to ON, but allow_url_include might be set to O
Forum: SQL and Code Injection
4 years ago
rvdh
Yeah, most folks have enough trouble administrating 1 box (their own) let alone thousands of boxes. There is no way you can secure them all effectively. Imagine the horror of a patch schedule for all those boxes. It would imply they need at least 1 guy administrating 10 to 20 boxes or they lose track. That's a lot of guys, all working in different departments, different skills, no web application
Forum: News and Links
4 years ago
rvdh
There is a relay which allows sending mail in Google's name. Wrote about it some time ago. It's a "tell-a-friend" form on Google.
Forum: Search Engine Hacking and SEO
4 years ago
rvdh
Only in Indiana, Hoosier state.
Forum: Networking
4 years ago
rvdh
Yah sorry my box is offline. I've uploaded it to my company server: PHP version: http://www.scarletred.nl/stuff/symbols.txt JS version: http://www.scarletred.nl/stuff/symbols.js JS version is used in my new FireFox extension that performs source scanning.
Forum: Projects
4 years ago
rvdh
LMAO I can see where this thread is heading.
Forum: Projects
4 years ago
rvdh
Just load an iframe with your hosted flash app for extra lulz: http://video.vtunnel.com/videoplayer/vdgCK1VeD8f/yupp/flvplayer.swf?file=http://thepureporn.com/vids/shower.flv
Forum: Projects
4 years ago
rvdh
It's been done. And filtering on country doesn't work. It only impairs usability, adding no value whatsoever against phishing. More common is IP restriction which does work. You may allow users to add multiple IPs in their account for example, and restrict on those. I've made a couple of apps that restrict on the IP they signed up with, with a request form if they change provider.
Forum: Projects
4 years ago
rvdh
RonPaul Wrote: ------------------------------------------------------- > no luck, if anyone wants to help me on their own > plz message me > if it means anything its on an army website Obviously allow_url_fopen & allow_url_include are disallowed if you bothered to interpret the errors it gave you back. LFI seems the only way here. And you might also want to figure out if they u
Forum: SQL and Code Injection
4 years ago
rvdh
Why did you choose web goat to be your goat?
Forum: SQL and Code Injection
4 years ago
rvdh
Yes this has been the case for ages on their networks, apparently they simply gave up administrating tons of boxes all over the place, somehow I can relate.
Forum: News and Links
4 years ago
rvdh
Let me clarify the isapi rewrite method. If a call is made to an xslt file without the proper referer (i.e. the script that calls it, like an XML file) you could deny the request. Same with the XML that is called inside another page. This way you can't call the XML/xslt directly, only through an authenticated script that executes/requests it. That's how I would solve it. Yes you could spoof th
Forum: Full Disclosure
4 years ago
rvdh
I'm no IIS administrator, but I guess it depends if it is run from an intranet, you could apply or deny rights to it. Another option is IP (range) restriction, and/or check for the proper referer through an Isapi rewrite module like isapirewrite (paid module). Or indeed as kuza55 said, is to write a small proxy-script (not necessarily a real proxy) that does this for you.
Forum: Full Disclosure
4 years ago
rvdh
Excellent work man. I hope more people now realize the dangers of rand() and mt_rand() in PHP scripting, especially when they are broadcast into a URI. Good to see practical examples coming forth.
Forum: Full Disclosure
4 years ago
rvdh
It can't. If it's supposed to run as an external javascript too, editing the gif with a hex-editor means that you must comment out the GIF89a header because it contains illegal characters for javascript that is included through script. If you are to write all the gif data byte for byte by javascript then it doesn't work as an image. Edit: Never mind I just read the post @ http://www.thinkfu
Forum: OMG Ponies
4 years ago
rvdh
xlsheet.setProperty("AllowXsltScript", true);
Forum: Full Disclosure
4 years ago
rvdh
@lukethedrifter That's pretty funny actually, never thought about that. LOL
Forum: News and Links
4 years ago
rvdh
CSRF is like setting booby-traps, i.e. usually implies pranking rather than serious malicious damage. But you talk about legal issues, then you first must determine the difference between legal and lawful. I think you meant lawful, because breaking legality isn't necessarily an unlawful act. Legal means a rule by society, conduct. Calling people names can be illegal according to consensus, but doe
Forum: XSS Info
4 years ago
rvdh
Now I rewrite errors myself to a utf-8 text file, and it still happens. Ghost in the machine.
Forum: Obfuscation
4 years ago
rvdh
yes and no teh inpuds forms haz no secure wen c0de is nothing from securities eh?. But not sure about tho, but I know is it based on CEESURFING somhow.
Forum: CSRF and Session Info
4 years ago
rvdh
CSRF does not exist, it was all a joke to weed out signals from the n00b noize.
Forum: CSRF and Session Info
4 years ago
rvdh
@id That should have been written in the ToS years ago! ;-)
Forum: XSS Info
4 years ago
rvdh
Yep, my luck it wasn't the actual passwd eh? ;-) But it still is not resolved. Did you find out why it left out the "d"? I'm still pondering on the fact that it only seems to behave like this on files that are actually there. Strange case.
Forum: Obfuscation
4 years ago
rvdh
Hi. It's all about learning, and one can never learn enough. Remember to have fun, that's the most important aspect of it all. Even if you get hacked, which is clearly always inevitable at some point if someone sets his mind to it. So it's best to understand quickly that security simply provides temporarily false hope. The 5 stages of a security breach; * 1. Denial and Isolation. *
Forum: Intro