Sla.ckers.org
How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 

Current Page: 1 of 3
Results 1 - 30 of 90
6 years ago
fragge
thornmaker Wrote:
> bypass: (x)setter=0?0.:alert,x=0

NICE. crazy O_O
Forum: Projects
6 years ago
fragge
So if I pad my document with hundreds of <b><i> and </i></b>, and raise the severity warning, will my document be cancelled? I don't understand the point of this.. it doesn't allow for actual usability.. It just stops any injection.. Which there wouldn't be if we removed the form in the first place - something this thing practically does by blacklisting anything with <&g
Forum: Projects
6 years ago
fragge
As interesting as this topic is, your PHPIDS is 1000% oversensitive. It detects usage of closing bold and italic tags? It raises flags over the use of a perfectly fine hyperlink or image tag, and calls it javascript injections? I thought that this was supposed to allow non-malicious code to operate, whilst filtering malicious code. Blacklisting character sets does not work. Some pretty tricky XSS
Forum: Projects
6 years ago
fragge
Sorry for the delay, I've been exceptionally busy at work. I will post here again (probably near the end of next week, completely dependent on time) when I have a working zip to throw across to you guys, I sort of left the skinning process half done, and left the downloader un-usable. Update shortly ;)
Forum: Projects
6 years ago
fragge
Wasn't sure where to put this.. http://www.javeline.com/ Anyway, Javeline Platform is an AJAX framework which integrates XML and JavaScript and melts them into their own JSL syntax. I've been playing around with it for a few days learning the syntax and properties of different containers/components. There isn't much support at all, and it takes a steely resolve to sit through hours of wonder
Forum: Vendor Talk
6 years ago
fragge
Kyran Wrote:
> I don't know that much PHP, but I'd like to help
> out where I can for this. It might be good to help
> learn anyways. :P

Cheers, I'll get in touch with you shortly about the project, and provide you with a zip of the current build, ideas/features I'm working on, any ideas you may have, improvements, etc etc t
Forum: Projects
6 years ago
fragge
sjraptor.. its others' mate.. LOL.
Forum: OMG Ponies
6 years ago
fragge
kishor, just wondering - are you interested in developing this with me? I'm currently working on version 4 (0.0.4) of this, new UI is pretty much done, pretty basic, have heeeaps of ideas that I'm working, just wondered if you wanted to be a part of development & ideas.. I have your name up on the poxy little copyright, but I can take it off if you want, just thought I'd credit you. Anyone who
Forum: Projects
6 years ago
fragge
Bad luck CrYpTiC, although I already noted that your disclosure method (releasing internal information) was not in your company's best interests:

Quote:
> CrYpTiC_MauleR said: "but it goes to show that you can't trust a company to protect your information"

And I would assume your disclosure of your company's inner server workings on the internet means that they can't trust employees t
Forum: News and Links
6 years ago
fragge
1) I posted that because I found it humorous, and thought RSnake would also. I have NOTHING against RSnake. 2) The password problem was trivial in the context of the attack surface presented; putting a complex password on the machine means zip, because they give the information to employees, who purportedly post it up on post-its around the office - this negates the purpose of a password, hence it
Forum: News and Links
6 years ago
fragge
I ignored the first character attack, but that was too funny. I don't understand what you have against me thrill, nor care - that was a joke of a response, and I will treat it as such.

Quote:
> I told an executive loss prevention manager about the username being the same as the password months before the breach occurred, of course he didn't do anything.

Was the breach performed on that terminal
Forum: News and Links
6 years ago
fragge
thrill Wrote:
> what do you care what the password is? you need
> physical access to the terminal to crack it
> regardless.
>
> I guess you've never heard of disgruntled
> employees.. people who would love the ability to
> install some sort of software that would allow
> them to record every transaction which
Forum: News and Links
6 years ago
fragge
I'm 99% sure I already replied to this.. anyway, this project is being continued by me (and anyone who wants to help dev?) here: http://houseofhackers.org/group/australianit/forum/topic/show?id=2092781%3ATopic%3A10665 Next version should be done today if I'm not too busy.
Forum: Projects
6 years ago
fragge
what do you care what the password is? you need physical access to the terminal to crack it regardless. TJX aren't really concerned that they're going to get hacked through that access point mate, they're concerned that their databases will get swiped and sold again. Just my 0.02
Forum: News and Links
6 years ago
fragge
RSnake got another zine mention ;) http://cypher0.h18.ru/zf04.txt -- RSnake won a pwnie! You came close kuza, but no cigar. Money quote: "Firstly, in an ever popular category these days, We have our nominations for the "Most narrowly directed researcher" award. The nominations were: 1. kuza55 -- Some guy who presented at MS's bluehat conference about the dangers of XSS
Forum: OMG Ponies
6 years ago
fragge
i wouldn't use flash on anything. ever.
Forum: OMG Ponies
6 years ago
fragge
CrYpTiC_MauleR said: "but it goes to show that you can't trust a company to protect your information" And I would assume your disclosure of your company's inner server workings on the internet means that they can't trust employees to protect their information? >_>
Forum: News and Links
6 years ago
fragge
Re: lol

digi7al64 Wrote:
> @yoness - please try and keep it on tomato :P

^ fixed
Forum: OMG Ponies
6 years ago
fragge
@DoctorDan I know, I read your paper ages ago when you first published it ;) it was just easier for me to tell a nooby it grows Exponentially than to explain the vanishing point when the propagation slows and evens out as it approaches the top of the curve. ^^
Forum: XSS Info
6 years ago
fragge
An XSS worm takes advantage of Persistent XSS. This means that it can be inserted into a page that will retain it, like a blog or a comment space. If the page executes code, and retains it on the page (ie: comment, blog, etc), then it is vulnerable. The worm is injected, then when someone views the page (something that generally requires them to be logged into the same site), it redirects their br
Forum: XSS Info
6 years ago
fragge
Yes, if you are able to add code in your comments box which executes, then you have a serious problem - that means that if I were to go to your blog, I could change your page in ANY way I want. I could completely remove all your content, and write my own blog over the page, or better yet, redirect the user to a malicious site and install malware to control their pc. Because the comments box will s
Forum: XSS Info
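The two posts above describe how a persistent (stored) XSS payload sits in a comment or blog entry and runs in every later visitor's browser. The following is an added example written for this page, not code from fragge's posts or from any product discussed in the thread. It assumes a hypothetical in-memory comment store (`store`, `saveComment`) standing in for a blog's comments table, and contrasts a renderer that concatenates stored text straight into markup with one that HTML-encodes it on output. The sample comments, including the payload, are constructed for the demonstration.

```javascript
// Added example (not from the original thread): a stored-XSS round trip through
// a comment store, and how output encoding neutralises it.
// `store` and `saveComment` are hypothetical stand-ins for a blog's backend.

const store = [];                        // stands in for the comments table

function saveComment(author, body) {     // the "persistent" injection point
  store.push({ author, body });
  return store.length;
}

// Vulnerable renderer: stored text is dropped straight into markup, so any
// tags a commenter saved are emitted as live HTML for every later visitor.
function renderUnsafe() {
  return store
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('\n');
}

// Minimal HTML entity encoding for text placed in an element body or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened renderer: same template, but every untrusted field is encoded.
function renderSafe() {
  return store
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Crude heuristic used only to show the difference between the two renderers:
// does the output contain a <script> tag or an element with an on* handler?
// It is not a sanitizer and would not be a substitute for output encoding.
function hasActiveScript(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample data: one benign comment, and one whose payload, if it
// ran in a logged-in visitor's browser, would re-post the page body as a new
// comment (the propagation step an XSS worm is built on).
saveComment('alice', 'nice post');
saveComment('mallory',
  '<img src=x onerror="fetch(\'/comment\',{method:\'POST\',body:document.body.innerHTML})">');

const unsafeHtml = renderUnsafe();
const safeHtml = renderSafe();

console.log('unsafe renderer leaves an active handler:', hasActiveScript(unsafeHtml));
console.log('safe renderer leaves an active handler:  ', hasActiveScript(safeHtml));
console.log(safeHtml);
```

The point of the pairing is that the stored payload is identical in both cases; the only thing that decides whether a visitor executes it is whether the page encodes untrusted data at the moment it is written into HTML. Encoding at output time, in the context the data lands in (element body, attribute, URL, script), is what closes the hole, not filtering on the way in.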
6 years ago
fragge
I'm not going to be as harsh as these guys, but I do agree - as a security company selling a *security* product which prevents phishing attacks, surely your own web portals would be secured from at least SQL, yet as far as I see, there are multiple XSS holes and an SQL injection in your sites. It really doesn't help to sell your product is all I'm saying - your best option would be to patch your s
Forum: News and Links
6 years ago
fragge
yes but the idea of DoSing a publisher's ID via false clicks is an *old* idea, and has been employed for years. It's always been exploitable, and this isn't a bug. performing those false clicks on the publishers and creating a 2000% CTR will simply mean that the clicks will be disregarded if it is a big publisher - google treat bigger clients differently, and will protect their assets. Your clicks
Forum: Search Engine Hacking and SEO
6 years ago
fragge
mate I still don't understand how you consider this a vulnerability? what are google going to do to patch it? there is NO way to distinguish between different IPs sending different headers. The only thing they can do is check for an abundance of clicks in a short period, a repeating pattern, or an over-the-top CTR, which they *already do* - you're just performing click-fraud, which has been around
Forum: Search Engine Hacking and SEO
6 years ago
fragge
i don't get that rohanpinto performed any PoC, and maintain that he's a moron.. he ran a bot program to generate false clicks through proxies. whoop-de-fucking do. google won't pay it, it means nothing, and will get you instantly banned, as you experienced. turn your bots down to 2 CTR at unsteady intervals, and then you might generate more than $0. or get banned again. don't care.
Forum: Search Engine Hacking and SEO
6 years ago
fragge
"42. To Prove the New Weapon Methodology, Technology and Technocracy in the Crime War, Drug War, 50 Years of War and Peace, The War in Iran and any other war going on the World of crime. Three of the most dangerous Weapons of the Crime War today are 1. Praying For Persons to die with electronics, 2. Killing the person’s heart with an electric snake hot-wire hookup and 3. Poisoning Persons w
Forum: Full Disclosure
6 years ago
fragge
there aren't any other ideas - it's a blackbox attack, you know nothing of their system. do some probing of table names, find one, grab all the info, and spider through their DB till you have what you want. it's really not a complicated thing, besides the fact that it's illegal and dictionary attacking it with some noob program written by your friend will leave a huge imprint on their logs. but w/
Forum: SQL and Code Injection
6 years ago
fragge
maybe don't post so much. just guess/dictionary attack the table names, it really isn't difficult. ONE of them will be correct eventually, unless neopets names their tables 19283asdamlx0!32ikjma_1, 192389183nmkmnkaxnkn!O83901!_2 >_>
Forum: SQL and Code Injection
6 years ago
fragge
Awesome AnDrEw Wrote:
> That sucks. I had my heart set on buying one
> saying, "Women: Nature's Punching Bags".

^ epic LOL
Forum: OMG Ponies
6 years ago
fragge
http://www.cnn.com/tshirt/?headline=Australia%20says%20YES%20to%20violence%20against%20women&date=1208772622000&hash=4f2e03baf9a0cc4ed25c0dee1d0a56d3&return_uri=http://www.cnn.com/video/#/video/world/2008/04/20/vanmarsh.uk.food.whip.cnn LOL edit: oh wtf i can't actually order these? I had this one all lined up.. http://www.cnn.com/tshirt/?headline=That%20porno%20of%20Joel%20Ri
Forum: OMG Ponies