welcome to sla.ckers
Forum: Intro

nice work hafif :)
Forum: Projects

The web server response code has nothing to do with the attack; a web server doesn't even need to be involved. The distinguishing factor (as I recall) is being able to determine when you have an error due to a faulty decryption and an error due to incorrect padding. If you can distinguish between those two cases (via any means), you're in luck.
Forum: OMG Ponies

your demo video was nice. interception would be cool too. keep us posted :)
Forum: OMG Ponies

So here the rules state "just by typing into the URL bar" but at http://tr3w.net/misc/challenges/ch2rules.txt you say "only by typing directly into the GET parameter"... So which is it?
Forum: Obfuscation

define "good"...
Forum: Vendor Talk

IMHO, a single canary is never sufficient. We already know there exists 100% disjoint sets of characters that can be used for XSS, depending on the context. So the canary, to be useful, would need to cover a wide array of potential characters. Any single character in the canary can result in the whole string being blocked. None of this however takes into account other restrictions such as maxi
Forum: XSS Info

If you give them clear directions and ask nicely.
Forum: XSS Info

yeah, good thing you didn't join 3 months ago... you would have had to rejoin :P anyhow, welcome to sla.ckers :)
Forum: Intro

http://sla.ckers.org/forum/list.php?24 of if you want to be more specific... http://sla.ckers.org/forum/read.php?24,35645#msg-35684
Forum: XSS Info

what might work depends on context
Forum: XSS Info

HacktheSlack Wrote: ------------------------------------------------------- > Is there any way to bypass encoding? Yes.
Forum: XSS Info

@theharmonguy huh? why wouldn't it qualify as XSS? @hc0de is correct - if the forward slash wasn't escaped, this could be turned into a valid injection, regardless of how quotes are handled : </script><script>alert(0)</script>
Forum: XSS Info

as to what the actual obfuscation is.... the code has a long string of hex values stored as variable x. it loops through this string, 2 characters at a time, puts a % at the beginning of each group of 2 so you get something like %22. This is now a valid URL encoded character which gets automagically decoded when the code does the document.write(). So %22 would become " when it's writt
Forum: Obfuscation

Each of the forums has it's own RSS feed (according to the Firefox RSS icon up there in the corner of my browser). I've never tried it out though.
Forum: Intro

there is an irc channel: #slackers at irc.freenode.net (iirc)
Forum: Intro

theharmonyguy... hmmmm.... where have i heard that name before........ ?!? :) no seriously, nice to see you here!
Forum: Intro

maybe you just haven't met the right robot for you
Forum: Intro

Hey Jonas! It was great to meet you finally and thanks for showing us around Stockholm a bit. I had a great time at the conference too. John Wilander and the other organizers did a fantastic job. We'll definitely have to meet up again soon! :)
Forum: OMG Ponies

Actually, I don't think either of these are true palindromes since they get the brackets/parenthesis backwards. Here's a "true" one, though not as clever/pretty: '//)0(trela;';alert(0)//'
Forum: Obfuscation

-1||(alert)(trela)||1-
Forum: Obfuscation

/facepalm
Forum: XSS Info

<script>eval(location.hash.slice(1))</script> and append #alert('real payload goes after the hash symbol') to the URL. why use third-party site when you can have all-in-one :) you can use just http://0x.lv for a third party script which will alert your cookies or, if you have a hash, it will execute whatever follows the hash in your URL
Forum: XSS Info

I ran across http://0x.lv/mole.cfm somewhere on the nets; sadly, I don't remember where now. You may also want to check out http://laudanum.inguardians.com/
Forum: SQL and Code Injection

http://www.skyphire.nl/x <--- :)
Forum: News and Links

@LeverOne nice one! except... s/;//g
Forum: Projects

I'm looking for a good JS Tidy utility. Does anyone know of one? Or perhaps an IDE that will tidy JS nicely?
Forum: OMG Ponies

archives are wonderful thing: http://sla.ckers.org/forum/read.php?2,28
Forum: SQL and Code Injection

huh?
Forum: XSS Info

There are obviously plenty of other ways, but this method described by Krebs seems rather popular at the moment (or at least it is getting a lot of media attention). The setup for it all seems rather complex which makes me think it would be hard to do as a lone person. However, the criminals seem to go through great measures to cut off paper trails by "hiring"/conning money mules and s
Forum: OMG Ponies