Owner: Insane Security URL: http://insanesecurity.wordpress.com Join Date: Fri, 28 Sep 2007 09:07:52 -0500 Rating: 0 Site Description: Website/webserver (in)security blog
Making it harder (Session Hijacking) 2007-09-27 19:24:41 This is basically an idea that came to me a while ago, when I came across an XSS-vulnerable website on which I could get hold of the cookie that stored the session identifier…
But first, how does session hijacking take place? Two examples based on XSS:
1. The SID is appended to the URL; then a simple document.location is enough….
2. The SID is stored in the cookie; then what?… document.cookie :-?
But this is not a tutorial about session hijacking; for more information see Wikipedia or Google.
How was I thinking of strengthening the website against session hijacking?
The magic answer: store an IP per session, so that only the IP that registered the session can take full advantage of it….
Implementation? Too easy to bother printing the code (maybe in a later article).
What would it not help against? A visitor with a dynamic IP, or an attacker on the same subnetwork as the victim….
Of course this is just a hardening technique; you should always secure your website in as many ways as possible. I don&r
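The idea above, written out as an added example in Python (the post's own implementation is PHP and was never published here): the session record remembers the peer IP that created it, and the session id is only honoured from that IP. The `Request` shape, the `SESSIONS` and `MISMATCHES` dictionaries and the sample addresses are all constructed for this example.

```python
"""Binding a session to the client IP that created it (added example, not the blog's code)."""
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory store: session id -> record. A real site would keep the
# same fields in its usual session backend (files, memcached, a DB table).
SESSIONS = {}
MISMATCHES = []   # constructed stand-in for the server's security log


@dataclass
class Request:
    remote_addr: str   # the TCP peer address; never trust X-Forwarded-For for this
    cookies: dict


def create_session(user: str, request: Request) -> str:
    """Issue a fresh random session id and remember which IP registered it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": request.remote_addr, "created": time.time()}
    return sid


def log_mismatch(sid: str, bound_ip: str, seen_ip: str) -> None:
    MISMATCHES.append(f"session {sid[:8]}... bound to {bound_ip} presented from {seen_ip}")


def authenticate(request: Request):
    """Return the logged-in user for this request, or None.

    The session id is only honoured when the request comes from the IP that
    created the session; a copied id presented from anywhere else is refused
    and the mismatch is recorded so the operator can see it.
    """
    sid = request.cookies.get("sid")
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if rec["ip"] != request.remote_addr:
        log_mismatch(sid, rec["ip"], request.remote_addr)
        return None
    return rec["user"]


if __name__ == "__main__":
    login = Request("203.0.113.5", {})
    sid = create_session("alice", login)
    print(authenticate(Request("203.0.113.5", {"sid": sid})))   # alice
    print(authenticate(Request("198.51.100.7", {"sid": sid})))  # None
    print(MISMATCHES)
```

Note the two limits the post already names: a user whose address changes mid-session is logged out, and anyone sharing the victim's public address (same NAT or subnet) still passes the check, which is why this is a hardening layer and not a replacement for keeping the identifier secret in the first place.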
XSS MuWeb 2007-09-26 12:09:37 Very often, when I have nothing to do, I think about how to better secure a website or server (it depends). And by accident last week I came upon an XSS vulnerability on an MU server on which I am a co-administrator…
What version of Mutoolz? Don't know, but if you're eager to find out, browse the web or simply ask Google… OK, it's not Mutoolz-based; it's called MuWeb, some custom-developed MU web interface by a guy who doesn't give a damn about security…..
Anyway this MuWeb, which has the most sickly written code [it takes you a good while to modify it], could be exploited in the following way:
—
http://muwebsite.com/index.php?op=<script>alert(/xss/)</script>
—
Yes, it doesn't use good filters, just some kind of filter based on regular expressions… as I used to say: if you ain't good at regex, DON'T use them… anyway it filters out double and single quotes; and what? It's
rudimentary anti-x(ross)s(ite)s(cripting) 2007-08-22 09:50:36 Why I am presenting the following piece of code: not many people sanitize user input properly, and as a consequence SQL injection or XSS may happen, which may or may not be dangerous.
I've seen many examples where people sanitized the input against SQL injection, but because they forgot, or didn't think it was serious enough, they didn't filter it against XSS. There are many ways to protect against XSS, but not every one of them is fully protective.
There is no special function against XSS, as there is for SQL injection (in the case of MySQL). I've seen protections using the HTML-stripping functions from PHP; that type of protection helps in about 60 percent of cases. Which is not good enough, but will surely keep away the script kiddies ;)
—
function antixss($input) {
    return htmlentities($input, ENT_QUOTES, "utf-8");
}
—
Looks pretty simple, and also pretty easy to implement, as a protect
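To show why the post prefers entity encoding with ENT_QUOTES over tag stripping, here is an added example in Python (not the post's PHP): the same value rendered into an attribute through both filters. `antixss`, `strip_tags`, `render_input`, the template and the sample input are constructed for this example.

```python
"""Entity encoding (the post's antixss) versus tag stripping, as an added example."""
import html
import re


def antixss(value: str) -> str:
    """Python equivalent of htmlentities($input, ENT_QUOTES, 'utf-8') for the
    five characters that matter in HTML: & < > " and '. Encoding both quote
    kinds is exactly what ENT_QUOTES adds; without it a value can still close
    the attribute it was placed in."""
    return html.escape(value, quote=True)


def strip_tags(value: str) -> str:
    """The weaker 'protection' the post mentions: removes <...> tags, nothing else."""
    return re.sub(r"<[^>]*>", "", value)


def render_input(name: str, sanitizer) -> str:
    # Constructed template: the user value lands inside a double-quoted attribute.
    return f'<input type="text" name="myname" value="{sanitizer(name)}">'


def attribute_intact(rendered: str) -> bool:
    """True when the value attribute still holds one well-formed string.
    The template above contributes exactly six double quotes; any extra one
    came from user data and means the value broke out of the attribute."""
    return rendered.count('"') == 6


# Constructed input: it contains no tag at all, so strip_tags() passes it
# through untouched, yet it closes the value attribute and starts a new one.
PAYLOAD = 'x" title="injected'

if __name__ == "__main__":
    for name, f in (("antixss", antixss), ("strip_tags", strip_tags)):
        out = render_input(PAYLOAD, f)
        print(f"{name:10} intact={attribute_intact(out)}  {out}")
```

Stripping tags only addresses the element context; the same value inside an attribute, a script block or a URL needs the encoding appropriate to that context, which is why a single `antixss()` is a baseline rather than a complete answer.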
quote: Javascript is evil 2007-08-07 21:00:02 And who do I quote? Our little JavaScript "Devil" friend SirDarckCat, who is pulling it off again by writing what seems to be a three-part series about JavaScript!
For whom can JavaScript be evil? For you, your server and your local files…
Read the first article from the series at: http://sirdarckcat.blogspot.com/2007/08/javascript-is-just-evil-for-you-part-i.html
What should we do against it? Answer -> http://noscript.net/
Proxies for fun and anonymity - vol. 2 2007-08-07 11:50:51 In this second "volume" we will discuss raw HTTP/SSL tunneling… hope you'll like this part more than the first one.
raw HTTP proxy
What we need is a telnet-capable program; I personally use PuTTY, and I am going to use it for this example. I recommend a telnet program other than the one built into Windows. How do we proxy? In the same way that we initiate an HTTP request to a server, but this time we have to specify the host and the complete URL:
—
putty -raw [proxy] [port]
GET http://www.google.com HTTP/1.1
HOST: www.google.com
[Enter]
—
raw SSL tunnel
SSL can itself be used for tunneling: if the proxy supports SSL and allows connections to ports other than 443, arbitrary protocols can be run through it; this is how SSH gets tunneled through an HTTP proxy. An example:
—
putty -raw [proxy] [port]
CONNECT www.google.com:443 HTTP/1.0
Host: www.google.com
[Enter]
—
Proxy Chaining
There are many types of proxy chaining, but I am going to discuss the HTTP/SSL type, b
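The CONNECT request shown above is what a proxy operator sees from the other side. As an added example that is not part of the post, here is the check an operator would run over the proxy's access log to find allowed CONNECT tunnels to ports other than 443 (the SSH-over-HTTP-proxy case the post describes). The log layout (a Common Log Format style line with the request quoted), the function names and the sample lines are constructed for this example.

```python
"""Find CONNECT tunnels to non-HTTPS ports in a proxy access log (added example)."""
import re

# Constructed format: client ident user [time] "METHOD target HTTP/x.y" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def tunnel_port(target: str):
    """Port of a CONNECT host:port target, or None when no port is present."""
    host, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def find_suspect_tunnels(lines, allowed_ports=(443,)):
    """Return (client, target, status) for every CONNECT the proxy answered with
    a 2xx to a port outside allowed_ports. A proxy meant only to relay HTTPS
    should be refusing these, so each hit is either a misconfiguration or a
    tunnel someone set up through the proxy."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        if rec["status"].startswith("2") and tunnel_port(rec["target"]) not in allowed_ports:
            hits.append((rec["client"], rec["target"], int(rec["status"])))
    return hits


# Constructed sample log: one plain proxied GET, one normal HTTPS tunnel, one
# tunnel to port 22 that was allowed, and the same attempt later refused.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Aug/2007:11:50:51 +0000] "GET http://www.google.com/ HTTP/1.1" 200 5123',
    '203.0.113.5 - - [07/Aug/2007:11:51:02 +0000] "CONNECT www.google.com:443 HTTP/1.0" 200 0',
    '203.0.113.9 - - [07/Aug/2007:11:52:17 +0000] "CONNECT 198.51.100.20:22 HTTP/1.0" 200 0',
    '203.0.113.9 - - [07/Aug/2007:11:53:40 +0000] "CONNECT 198.51.100.20:22 HTTP/1.0" 403 0',
]

if __name__ == "__main__":
    for hit in find_suspect_tunnels(SAMPLE_LOG):
        print("allowed tunnel to non-443 port:", hit)
```

The corresponding fix on the proxy side is the usual one: restrict CONNECT to port 443 (and to whatever else the site genuinely needs) rather than to "any port", so the 403 in the last sample line becomes the normal outcome.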
Proxies for fun and anonymity - vol. 1 2007-08-06 13:27:19 Oh no, proxy-related material!
Yeah, I know the world is full of proxies, but this ain't gonna be another tutorial on how to change/set a proxy in Firefox/IExplorer/Opera/etc/passwd… this article is going to lead you straight to the basics of proxies, and how to work with them over raw TCP/IP connections.
But the last part I mentioned is only going to be part of vol. 2, because I don't have the time to write all of it at once.
What is a proxy?
A proxy is basically a gateway, a machine or a piece of software that acts like a tunnel… no more, no less (better a short description than a long one). Basic functionality of a proxy:
—
client -> proxy -> web server -> proxy -> client
—
How many types of proxy are there?
As far as I know there are 3 types of proxies:
Transparent - If the website asks the proxy for your IP, it will get it.
Anonymous - The website can't get hold of your IP.
Highly Anonymous - Or so-called l33t proxies, nobody instal
The history of hacking 2007-08-05 15:29:03 Maybe many of you don't know the real history of hacking, but this is a series that I recommend to everybody who is interested in security… They are a must-see, just to know why we all do what we do… The first video of the six-part series is displayed below, and the links to the following ones also. Check it out ;)
1-2-3-4-5-6
P.S.: Hope I got the right series… If not, you'll have to search for a while :þ
Website Anatomy 2007-08-03 00:32:19 I've started working on a project by myself, of course, by which I am trying to create a unique tool. One of a kind! The one and only! NOT!
What am I going to do? Basically a reconnaissance tool which will give you the website's folder structure, pages, forms and that kind of thing.
What will it be good for? For those cases when you want to look over a website to find possibly vulnerable forms… Normally this could take a couple of minutes while you look through the pages, check the code and all. But with this tool, seconds, with minutes to spare… for those moments when you get lazy, this tool will be developed ;)
secure PHP login script 2007-08-01 21:11:22 This is the finalization of the insane idea I had when publishing the login (security through obscurity) - weird PHP script, an idea that could not have been finalized without the post Stephen wrote in response to it… he had some great ideas there…
Let's see how the finalized version of this much-criticized script will end up… And of course it will have some obscurity in it. Why? Many hate it, that's why :þ
Firstly we have our MySQL table that goes by the following definition:
—
-- an identifier that starts with a digit must be backquoted in MySQL
create table `1nside0ut` (
    id0 int not null auto_increment,
    l0gn4m3 varchar(255) not null,
    entryw41 char(32),
    r34ln4m3 varchar(255),
    primary key(l0gn4m3),
    key(id0)   -- MySQL requires an auto_increment column to be indexed
);
—
Why two username fields, and why named that way?
Because the user should have a login username, used just for that, and a displayed name, which should be different -> harder to brute-force (if you don't know the login username). The strange column names a
httpOnly vs. XmlHttpRequest 2007-08-01 00:02:51 I remember well, a couple of days ago, when I read about this subject on ha.ckers.org; at first I thought it would be secure, but after the first three lines I realized that the only difference it made was the length of the XSS code.
For those who have trouble finding the equivalent of document.cookie in Ajax, here is the PoC (answer):
—
var doc;
try { doc = new XMLHttpRequest(); } catch(e) {}
// fall back to the IE ActiveX objects when XMLHttpRequest is not available
if (!doc) try { doc = new ActiveXObject("Msxml2.XMLHTTP"); } catch(e) {}
if (!doc) try { doc = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) {}
doc.open("HEAD", document.location, true);
doc.send(null);
doc.onreadystatechange = function() {
    if (doc.readyState == 4) {
        if (doc.status == 200) {
            var hidden = "";
            var headers = doc.getAllResponseHeaders().split(" ");
            for (i = 0; i < headers.length; i++) {
                var off1 = headers[i].indexOf(" ") + 1;
                var o
I love CSRF (XSRF) 2007-10-07 11:33:38 I really do love CSRF?…. and it all started back when I was reading a topic on the w4ck1ng forum; I don't remember the link, but I'll tell you in a few words. There was this guy who wanted to know if there was a way to win a poll without constantly changing proxies. The first thing that came to my mind was CSRF. Why do the dirty job and manually vote 24/7 so that you can win, when you can create an HTML page that contains the form with auto-submit and embed it in an iframe on a website?
What does the HTML of such a poll look like?
—
<html>
<body onload="document.poll.submit()">
<form name="poll" action="website.dom/pollvote.php" method="post">
<!-- the poll option; the field needs the name the poll script expects ("option" here is a placeholder) -->
<input type="hidden" name="option" value="3">
</form>
</body>
</html>
—
This is just an example; for more CSRF fun check the CSRF Database.
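What stops the auto-submitting form above is a per-session token that the third-party page cannot know. Here is an added example in Python of that check on the poll's server side (the poll in the post is PHP; `issue_token`, `render_poll_form`, `accept_vote`, the session dictionary and the form fields are assumptions of this example, not the site's code).

```python
"""Synchronizer token for the poll vote form (added example, not the blog's code)."""
import hmac
import secrets

TOKEN_FIELD = "csrf_token"


def issue_token(session: dict) -> str:
    """Generate an unguessable token and remember it in the user's server-side session."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def render_poll_form(session: dict) -> str:
    """The site's own vote form carries the token as a hidden field. A form hosted
    on another page cannot include it, because the attacker never sees this
    particular victim's session value."""
    token = issue_token(session)
    return (
        '<form name="poll" action="/pollvote.php" method="post">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        '<input type="hidden" name="option" value="3">'
        '<input type="submit" value="Vote">'
        "</form>"
    )


def accept_vote(session: dict, form: dict) -> bool:
    """Server-side check for POST /pollvote.php: the submitted token must match the
    one stored in the session. On success the token is consumed, so the same
    submission replayed a second time is refused as well."""
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD, "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    del session[TOKEN_FIELD]
    return True


# Constructed cross-site submission: what the auto-submitting form in the post
# sends. The browser attaches the victim's session cookie, but the hidden
# token field is missing, so the vote is rejected.
CROSS_SITE_FORM = {"option": "3"}

if __name__ == "__main__":
    victim = {}
    render_poll_form(victim)
    print("cross-site vote accepted:", accept_vote(victim, CROSS_SITE_FORM))
    user = {}
    render_poll_form(user)
    print("own form accepted:", accept_vote(user, {"option": "3", TOKEN_FIELD: user[TOKEN_FIELD]}))
```

The comparison goes through `hmac.compare_digest` so that a wrong token takes the same time to reject regardless of how many leading characters happen to match.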
Windows Network Hacking via Winfingerprint 2007-10-26 10:58:13 What?
NetBIOS hacking…
People screaming: lame dude, lame, this stuff is older than my grandma!!!
Stop laughing, screaming, swearing and all that shit… Everybody, I suppose, knows what all the NetBIOS hacking stuff is about, right?
If not, check out a massive tutorial on this subject at Darknet; btw: grab some cigarettes and some beer, because NetBIOS most of the time will be frustrating, as it won't work due to the different kinds of Windows configuration… but that is another story!
This article ain't about how to use shares, IPC$ or any other shit contained in NetBIOS hacking; it's about a tool that can perform all that NetBIOS stuff for you and create a decent output file… by the time you are reading this line I suppose you know that the tool is called WinFingerprint.
Things that WinFingerprint can do:
enumerates NetBIOS Shares, Users, Groups, and Services
Scan entire ‘Network Neighborhood’
Establishes Null Session
Registry Query
Source code audit - PHP 2007-10-30 11:41:20 What is a source code audit?
It's a primary technique by which someone can find vulnerabilities in a website just by inspecting the code.
Consider the following scenarios:
find an FTP service exploit and you can download the entire website in its unparsed form
have the source of the web application used by the website
What has to be done?
Instead of emulating the real website (setting up a web server, database, etc.) you can just start analyzing the code for commonly known vulnerable code.
User input
Most of the time user input is passed to the web application via requests, like:
—
$_GET
$_POST
$_REQUEST
$HTTP_POST_VARS
$HTTP_GET_VARS
—
And if register_globals is activated in php.ini, user input can also be retrieved via <input> names; for example, with the following HTML form:
—
<form name="basic" method="post" action="">
<input type="text" name="myname">
<input type="text" name
Cmd Code Audit (Skavenger) 2007-11-09 19:21:31 This is going to be a quick how-to on auditing source code under a Windows environment without having egrep/sed installed.
Let’s start with the most basic code auditing line:
—
type file.ext | find /i "string"
—
While this won't do much, the following batch script, which I use from time to time, could be helpful, at least for PHP code auditing (you may modify it to fit your needs, a.k.a. C/C++/C#/ASP/JSP/etc.):
—
@echo off
echo Auditing %1
type %1 | find /i "$_GET" | more
type %1 | find /i "$_POST" | more
type %1 | find /i "$_REQUEST" | more
type %1 | find /i "include(" | more
@echo on
—
For more lines to add to it check this. I have to disappoint you, because I am going to present a script far better than the above batch file.
Here it comes -> Skavenger
Skavenger is a source code auditing tool, written in PHP and designed around regular expressions, so it can be more versatile than the above
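As an added example serving both the "Source code audit - PHP" post and the batch file above, here is the same idea in Python rather than in cmd. It is not Skavenger and not the blog's script: it takes the batch file's `find /i` lines one step further, noting which variables were assigned from the request arrays the earlier post lists (plus `$_COOKIE`, added here) and flagging the lines where those variables reach a dangerous call. The regex names, the sink and sanitizer lists and the sample PHP are constructed for this example.

```python
"""Grep-style PHP audit with simple variable tracking (added example, not Skavenger)."""
import re
import sys

# Where user input enters a PHP script: the arrays from the post, plus $_COOKIE.
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\$HTTP_(GET|POST)_VARS\b")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);")

# Dangerous sinks, and the same-line sanitizers that usually neutralise them.
SINKS = {
    "file inclusion": re.compile(r"\b(include|require)(_once)?\s*\("),
    "sql query":      re.compile(r"\bmysql_query\s*\("),
    "html output":    re.compile(r"\b(echo|print)\b"),
    "code execution": re.compile(r"\b(eval|system|exec|passthru|shell_exec)\s*\("),
}
SANITIZERS = {
    "sql query":      re.compile(r"\b(mysql_real_escape_string|intval)\s*\("),
    "html output":    re.compile(r"\bhtml(entities|specialchars)\s*\("),
    "code execution": re.compile(r"\bescapeshellarg\s*\("),
}


def mentions(var: str, text: str) -> bool:
    """True if the PHP variable appears in text as a whole token ($id, not $identity)."""
    return re.search(re.escape(var) + r"\b", text) is not None


def audit(source: str):
    """Return (line number, sink kind, 'sanitized' | 'UNSANITIZED', line) findings.

    Tracking is deliberately crude: a variable assigned from a source, or from
    another tainted variable, stays tainted for the rest of the file. That is
    the trade-off of a grep-style pass: cheap and noisy, a starting list for a
    human reviewer rather than a verdict."""
    tainted = set()
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            if SOURCES.search(rhs) or any(mentions(t, rhs) for t in tainted):
                tainted.add(var)
        uses_input = SOURCES.search(line) or any(mentions(t, line) for t in tainted)
        if not uses_input:
            continue
        for kind, sink in SINKS.items():
            if sink.search(line):
                clean = kind in SANITIZERS and SANITIZERS[kind].search(line)
                findings.append((no, kind, "sanitized" if clean else "UNSANITIZED", line.strip()))
    return findings


def audit_file(path: str):
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit(f.read())


# Constructed sample: one unchecked include, one properly encoded echo, one raw query.
SAMPLE_PHP = """<?php
$page = $_GET['page'];
include($page . '.php');
$name = $_POST['name'];
echo "Hello " . htmlentities($name, ENT_QUOTES, 'utf-8');
$id = $_REQUEST['id'];
mysql_query("SELECT * FROM users WHERE id = " . $id);
"""

if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_PHP)
    for no, kind, status, text in results:
        print(f"line {no:4}  {status:11}  {kind:15}  {text}")
```

Run it with a path to audit a real file, or with no arguments to see the three findings from the embedded sample. Its blind spots are the usual ones for a line-based tool: values sanitized on an earlier line, taint that travels through function calls or arrays, and sanitizers that are wrong for the context (an `intval()` does nothing for a string column), so every "sanitized" line still deserves a look.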
new fashion, new ways (or not) 2008-02-07 07:15:04 Some time ago, when I posted I Love CSRF (XSRF), fazed invited me to do a presentation on CSRF attack and protection… but since then I haven't heard about it… Anyway I wrote down my presentation, and since I haven't been asked to do it recently, I thought I'd write it on my blog…
What will I trim [...]
less spam on blogs 2008-04-22 07:41:45 And no, it's not a better solution than Akismet, but it will do against spam bots…
This is for those who host blogs/create a blog and don't have a spam protection module for it. Maybe you've seen this type of protection before (and surely you have; e.g. www.darknet.org.uk). Have you guessed it by now? Yes, it's [...]
mailbombing - a myth or a legend 2008-04-22 05:33:40 Yes… those were the times…
I don't know how many of you were in the mailbombing scene (shouldn't even call it a scene)… but there were groups of people who formed small communities (let's call them that) of mailbombers.
And it was easy to mailbomb… what times… nowadays true mailbombing doesn't exist…
What do I call a true [...]
Got new bait? 2008-05-03 11:54:06 Maybe this is something already in use (no wonder), but it's worth mentioning…
Real-life fishing has never been my favorite activity, not even in my top 100 activities, and, as you'd imagine, phishing neither… I simply hate planting baits and waiting for someone to fall into my net; and I do see phishing as real-life [...]
woot free shells 2008-05-16 17:53:07 Lately I have been surfing around for free *nix shells; sadly very few have been found! And no, I wasn't looking for shells that would allow bouncers, eggdrops, or any stuff like that… just the classic type of shell: some megs (even 10 MB would suffice), decent scripting languages enabled (php/perl/ruby) and some [...]
Ancient history 2008-05-24 09:13:49 Not really ancient history, but personally I would like to call it that… Recently, by digging up some old emails, I found a little attachment called Metalfish, which, if you're curious, holds mIRC script files; so basically it's a mIRC script which I made a long, long, long time ago, I think about 6 years ago… Frankly I [...]
No Root For You: A Series Of Tutorials, Rants And Raves, And Other Random Nuances 2008-05-27 05:38:17 This is the name of the book that Gordon L. Johnson (leetupload webmaster) will release in mid-June (this year). Although I can't write a review of it (duh!) I suppose there will be some interesting chapters (at least they caught my attention)… I'm going to mention them, but first let's see what has [...]
Regenerative Tokens 2008-05-29 14:10:10 As you may already have read, the article new fashion, new ways (or not) presented a couple of methods on how to protect against CSRF, which were thought to be good protection, especially the tokenized method (which is the preferred and advised one), thought to be bulletproof… just thought, because recently while surfing blogs with [...]
This is just plain dumb!? 2008-06-15 12:31:11 Many times people criticise me for being a security-through-obscurity fan club member, saying that it can do no good, grow out of it and stuff like that… But I never said I used security through obscurity as a basic security implementation (wtf?! do you think I work for MS?)… Anyway for those who [...]
planting crops 2008-06-15 02:30:28 Recently affiliated with Darknet, I have found GoNullYourself, which came in with a non-skiddies approach (you got to give 'em some credit for that)… anyway they have decided to make public registration to their forum possible, and if you want to take a look and register, throw in my handle as a referral… ^_^
Why [...]
BackTrack 3 Final released! 2008-06-21 11:59:35 Got the info today from the penetration testing mailing list back at SecurityFocus…
BackTrack is the result of merging the two innovative penetration testing live Linux distributions Auditor and Whax. BackTrack provides a thorough pentesting environment which is bootable via CD, USB or the network (PXE). The tools are arranged in an intuitive manner, and cover [...]
manual renaming… 2008-06-20 14:33:28 I recently installed Apache on my home computer, and, not being a regular Apache user (for my own webapp development I use Abyss X1, kind of my first ever installed web server), I wanted to take a look in the manual pages… opened up index.html, and to my surprise there was a blank page (well, actually not [...]
Different approach on including files in PHP 2008-07-09 18:03:05 A couple of days/weeks ago (don't quite remember) I came across Savride's blog, where I also stumbled upon the following article, Secure PHP variables $_GET, $_POST - wrapper function, which was kind of hard to digest at first… too much obfuscated code in one place… it's OK if it works for him, but for file [...]