ha.ckers.org web application security lab
 
Showing 1-10 of 105 records
 
Expand article

Wait, Google - I Thought You Were Evil!

2010-01-12 18:40:44 by RSnake in ha.ckers.org web application security lab
 
...information to something thats not secure if you care about that kind of thing. But alas, Id never expect that either. Convenience will win that war over security either way. But its exciting news, and Im interested to hear what the fallout of this one is
 
Tags: google, google sociopaths, googles blog post, googles, fake steve jobs, upload sensitive information, wrong, wrong route, chinese hacks
 
 
 
 
Expand article

Anonymous Proxy Woes

2010-01-04 14:42:13 by RSnake in ha.ckers.org web application security lab
 
...information is sent over the wire. What a great place to man in the middle someone - right? Even if they werent run by bad guys, they could easily be hacked into in many cases, in which case, every user who utilizes it is potentially in danger 10 - Sites like this tend to muck with the HTML of the page they output, making them trivial to...
 
Tags: site, site access, proxy, site resides, css history hack, site sends, sites, cgi proxy, javascript
 
 
 
 
Expand article

Popup & Focus URL Hijacking

The Article has images
2009-12-28 13:39:06 by RSnake in ha.ckers.org web application security lab
I apologize ahead of time for whomever first sent me this - its been so long now that I have long since lost the original email. But at some point a few years ago someone sent me a small snippet of JavaScript that could cause a page to be replaced by another page in such a way that if you looked at the URL bar, it didnt matter because after you...
 
Tags: nasty user experience, nasty, user experience, user, user compromise, page, internet explorer, org, download
 
 
 
 
Expand article

Mr-T smbenum and Firefox userprefs

2009-12-21 11:37:16 by RSnake in ha.ckers.org web application security lab
 
I took a few minutes today to update the Master Recon Tool to include both the default Firefox preferences and the smbenum (enumeration of programs in Internet Explorer). This isnt a big deal or anything, but its more that I think people arent really clued into all the stuff that can leak from a browser. Not that this is everything, mind you...
 
Tags: include, master recon tool, default firefox preferences, stuff, internet explorer, zip file, mr-t, smbenum, lot
 
 
 
 
Expand article

DNS Rebinding Video

The Article has embedded video
2009-12-01 11:48:37 by RSnake in ha.ckers.org web application security lab
 
I decided to throw together a video for those of you who are still having trouble wrapping your heads around DNS Rebinding. Its my first attempt at making a video so there are zero frills, but if and when I make future videos, I may improve that. Most importantly, hopefully this will help explain the details for those of you who arent super...
 
Tags: dns, video, robert rsnake, future videos, raf, trouble, improve, super, shirt
 
 
 
 
Expand article

The Bikini Is No Longer Safe

2009-11-23 19:01:17 by RSnake in ha.ckers.org web application security lab
 
Jeremiah Grossman sent this over this afternoon. No, do not click that scandalous picture of that bikini clad girl its just another example of Clickjacking in the wild. Facebook has been hit by a clickjacking worm found by Gadi Evron. Its called, funny enough the bikini worm . Just another great example of how defense just keeps getting harder...
 
Tags: gadi evron, gadi, bikini worm, worm, vulnerable, bikini clad girl, gadi hahah, scandalous picture, jeremiah grossman
 
 
 
 
Expand article

Com.Com is Up For Sale

2009-11-20 12:47:56 by RSnake in ha.ckers.org web application security lab
 
...information about the local college, including building plans, love letters, medical information, bills, and on and on And that was just one .edu domain. Now imagine the typo traffic for all of .com Im not just talking about email, but think about all the DNS errors, and the referring URLs and the places that you could XSS just because of...
 
Tags: typo, typo traffic, tld, chinese idn tld, g6w251d, average bad guy, average bad guys, csuchico, love letters
 
 
 
 
Expand article

DNS Rebinding for Scraping and Spamming

2009-11-18 10:45:48 by RSnake in ha.ckers.org web application security lab
 
...information from Google without Google being able to block the real attacker. Since sites like Google do not respect the host header and they dont use SSL/TLS an attacker can scrape information from these sites all they want - all the while using other peoples browsers. Now think comment spamming, polling fraud, brute force, and on and on All...
 
Tags: dns, simple dns, dns server, real attacker, attacker, google, peoples, peoples computers, ssltls woes
 
 
 
 
Expand article

DNS Rebinding for Credential Brute Force

2009-11-17 16:43:04 by RSnake in ha.ckers.org web application security lab
 
In part two of my DNS rebinding diatribe I wanted to talk a little more about the previous problem of session fixation . Session fixation is great but its only great if by getting them into your account that provides you some value as an attacker. Sometimes thats useful, sometimes its not. But what about a different scenario where the attacker...
 
Tags: brute force, dns, credential, session fixation, session, account, account ahead, weak cookie, page
 
 
 
 
Expand article

Session Fixation Via DNS Rebinding

2009-11-16 17:44:55 by RSnake in ha.ckers.org web application security lab
 
While I was out at OWASP, I ran into Dan Kaminsky and we started chatting about DNS rebinding - as we are known to do. Almost immediately he surprised me by saying that DNS pinning is a bad idea. After much explaining, I get why he thinks so, and I found myself nodding. Its not because its not a good idea, its because it doesnt work, and all the...
 
Tags: dns, dns response, browser rebinds dns, browser, attacker set, attacker, host header, users badguy, badguy
 
 
 
 
 
Showing 1-10 of 105 records