SEARCH RESULTS
 
Showing 1-10 of 50 records
 
Expand article

1&1 Internet Customers Vulnerable to XSS

2007-12-30 21:15:23 by RSnake in ha.ckers.org web application security lab
 
...XSS . The technique is simple, but it comes from the way in which they present ads based on detection of a file not found. They pop up an iframe based on file name which you can jump out of pretty easily. Not so good. Im not sure what sort of customers 1&1 Internet provides service for but Id be unhappy if I were a customer there. Apparently...
 
Tags: customers, xss, internet, dom based xss, file, john smith, predictable location, pretty easily, ads based
 
 
 
 
Expand article

Diminutive XSS Worm Replication Contest

2008-01-04 16:28:08 by RSnake in ha.ckers.org web application security lab
 
...XSS worm (with a non-dangerous payload The diminutive XSS worm replication contest is a week long contest to get some good samples of the smallest amount of code necessary for XSS worm propagation. Im not interested in payloads for this contest, but rather, the actual methods of propagation themselves. Weve seen the live worm code and all of...
 
Tags: xss worm, propagation, worm propagation issues, code, diminutive, live worm code, xss worm propagation, winners code, diminutive perl contests
 
 
 
 
Expand article

Diminutive XSS Worm Contest Drama and Status Update

2008-01-06 17:34:38 by RSnake in ha.ckers.org web application security lab
 
...XSS worm contest . One of my favorites was where I was being compared to arming people with nuclear weapons . Clearly, and admittedly most of these people have no background in the issue and have never read this site or the rest of sla.ckers, as there is lots of samples of existing worm code in lots of places on the Internet now. Just because...
 
Tags: browser companies, browser, browser security arena, code, people visit, people, worm code, diminutive xss worm, xss worm
 
 
 
 
Expand article

ScanAlert - XSS is Cool with Us

2008-01-21 20:58:57 by Bill in Grumpy Security Guy
 
...XSS because it is really a tricky issue to explain to people that dont understand. It basically boils down to bad people using my website to compromise clients. What they do with those compromised clients can range from fairly benign replicating worms , phishing scams , all the way to total remote control of the end users browser. The fine...
 
Tags: scanalert, xss, people, crazy people, mcafee acquires scanalert, security stories, bad people, xss vulnerabilities, underground security resources
 
 
 
 
Expand article

Obama XSS Silliness

2008-04-22 15:04:10 by Chris Eng in Zero in a bit
 
...XSS vulnerabilities throughout their website. Theres no need for me to rehash the story, you can read other articles that describe what happened . My thoughts on the matter are as follows I wish the media wouldnt refer to this as hacking Obamas website because its not quite accurate; XSS attacks end users, not the web site itself. Clearly one...
 
Tags: xss, obama, xss attacks, barack obama campaign, input validation, website, xss vulnerabilities, obamas website, web security
 
 
 
 
Expand article

Orkut XSS Worm

2007-12-20 16:18:37 by RSnake in ha.ckers.org web application security lab
 
...XSS worm . Orkut is Googles version of social networking. It was big for a while, but I think everyone bailed in favor of the more open MySpace and Facebooks of the world. Its still widely used by the Portuguese population though Rough estimates are north of 300,000 people compromised, even though it was caught relatively quickly. Its amazing...
 
Tags: orkut, worm, post, community, orkut community, post scrapbook, xss worm, post requests, worm code
 
 
 
 
Expand article

Another MySpace XSS Through an API

2008-01-21 16:24:14 by RSnake in ha.ckers.org web application security lab
 
...XSS in MySpace using the mobile API . MySpace being plagued with XSS vulns is really nothing new, but this is actually pretty interesting to me because its the first time I can publically point to a place where the API is the conduit for the attack. Where youd normally be unable to enter JavaScript, on the mobile API the filters dont exist....
 
Tags: api, mobile api, myspace, xss, website, main website, mobile platform, rosario, rosario valotta
 
 
 
 
Expand article

XSS on Whois

2007-12-30 20:55:53 by RSnake in ha.ckers.org web application security lab
 
...XSS in whois information to take over domains when people are researching your domain . Very cool stuff. I have a feeling there are also servers that may be vulnerable to SQL injection as well, but thats probably much more difficult and dangerous to test. Dotster was apparently vulnerable to this, but we didnt have a working PoC However,...
 
Tags: apparently vulnerable, vulnerable, credit card information, domain, cool stuff, domain registrars, stuff, usefulness, sql injection
 
 
 
 
Expand article

Bots + Web Vulnerabilites - An Approaching Storm

2008-05-15 21:55:13 by Bill in Grumpy Security Guy
 
...XSS and CSRF So here is the attack Find a few permanent XSS vulnerabilities in some high traffic sites Find some CRSF vulns in popular blog and forum software Craft your payload Profit So the bot software basically sits back and waits until the computer it is on visits a vulnerable site and then places it payload in the vulnerable spot. It...
 
Tags: vulnerabilities, permanent xss vulnerabilities, xss, sql injection, attack shortly, attack, mass sql injection, web vulnerabilites, browser vulnerabilities
 
 
 
 
Expand article

Automating web application security testing

2007-07-16 11:40:00 by Panayiotis Mavrommatis in Google Online Security Blog
 
...XSS) is the term used to describe a class of security vulnerabilities in web applications. An attacker can inject malicious scripts to perform unauthorized actions in the context of the victim's web session. Any web application that serves documents that include data from untrusted sources could be vulnerable to XSS if the untrusted data is...
 
Tags: web application, application, input, input parameters, accepts user input, xss, xss vulnerabilities, security, security team check