Security reporting the productive way

This morning I reported an XSS vulnerability to mugshot. An hour later I got a response that they were investigating the issue and deploying a fix. Six hours later the fix was deployed and I was notified again. This is exemplary!

Filed on 22-10-2007, 16:04. No comments, no trackbacks.

XSS exploits filtered by person

xssed.com is a directory of XSS exploits. You can submit your exploits and they get listed and, most importantly, a copy of the exploit is archived. Of course it is a bit of a challenge, but it is also useful for keeping track of vendor reactions to your exploits. One thing is missing: a personalized RSS feed that only lists the exploits of a particular author. But there is Yahoo Pipes, in the end a pretty impressive program hosting service, which basically provides tools, filters and operators that can be chained to remix content. I played around with it months ago but never had a real use case. Now I had one, and I implemented a pipe that creates a newsfeed from xssed.com. As a result, you can follow my exploits on the start page.

Update: xssed.com is currently blocking requests from the user agent "Yahoo Pipes 1.0", which I find pretty sad. I will try to get in contact with the xssed.com staff.

Filed on 12-10-2007, 01:01. No comments, no trackbacks.

Easy friend-finding for the socially retarded

Found an XSS injection on Qype which enabled a user to inject malicious JavaScript into his profile in order to automatically become a friend of every visitor. As Qype is implemented in Rails, they use Prototype as their JavaScript library, which made it pretty easy to implement a fitting exploit:

"><script>new Ajax.Request('/contact/create?to_user_id=16992', {method: 'post'})</script>

Qype has fixed the issue.
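As an added example (not Qype's code and not the author's), here is how that payload works against a renderer that pastes the profile value into an attribute, and what the fix looks like. The attribute context is an assumption drawn from the leading `">` in the payload; the `homepage` field and the function names are hypothetical.

```javascript
// Added illustration, not Qype's code. ASSUMPTION: the profile field is rendered
// into a double-quoted href attribute by string concatenation; the field name
// and the function names are hypothetical.

// Constructed input: the payload from the post, verbatim.
const PAYLOAD =
  "\"><script>new Ajax.Request('/contact/create?to_user_id=16992', " +
  "{method: 'post'})</script>";

// Vulnerable: the value is pasted in unchanged, so "> closes the attribute and
// the tag, and the <script> element that follows is parsed as real markup.
function renderHomepageVulnerable(homepage) {
  return `<a href="${homepage}">Homepage</a>`;
}

// Escaping for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaping alone is not enough for an href: javascript:alert(1) contains no
// special characters and survives escapeHtml intact, so allow-list the scheme.
function safeUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch (e) {
    return '#'; // not an absolute URL at all (the payload above lands here)
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
}

// Hardened: validate the value for the URL context, then escape it for the
// attribute context it is written into.
function renderHomepageSafe(homepage) {
  return `<a href="${escapeHtml(safeUrl(homepage))}">Homepage</a>`;
}

// Crude check used below: does the markup contain a script start tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log(renderHomepageVulnerable(PAYLOAD)); // the script tag ends up in the page
console.log(renderHomepageSafe(PAYLOAD));       // <a href="#">Homepage</a>
console.log(escapeHtml(PAYLOAD));               // &quot;&gt;&lt;script&gt;...
console.log(renderHomepageSafe('javascript:alert(1)')); // <a href="#">Homepage</a>
```

The important detail is why the injected `Ajax.Request` succeeds at all: it runs inside Qype's own origin, in the visitor's authenticated session, so the browser attaches the session cookie and any anti-CSRF token would be readable by the script. Output escaping (and, for URLs, a scheme allow-list) removes the injection; a CSRF token alone would not have helped here.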

Filed on 26-06-2007, 10:10. No comments, no trackbacks.

XSS holes on dapper.net

Dapper is a web service that provides web service creation on the fly. You can create your own APIs, feeds etc. by just mashing together selected areas from different websites. It is pretty similar to Yahoo Pipes. Switch/Twitch already pointed out that Dapper completely breaks the same-origin policy, which is the basic security concept for rich web applications (it is partly broken by Flash anyway, but that is a different story). Even worse, Dapper itself was vulnerable to XSS injections, which I found out two weeks ago. The vendor replied quickly and fixed the issues I had demonstrated. The combination of breaking the same-origin policy and vulnerabilities on Dapper is pretty dangerous. Hopefully the developers really know that they are playing with fire.

Filed on 20-06-2007, 20:08. No comments, no trackbacks.

Intrusion detection for PHP

A local startup, Ormigo, launched PHP IDS, a PHP-based intrusion detection system. It was written by Mario Heiderich and christ1an (who did the regular expression magic). The outstanding difference from approaches like mod_security is that it is purely PHP-based and can be integrated into your application. It basically takes a user-submitted content array ($_POST, $_GET, $_COOKIE) and applies a certain set of regular expressions. When I read about it on Oliver Thylmann's weblog I was really fascinated by the idea and started playing around with it. I have submitted a number of patches and proposals and started a branch to introduce more convenient result handling, which was merged back into the trunk a few hours ago. There will be a release in the next weeks and I'm looking forward to helping this project grow up.
Just for the record: after christ1an asked me whom I'm working for, he found a nice XSS on Neu.de which was fixed on Monday. Thanks again for the hint, christ1an.

The PHP IDS subversion repository: http://phpids.googlecode.com/svn/trunk/
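To make the description above concrete, here is an added JavaScript sketch of the same idea: walk the submitted parameter arrays, apply a rule set, and accumulate an impact score. It is not PHP IDS's code and does not use its rules; the five regexes, the impact values, the thresholds and the sample request are all constructed for the example.

```javascript
// Added illustration of the PHP IDS idea in JavaScript; not PHP IDS's code or
// its rule set. The rules, impact values, thresholds and sample request are
// all constructed for this example.

// ASSUMPTION: five hand-written rules stand in for the real filter set.
const RULES = [
  { id: 'script-tag',    impact: 4, re: /<\s*script[\s>\/]/i },
  { id: 'event-handler', impact: 3, re: /\bon\w+\s*=/i },
  { id: 'js-uri',        impact: 3, re: /javascript\s*:/i },
  { id: 'sql-tautology', impact: 3, re: /'\s*or\s+'?\d+'?\s*=\s*'?\d+/i },
  { id: 'sql-comment',   impact: 2, re: /(--|\/\*|#)\s*$/ },
];

// Input arrives percent-encoded or entity-encoded; normalise it first so that
// %3Cscript%3E and &lt;script&gt; hit the same rule as a literal <script>.
function normalise(value) {
  let s = String(value);
  try { s = decodeURIComponent(s); } catch (e) { /* malformed escape: keep raw */ }
  return s
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>').replace(/&quot;/gi, '"')
    .replace(/&#0*39;|&apos;/gi, "'").replace(/&amp;/gi, '&');
}

// Walk every source array (GET, POST, COOKIE) and every parameter in it, apply
// each rule, and sum the impact of all hits into one report.
function scanRequest(request) {
  const hits = [];
  for (const [source, params] of Object.entries(request)) {
    for (const [name, raw] of Object.entries(params)) {
      const value = normalise(raw);
      for (const rule of RULES) {
        if (rule.re.test(value)) {
          hits.push({ source, name, rule: rule.id, impact: rule.impact });
        }
      }
    }
  }
  return { impact: hits.reduce((sum, h) => sum + h.impact, 0), hits };
}

// Thresholds are the application's choice; these values are constructed.
function decide(result) {
  if (result.impact >= 8) return 'block';
  if (result.impact >= 3) return 'log';
  return 'allow';
}

// Constructed sample request: a harmless pager, a SQL injection probe, a
// stored-XSS attempt, and a clean cookie.
const SAMPLE_REQUEST = {
  GET:    { page: '2', q: "' OR '1'='1' --" },
  POST:   { homepage: '"><script>alert(document.cookie)</script>' },
  COOKIE: { session: 'abc123' },
};

const sampleResult = scanRequest(SAMPLE_REQUEST);
console.log(JSON.stringify(sampleResult, null, 2)); // impact 9, three hits
console.log(decide(sampleResult));                  // block
```

Two points a practitioner should take from it. Decoding before matching matters: without `normalise`, `%3Cscript%3E` passes the script rule untouched. And a regex blacklist is a detection layer, not a fix: obfuscated payloads will slip past any finite rule list, which is why the result is a score to log or act on, while output encoding in the application remains the actual defence against XSS.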

Filed on 15-05-2007, 22:10. Four comments, no trackbacks.

The Snap.com virus

The ugly Snap.com widgets currently occupy a lot of weblogs and provide annoying and useless mouse-over previews of the website you are about to visit when you hover over a link. But they have other problems as well.

Filed on 25-02-2007, 19:07. No comments, no trackbacks.

Live from Webmontag

So, just heard a talk about webnews.de. I didn't quite understand what they do, but I found this:


It seems they have fixed the problem. Now I'm just waiting for my milk frother. But I think it's cool that it went so fast!

Filed on 22-01-2007, 21:09. No comments, no trackbacks.

Calm down

Found this bug a few weeks ago but marked it for myself as ugly but uncritical (Hannes will remember; I used his blog as a test environment). Until today I haven't changed my mind, because you need a lot of luck to get through with this injection. Only a combination of a missing Spam Karma and a stupid blog owner does the trick. So, calm down. Nevertheless: WordPress is a great bughole, you won't use it.

Filed on 02-03-2006, 13:01. No comments, no trackbacks.

Webmontag Frankfurt

"Already better" would be my conclusion. After I had been busily grumbling at the first Webmontag in Cologne, I still couldn't resist going again. This time even with my own talk (with fukami) on security in Web 2.0. It was designed to make clear that with the paradigm shift from content-centred applications to user-centred ones, some new dangers appear as well, or rather old dangers in new clothes, and it grew into a little rant about existing problems. My explicit thanks to Nico Wilfer for his coolness in offering two of his projects as demo objects. I don't think everyone would do that, thank you. Further results of the evening: Gerrit van Aaken is didactically quite talented, his talk on typography on the web was exciting, Beate Paland gave a really good introduction (as far as I could tell) to Ruby on Rails, Moe is a cool guy in person too, and: it was a lot more fun this time.

Moe thinks we are nice users, Thomas Wahnhoff counts our talk among the best, poocs.de has photos, blogwinkel puts my real name and my nick together, I should sue right away (that seems to be what people do these days), you can also listen to us, and the slides are now online too (Live, Tarball).

Filed on 07-02-2006, 07:07. 14 comments, one trackback.

The other side: Security 2.0 alpha

Talk on Webmontag is over. Now it’s time to publish some security related issues I found out over the last weeks.


Filed on 07-02-2006, 00:12. Two comments, two trackbacks.

Shit happens

Just now I wanted to release a shiny new version of my bBcode implementation, but then I found a serious JavaScript injection hole in it. So you have to wait.

Filed on 02-02-2006, 22:10. No comments, no trackbacks.

Security 0.1

Maybe LiveJournal should employ someone who knows something about web security.

via Fukami

Filed on 21-01-2006, 15:03. No comments, no trackbacks.