As a professional penetration tester, [...]
The JSON service responds to GET requests, and there is a good chance that
the service is also vulnerable to JSON Hijacking attacks.
That's... not how XSSI works.
To have a script inclusion vulnerability, you need to have a vanilla
GET response
A hacker exploits a JSON (JavaScript) object that has information of interest,
for example holding some values for cookies. A lot of times that exploits the
same policy origin. The JSON object returned from a server can be forged by
overwriting the JavaScript functions that create the object. This
Is this treated in the same way as saying that Remote File Inclusion is not
a security issue?
I'm not sure how RFI came into play on this thread - the original
report wasn't about RFI.
I don't have an agenda here; I'm just trying to get to the bottom of
it and make sure that we converge on
The thread read Google vulnerabilities with PoC. From my understanding it
was a RFI vulnerability on YouTube, and I voiced my support that this is a
vulnerability.
I don't think this is accurate, at least based on the standard
definition of RFI: a server-side scripting language - usually
Zalewski,
Thank you for your e-mail. I welcome all opinions that are backed up by
evidence.
I am not just a security researcher, I am also an academic in the field and a
lecturer.
All right :-) Thank you for the overview of CIA triad. I don't think
there's a good probability that our
Oh, wow :-)
To put things in perspective, it probably helps to understand that
virtually all video hosting sites perform batch, queue-based
conversions of uploaded content. There is a good reason for this
design: video conversions are extremely CPU-intensive - and an
orderly, capped-throughput
The only reasonable way to 'exploit' the bug is using YouTube as personal
storage, uploading non-video files to your own profile: so what?
That would require a way to retrieve the stored data, which - as I
understand - isn't possible here (although the report seems a bit
hard-to-parse). From
If you were evil, you could upload huge blobs and just take up space on the
Google servers.
Keep in mind that the upload functionality is there legitimately: you
can upload gigabytes of data to Youtube, Drive, Gmail, etc.
/mz
___
Full-Disclosure -
Nicholas,
I remember my early years in the infosec community - and sadly, so do
some of the more seasoned readers of this list :-) Back then, I
thought that the only thing that mattered is the ability to find bugs.
But after some 18 years in the industry, I now know that there's an
even more
Looks like root and intermediate certificate hashes to me
I was guessing it was hashes to either one pre-compiled exploit with two
architectures
No, if you look closely, it's pretty clear that it's a hash of
Gaurang's upcoming novel. A touching story of love between a vampire
and a small-town
What is your exact concern?
One should obviously not enter their Facebook credentials while the
address bar shows darksecurity.de; after all, instead of framing
Facebook, you could just create a fake login form that looks just like
theirs.
Clickjacking is a distinct concern, but generally only
That page allows drag-and-drop of the user's name. If you can convince the
user to select his name with a triple-click and then do a drag-and-drop of
that name to some place outside the iframe, you can find out his name, so
I'd say it's a privacy leak.
I had something to do with Chrome,
But I wouldn't consider it a failing on part of the targeted website -
you'd need to put essentially everything behind XFO to fix this
problem on application level, which is not feasible for a good number
of websites (including FB, because they have a variety of gadgets that
are meant to be
Doesn't Google always send JSON with Content-Disposition: attachment or so
because of that?
One of the reasons (there's also content sniffing, etc). But then,
consider view-source:, too - you can use it in Firefox to render the
source of a HTML page in a frame (Chrome no longer lets you use
Dearly beloved,
So, for one reason or another, the IJG jpeg library has gained some
notoriety as one of the most robust pieces of complex,
security-critical C code. Despite countless fuzzing efforts, I don't
recall any reports of serious vulnerabilities at least since the
release of jpeg6b in
For doing these features in httpd.conf you can use AllowOverride None instead
of AllowOverride All.
AllowSymlinks is a red herring here (hardlinks should do, unless you
have stuff partitioned in a very thoughtful way, which most don't),
similarly to suexec.
In general, sharing web hosting
I.e. this is 21 times / infinite times more effective for attack.
Not really, in terms of the bandwidth you can use up / the number of
requests you can create. You're essentially trading this:
for (var i = 0; i < whatever; i++) {
var x = new XMLHttpRequest(); /* or new Image() or whatever */
The attack overloads web sites through an endless loop of redirects. As
I showed in all cases of Looped DoS vulnerabilities in web sites and web
applications, which I wrote about during 2008 (when I created this type of
attack) - 2013.
You do realize that any browser can be made to
Total word count: ~1065
Words that provide relevant information about the bug: ~95
/mz
I guess this may be somewhat amusing...
As you probably know, most browser vendors have fixed the ability to
enumerate your browsing history through the CSS :visited
pseudo-selector. The fix severely constrains the styling possible for
visited links, and hides it from APIs such as
CVSS2 defines a standard XSS at ~4.3/10; more critical are CSRF at ~6.8 or Open
Redirect at ~5.8.
head explodes
This is fairly well-known, I think; for example, there's a mention of this
here (search for appspot.com):
http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html
I think it's also covered in The Tangled Web; it's also why you see
domains such as blogspot.com and appspot.com in
OGMMM WTFF 0DAY XSS
Sorry, getting a bit tired of these.
Well, the world is changing. You can probably do a lot more direct damage
with a (legit) XSS in a high-value site than with a local privilege
escalation in sudo.
XSS reports are less actionable for the average reader, but full
I would be interested in what bounties they would pay
for operation Аврора or for a botnet of, say, 1M hosts.
Reward amounts are public; for example, here are the rules for the web
app program:
http://www.google.com/about/appsecurity/reward-program/
Neither malware on user machines nor attacking
His question seemed pretty clear to me. As indicated in the article he
linked to, Google apparently raised their bounty/reward. He's asking if
something happened to one of their products to cause that, or if they're
just paranoid (and maybe expecting something to happen to one of their
The only thing I am saying is that when you have a choice between
direct root logins and using sudo / su, telling people to use the
latter option for security reasons actually makes them worse off.
Poor corporate security practices, schizophrenic account lockout
policies, or dealing with hundreds
Using su to execute commands as an untrusted user from an interactive
shell may allow the untrusted user to escalate privileges to the user
running the shell.
If you have the ability to execute code on that terminal before the
user executes su, it is also possible to simply never allow the
I think you've taken that far too literally. My understanding of it is to
protect against a) brute force retardation b) dumb attackers.
The advice weakens the security of your system, because it means I
just need to compromise your unprivileged account (in which you run
your browser, mail
Wikipedia says 5 months: http://en.wikipedia.org/wiki/Responsible_disclosure
Well, the encyclopedia has spoken. So it's settled then.
/mz
Another moderately interesting tidbit, I guess...
It is an important and little-known property of web browsers that one
document can always navigate other, non-same-origin windows to
arbitrary URLs. Perhaps more interestingly, you can also navigate
third-party documents to resources served with
IMHO, anyone who willingly, knowingly places customer data at risk by
inviting attacks on their production systems is playing a very dangerous
game. There is no guarantee that a vuln discovered by a truly honest
researcher couldn't become a weapon for the dishonest researcher through
A you-only-get-it-when-successful 20,000$ budget from Google is
insulting, considering the perhaps massive time investment from
the researcher. [...] and yet they only pay a nice researcher 20
grand? You can't even live on that. Researchers aren't just kids
with no responsibilities, they have
Our interest is exploits which run over Windows 7, Snow Leopard with
applications such as MS Office, Adobe, browsers, Media Player, Notepad, etc.
Well, good thing I have a stash of Notepad 0-days.
Most of them involve you saving a snippet of text as evil.bat and
clicking on it, though.
/mz
Hey,
Hopefully this won't offend the moderators:
http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html
I suspect I know how the debate will be shaped - and I think I can
offer a personal insight. I helped shape our vulnerability reward
program from the start
I find it very unfortunate that 300 supposed security professionals clicked
on a hidden link like that without first checking what it was, or if not
simply ignoring it like I did!!!
So how do you meaningfully check what it is without actually
requesting the document?
And what's the difference
The only other people that see the vulnerability are the select few in
upSploit.
OK. You should probably document that, and make it clear that this
policy will not change without the reporter's explicit consent.
It's an interesting project - but you guys are working for security
software
Without meaning to advertise, that is one of the reasons upSploit was
created - so that you could submit a vulnerability and then upSploit
automatically sends to the vendor. This way you and your friend don't have
to do any of the work on the disclosure.
I clicked around and don't see any
Does the 'Access-Control-Allow-Origin' header provide any benefits in
defending against cross site scripting attacks?
No. It's a mechanism to control cross-origin XMLHttpRequests (and some
other peripheral things), and adding it does not reduce the likelihood
or exploitability of XSS bugs.
If you
So just for the record, version 3.00 is now officially out:
http://lcamtuf.coredump.cx/p03/. Many thanks to countless people who
submitted signatures and bug fixes, including:
Phil Ames
Jason DePriest
Dalibor Dukic
Mark Martinec
Damien Miller
Nibbler
Bernhard Rabe
Chris John Riley
Hi folks,
I wanted to share the news of p0f v3, a complete rewrite and redesign
of my passive fingerprinting tool.
== Synopsis ==
P0f is a tool that utilizes an array of sophisticated, purely passive
traffic fingerprinting mechanisms to identify the players behind any
incidental TCP/IP
https://media.blackhat.com/bh-us-10/presentations/Waisman/BlackHat-USA-2010-Waisman-APT-slides.pdf
From while (1); to APT in 10 posts. Good job :-)
/mz
Do you think that the Firefox warning: unresponsive script is meant
as a security feature or a usability feature?
More seriously, though, it's a bit of an oddly-phrased question. Only
the author of the code knows the true intent; you can look up the
mention of this text in the code, and see
With the growing enthusiasm about CSP and other script containment
frameworks, I tried to put down some rough notes about the fundamental
exploitation vectors that would be available in absence of the ability
to execute scripts - and tried to see how these attacks correspond to
what XSS attacks
At the risk of annoying everyone...
I think we greatly underappreciate the extent to which JavaScript
allows you to exploit the limits of human perception. On modern
high-performance systems, windows can be opened, positioned, and
closed; and documents loaded and then navigated away from; so
Interesting stuff indeed. However, I don't see you talk about a solution.
Why is that?
Because it's bugtraq / full-disclosure, where people generally talk
about vulnerabilities...
I'm not sure I follow your drift about Firefox, I don't believe it's
mentioned anywhere.
Anyhow, correct me if
They may be in the minority, but there *are* users out there who know how to
look at the address bar. The security researcher knows this because he is
one of them. I call this group the competent and contentious users.
Sure. And that group is sort of safe when faced with open redirectors,
For example: did you know that if you click on a link from coredump.cx
to microsoft.com and it opens in a new window, then a second or two
later, that coredump.cx in the background can change the URL of the
microsoft.com window, and point it to evil.com? Heck, coredump.cx can
even wait until
I run with NoScript. So the links showed on the initial pages and when
clicked.
Yes, well, congrats ;-)
/mz
Granted, but I know that vulnerability research can take a huge chunk
of time out of a person's life, and without getting in to monetary
philosophy,
I feel that in our current system, a person should be compensated for their
time if they've done something useful for society.
Is this an
_Open_ URL redirectors are trivially prevented by any vaguely sentient
web developer as URL redirectors have NO legitimate use from outside
one's own site so should ALWAYS be implemented with Referer checking
There are decent solutions to lock down some classes of open
redirectors (and replace
As for minimal risk I personally don't agree. I have leveraged Unvalidated
URL Redirections in the past to attack clients of sites all the time. It's
highly trivial to point to a site with a metasploit browser bug patiently
waiting and amass quite a large number of sessions in a short period
http://lcamtuf.coredump.cx/cachetime/
OK, just for the record: I improved the original PoC quite a bit, and
added experimental variants for other browsers. I will shut up now.
/mz
Evening,
This party trick is not particularly exciting, but hopefully
highlights a vaguely interesting point:
http://lcamtuf.coredump.cx/cachetime/
In essence, in the past few years, browser vendors have severely
crippled CSS :visited selectors in order to prevent CSS-based history
snooping
If you want to respect the license of this code you cannot include the
exploit in your software.
And don't get me started about my patent on NOP sleds!
/mz
Next time, I won't say shit, and, believe it.
Well it's just that the attack you are describing will be thwarted by
setting a sticky bit on /tmp, and you have not demonstrated otherwise.
/mz
You can make it bypass ASLR?
No, you are absolutely correct, this vulnerability can't be used to
bypass ASLR. Score one for address space randomization.
/mz
I think someone fed bugtraq archives into scigen.
I thought we're doing Twilight fanfic instead?
/mz
Actually, no; per user /tmp could only be accomplished, without a major
redesign and without breaking almost every application
[citation needed] ;-)
Only a fraction of apps uses /tmp... vendors can fix their own
distros: grepping for /tmp isn't complicated, and almost every
package usually
In any case, the *right* answer isn't to play whack-a-mole fixing /tmp races,
what you should be doing is using pam_namespace or similar so each user gets
their own /tmp namespace.
That would result in counterintuitive behavior, I suppose... /tmp is a
fairly stupid and largely unnecessary
I believe that this is the best place to post the following hash values:
MD5Sum:a762a3b9cbfb3d63034646087680b254
SHA1sum:6f25d72bd693b52de25c36d04f9e17f945420580
SHA256sum:d5886dd14f3eac029d771da6bcc6d49bc2e50c79159e5390c9c0776c725243a5
No, for these specific hash values, I believe the
Good catch, but you didn't provide for a working exploit at the time.
Now I only see your name on the press. Why?
I don't know why this is in the news at all, let alone with any
specific attribution. Perhaps you wanted to ask the journalists?;-)
/mz
Just for the record, I have the impression that this is not the same vulnerability
you outlined in your advisory a while back. It is more that the idea
for this vulnerability originated from your advisory, not the same bug.
I don't think this even matters, and I really don't disagree...
In 2007,
http://www.gossamer-threads.com/lists/apache/dev/401638
FWIW, I pointed out the DoS-iness of their Range handling a while ago:
http://seclists.org/bugtraq/2007/Jan/83
/mz
Just ignore Mustlive. The rest of the list does.
Well, sadly, it leads to things like this:
http://www.securityfocus.com/bid/40487
/mz
[ But for what it's worth, I am willing to bet that the script was
added without analyzing these subtle considerations, and that makes it
somewhat scary on its own accord. ]
/mz
Ubuntu's reseed(8) can be used to seed the PRNG state of a host. The
script is run when the package is installed, and anytime su executes the
script.
reseed(8) performs an unsecured HTTP request to random.org for its
bits, despite random.org offering HTTPS services.
This resulted in a couple of
Paradoxes are a way of life... Hence, the goal here is to question all
knowledge with reasoning and try not to build a static opinion on
anything.
But have you tried contacting the vendor first?
/mz
Cool. I got an iPhone 3GS. Consider me an ex-user. GG Apple. Let me guess, a
co-operation deal with the NSA, and the U.S. government paid them some billion
dollars for that.
Totally. A vast conspiracy is the only possible explanation.
/mz
I would like to suggest that advertising for products and tools (free or
otherwise) be limited to just an initial announcement to tell people about
the tool.
Meh. Most authors keep the volume of their announcements low, and only
highlight genuinely interesting updates. I think it's beneficial
It's whatever, un-moderated means exactly that. No-one can tell anyone else
what to release/write. Period.
Of course you can. That's what the charter is for. Unmoderated means
simply that the charter is usually not proactively enforced (but even
that is hardly an absolute guarantee).
/mz
This one is from command line, maybe the next will be in
the server mode or whatever.
Man, I hope you never find out what Perl is written in...
/mz
I believe that the World War III conflict might start in 10 months or
more from now.
It's hard to disagree.
/mz
This is only true for remote attackers hitting network service auth.
Mhmm, and runas, su et al couldn't benefit from this?
Not a whole lot. You can likely tell a successful login from a failed
one within several milliseconds by watching /proc or so.
/mz
I mean, if these are the security industry's geniuses, why, what would the
writers of Stuxnet be?
...seriously?
Disclosing how their epic story simply involved SQLi, well, what about the
guys discovering 0days in native code?
Totally. I have long postulated that perl -e '{print "A"x1000}' is
Also, I would say that even though randomly prodding exec arguments
with A's isn't so elite, the space of the non-web is much more deep
and much more complex than the space of the web.
I think that sentiment made sense 8-10 years ago, but today, it's
increasingly difficult to defend. I mean,
If it did for Google, you're either mistaken, [...]
Huh, what? Where did that come from?
I would generally appreciate it if we refrain from dragging employers,
business contacts, etc., into what amounts to an exchange of personal
opinions.
However, calling it an all out myth is misleading, and
You and Ormandy have a lot to learn, still.
Oh, hai.
/mz
You can't be high profile Google employees one minute and switch off as
personal entities the next, it's pretty basic.
Thank you for pointing this out to me. Your concern has been noted.
/mz
all apologies, that was not my intent in the least-- referencing the public
portion of the aurora stuff, which is part of the myth I thought you were
referencing.
Sure. The moment the discussion strays toward these topics, I am
obviously not at liberty to discuss them freely.
In general, I
FYI, here's a provisional advisory from Microsoft acknowledging this issue:
http://www.microsoft.com/technet/security/advisory/2501696.mspx
/mz
I wouldn't like to discourage people from submitting vulns to vendors, but this is the
response you're most likely to get from those kinds of vendors no matter what
you found in their system. I've had more than a dozen similar experiences like
yours. Now it's public + fixed and you get nothing beside
1. The www.google.com app doesn't filter the CRLF
This is not strictly required; there are other scenarios where this
vulnerability is exploitable.
2. IE supports the mhtml protocol handler to render the mhtml file format,
and this is why mhtml: is designed
The real problem is that when mhtml: is
Hi list,
== SUMMARY ==
I am happy to announce the availability of cross_fuzz - an amazingly
effective but notoriously annoying cross-document DOM binding fuzzer that
helped identify about one hundred bugs in all browsers on the market - many
of said bugs exploitable - and is still finding more.
These manufacturers use the same key on each of their models? That seems
ridiculous to me...
As a person who had a Siemens AP / router with a hardcoded, hidden
management account on it, I find your surprise entertaining ;-)
Craig, cool project.
/mz
So for 10 years IPSEC has had a backdoor in it and not one person examining
the code has noticed it? Or even questioned it? That's a bit hard to
believe.
Yeah, this totally never happens in the FOSS world.
http://www.theregister.co.uk/2009/08/14/critical_linux_bug/
/mz
sci.crypt would probably be the best place to ask. I imagine there's a
discussion already, but have not visited lately.
Have you been to the Usenet recently?;-)
/mz
Hi folks,
Two minor things that do not deserve a lengthy discussion, but are
probably mildly interesting and worth mentioning for the record:
1) Chrome browser is an interesting example of the perils of using
minimalistic window chrome, allowing multiple windows to be spliced
seamlessly to
1) Yup, pretty unconvincing. Though one could separate window shadows,
I'm guessing you have your window manager configured to render window
shadows. In this case, this is less plausible, yup, unless you do the
inverted gradient trick.
2) Where is here? :)
I tried to dig something up, but
Hi folks,
Firefox 3.6.13 fixes an interesting bug in their same-origin policy
logic for pseudo-URLs that do not have any inherent origin associated
with them. These documents are normally expected to inherit the
context from their parent, or be assigned a unique one. This didn't
work as expected
grep -r ACIDBITCHES *
This code has two very obvious detection bypass vulnerabilities:
1) It fails to scan dotfiles in the starting directory,
2) It can be tricked into not producing any output by creating a file
named -q in the starting dir.
Let me fire up my vulnerability research
This reminded me of a bunch of problems I spotted in Juniper SSL VPN a
while ago; they are apparently fixed, but I don't recall seeing any
public vendor advisory / credit for reporting them - so here you go,
even if just for the record...
These were fixed by Juniper in IVE 6.3R1, 6.2R3, 6.1R5,
And the political spin: companies get away with shipping broken
software and residing in (1) and (2) above because there are no
software liability laws, even though software enjoys intellectual
property protection. Reason: In America, corporate America bribes the
legislature (err, makes 'PAC
For once and for all: There is no such thing as a zero-day
vulnerability (quoted), only a 0-day exploit...
Cool story, bro.
Any thoughts on the use of the term hacker?
/mz
Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.
My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
Eh, you can see where it came from though. Design bugs like this are
absolutely miserable to fix (see how we'll never get rebinding out of the
browser) and letting identical IPs script against each other lets an awful
lot of legitimate traffic through while blocking almost all attacks.
Please, try to figure out the difference b/w exploitability and vulnerability.
Here's my definition
Exploitable vulnerability = vulnerability
Non-exploitable vulnerability = mental masturbation
HTH,
/mz
Hi,
This may be of some interest to people on the list:
http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html
In general, there is a class of UI design problems that trace back to
the failure to account for the inherent limitations of human
cognition; the specific example
Err, the subject should read hijacking, not spoofing. Sorry, not
very awake today.
/mz
It seems that corporate America's purchasing of politicians (err, PAC
contributions) has been well worth the investment. Legislation is such
that victims and shareholders both suffer after a breach.
* Heartland Databreach Lawsuit Dismissed
A COI knows no national boundaries.
Oh sure - but Jeffrey seems to be particularly critical of US
policies; I suspect this is unfair ;-)
/mz