Whois XSS

Last night one of my friends, Robin, showed me this link: http://www.blackhatdomainer.com/whois-xss/ (and I also found this on RSnake’s Blog)

I noticed that the XSS was actually the same as mine. Here is the article I posted: Don’t Whois My Domain

This reminds me of a funny thing :D When the Administrator of the Domain Registrar found out about this XSS, he didn’t suspend my account! But he did change my name (if I remember it correctly :P ) to “I am a gay”. Geez, he sucks! haha. And it’s been patched since September, 2 months or so after my finding.

And this tells us that Indonesia’s official Domain Registrar is in some aspects better than other countries’ Domain Registrars; at least they are not vulnerable to Whois XSS :P

By : Zoiz [at] http://zoiz.web.id

Blog Engine Upgraded

Hi there.. I’ve just upgraded my blog engine to WordPress 2.3.2 to fix some bugs and enhance the functionality. I’ve also installed several plugins. Thanks for your visit.. Happy New Year 2008 and GBU always~

And yeah, I forgot to mention, someone left a hidden message for me at the bottom; well, I’ll just leave it there as a memorandum^^

WordPress Dashboard Bug

This morning I found a bug in the WordPress Dashboard that will (maybe will) cause the server to overload. Here is the screenshot:

I’ve emailed the WordPress Team the details :)

Bug Report By : Zoiz[at]HackingForte.org

Relax!

Follow this link for a quick laugh :P

http://zoiz.web.id/olahraga

A movie list

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery, known as CSRF, is a type of attack that uses the trust a website has in a user to forge an illegal request or command. To make this clearer, let’s look at this example:

Mr. Jo is a customer of Bank A. He signed up for the e-Banking service a couple of days ago. Zo is the attacker. In some way, Zo managed to trick Mr. Jo into visiting his site. The site contained a CSRF image that linked to Mr. Jo’s e-Banking account panel and crafted a forged request to transfer funds. Because Mr. Jo’s login cookies hadn’t expired yet, the e-Banking system executed the request, and Mr. Jo became a victim of a CSRF attack.

This can happen because of several factors :

  1. Mr. Jo didn’t completely log out from the e-Banking system
  2. CSRF bug on the e-Banking site
  3. Mr. Jo was tricked into visiting a malicious site that was set up by Zo

Here I provide you a live example of CSRF (No worries, it just logs you out of your Gmail account) : Read the rest of this entry »
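Factor 2 in the list above (the CSRF bug on the bank's side) is the one the site owner controls. The following is an added example, not code from the original post: a toy transfer handler that trusts the session cookie alone, beside a hardened one that requires POST plus a per-session token. The session id, balances and function names are all constructed for illustration.

```python
import hmac
import secrets

# Constructed server-side state: one logged-in session for Mr. Jo.
SESSIONS = {"sess-jo": {"user": "jo", "csrf_token": secrets.token_hex(16)}}
BALANCES = {"jo": 1000, "zo": 0}


def _transfer(user, params):
    amount = int(params["amount"])
    BALANCES[user] -= amount
    BALANCES[params["to"]] += amount
    return 200


def vulnerable_transfer(method, cookies, params):
    """Acts on any request that carries a valid session cookie."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    return _transfer(session["user"], params)


def hardened_transfer(method, cookies, params):
    """State change only via POST carrying the per-session anti-CSRF token."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    if method != "POST":
        return 405
    sent = params.get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403
    return _transfer(session["user"], params)


# What the bank receives when the image on Zo's page loads: the browser
# attaches Mr. Jo's cookie automatically, but Zo's page cannot read the token.
FORGED = ("GET", {"sid": "sess-jo"}, {"to": "zo", "amount": "500"})


def legitimate_request():
    """The bank's own transfer form, which embeds the session's token."""
    token = SESSIONS["sess-jo"]["csrf_token"]
    return ("POST", {"sid": "sess-jo"},
            {"to": "zo", "amount": "100", "csrf_token": token})
```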

Leaving Unused Site Online : Bad Idea!

This short article will let you know why leaving an old or unused site online is really a bad idea. You’ll know why by seeing this :

SQL Injection on TelkomSpeedy old CMS :
httpp://www.telkomspeedy.com/new/product.php?section=program&id=1%20UNION%20
SELECT%20id,%20gambar,%20judul,%20isi,%20tanggal%20from%20speedy_press–

Let’s say their new CMS is 99.99% free of bugs, but people can still own them through their old CMS. This could be a big security hole. I hope they will read my blog and close it immediately :) This issue applies to Indosat as well. I’m not sure whether other big companies are doing the same; it’s really a bad idea, though.

Original Idea by Zoiz [at] HackingForte.org
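The kind of flaw the URL above relies on, and its fix, as an added example that is not part of the original post or of the site's code. The `product` table, the sample rows and the function names are assumptions made for illustration; only the column names and `speedy_press` come from the URL.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the old CMS database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    cols = "id INTEGER, gambar TEXT, judul TEXT, isi TEXT, tanggal TEXT"
    db.execute(f"CREATE TABLE product ({cols})")
    db.execute(f"CREATE TABLE speedy_press ({cols})")
    db.execute("INSERT INTO product VALUES "
               "(1, 'p.jpg', 'Program', 'public text', '2007-01-01')")
    db.execute("INSERT INTO speedy_press VALUES "
               "(7, 'x.jpg', 'Press', 'other table', '2007-02-02')")
    return db


QUERY = "SELECT id, gambar, judul, isi, tanggal FROM product WHERE id = "


def legacy_lookup(db, raw_id):
    """Old-CMS style: the id parameter is pasted into the SQL text."""
    return db.execute(QUERY + raw_id).fetchall()


def fixed_lookup(db, raw_id):
    """Validate the type, then bind the value instead of concatenating it."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return []
    return db.execute(QUERY + "?", (int(raw_id),)).fetchall()


# The id value from the URL above, URL-decoded, written with "--" as the
# SQL comment marker.
INJECTED_ID = ("1 UNION SELECT id, gambar, judul, isi, tanggal "
               "from speedy_press--")
```

A fix like this only helps on code that is still maintained, which is the post's point: an abandoned CMS never receives it, so the old site has to be taken offline.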

Microsoft Windows Tweaks – Part II

Hey there, it’s me again, in Microsoft Windows Tweaks Part II! OK, these tweaks are original; I found them myself. If you find them on other sites, that’s usual, because these are the only entries provided by Microsoft! Because I’m too lazy right now, I won’t be embedding pictures :( but don’t worry, I’ll add as much information as possible. In the next part, I’ll trim things down more, as you’ve already had an introduction to regedit in Part I. Sorry :D This is a bunch of tips only. You can find more of mine on Google :P

Notifier for Newly Installed Application
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Entry: Start_NotifyNewApps
Type: REG_DWORD Read the rest of this entry »

Google? Google!

Let’s talk about Google this time. Each time I visit the Google WebMasters Dashboard and check the search queries that hit my blog, I always see something funny. Yeah, they are irrelevant keywords. I’ll mention some funny queries, let’s see ;)

query : koran di batam
http://www.google.com/search?hl=en&q=koran+di+batam&btnG=Search

For this one, Zoiz’s blog is at the top of the search results

query : sekolah di batam
http://www.google.com/search?hl=en&q=sekolah+di+batam&btnG=Search

Zoiz’s blog also landed at the top of the search results

query : telkomspeedy
http://www.google.com/search?hl=en&q=telkomspeedy&btnG=Search

Zoiz’s blog is on the first page with the title “Hacking TelkomSpeedy” ouch! What if Telkom sees this? :P

query : cracking yogyafree
http://www.google.com/search?hl=en&q=cracking+yogyafree&btnG=Search

Ahh, I never tried to crack Yogyafree!! Oh mas Jerry you must understand this! :P

But this one is relevant, which makes me feel good

query : tips for making passwords
http://www.google.com/search?q=tips+for+making+passwords&ie=utf-8&oe=utf-8&aq=t

This keyword puts Zoiz’s blog at the top of Google Search, competing with 7.24 million results!!

Well, Google did bring me dozens of visitors each day. I’ll write a tutorial about how to make a Google Friendly site next time. Thanks Google!

Regards,

By : Zoiz [at] HackingForte.Org