Some bullsh*t from me

Howdy my blog's readers! Did you notice my blog title changed? Before it was: "Zoiz Blog : A Web Application Security Blog". And now: "Zoiz Blog : Was A Web Application Security Blog". Well, it means that I barely have time any more to do research in webappsec. It's a lame blog anyway, cheers :)

BITS (BatamCity! IT Solutions), founded by me and co-founded by Mr. Feny, is a company that operates in Information Technology Solutions, just like its name :) We develop web applications, intranet applications and inventory & GL systems, and also do logo design, training and consulting.

Besides working at BITS, I am also a lecturer at Universitas International Batam (UIB), teaching "Internet Security". And I am going to be the speaker at the coming university seminar (a webappsec-related topic).

I recently got my degree as "Sarjana Komputer", which is something like a "Bachelor of Science".

Graduation

These are the jobs that keep me too busy to blog. But I'll still blog when I have time ;)

And this is the picture taken at the first Hackers Day event (What the hell?! Wasn't I supposed to post this 3 months ago?? Hahaha. Sorry guys, better late than never :P )

We, at the Hackers Day event
From left to right: Calvin, Zoiz, Th0R, FamilyCode, Izal, JKR, Eric, ??

That’s all folks.

SQL Injection using XSS

It's been a couple of weeks since my last post. I've been very busy managing my newly set up company. And I think it's time to post another (lame) article right here on this very (lame) blog.

After reading "Thousand Ways to SQL Injection", people started to ask me whether it is possible to launch a SQL injection using XSS. Some of them questioned the possibility of it, some of them don't even believe it's possible. And some of them say it could happen but don't know how, or have never come across one.

Let's take a look at the following 'fictive' (and lame) scenario of SQL injection using XSS:

As we know, site abc.com uses GoodGoodCMS_v1.0 as its Content Management System. Mr. Z, the attacker, found out that GoodGoodCMS has an XSS flaw on the admin page. But there is not much to exploit with it, since GoodGoodCMS doesn't use cookies as the authentication method. Mr. Z did find out, however, that GoodGoodCMS uses cookie values in SQL queries without proper filtering.

Guess what? Mr. Z pulls off an XSS and inserts something like this:

<script>document.cookie="1; UPDATE admin_table SET password=\'yihaa\' WHERE id=1";</script>

This is my concept of SQL injection using XSS. Correct me if I am wrong, and you are very welcome to share your ideas about this topic here.
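The CMS side of the scenario above, as an added example (not code from this post or from any real CMS): a lookup that drops the raw cookie value into a numeric WHERE clause, beside a version that validates the cookie and binds it as a parameter. Only the table name and the 'yihaa' value come from the post; the column names, the session-id-in-a-cookie assumption, the sample cookie values and the use of sqlite3's executescript to stand in for a driver that accepts stacked statements are all assumed.

```python
import sqlite3

# Cookie values as the server would see them (constructed for this example).
# The injected one is the post's payload: the CMS is assumed to put the raw
# cookie value into a numeric WHERE clause, so the leading "1;" closes the
# intended statement and the UPDATE follows as a stacked query.
HONEST_COOKIE = "1"
INJECTED_COOKIE = "1; UPDATE admin_table SET password='yihaa' WHERE id=1"


def fresh_db():
    """In-memory stand-in for the CMS database (table name from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_table (id INTEGER PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO admin_table VALUES (1, 'original')")
    conn.commit()
    return conn


def admin_password(conn):
    """Current admin password, used to observe whether the UPDATE ran."""
    return conn.execute("SELECT password FROM admin_table WHERE id = 1").fetchone()[0]


def load_admin_vulnerable(conn, cookie_value):
    """The flaw from the post: the cookie is concatenated into SQL.
    sqlite3's executescript stands in for a driver or setup that accepts
    stacked statements; with such a driver the trailing UPDATE executes."""
    conn.executescript(f"SELECT id FROM admin_table WHERE id = {cookie_value};")
    return admin_password(conn)


def load_admin_hardened(conn, cookie_value):
    """Treat the cookie like any other attacker-controlled input: check that
    it has the shape an id should have, then bind it as a parameter so the
    database never parses it as SQL. Returns the admin id, or None when the
    value is rejected (a rejection here is worth logging as tampering)."""
    if not cookie_value.isdigit():
        return None
    row = conn.execute(
        "SELECT id FROM admin_table WHERE id = ?", (int(cookie_value),)
    ).fetchone()
    return row[0] if row else None
```

Parameter binding alone would already stop the payload, because the whole cookie string is then compared as a value against the integer id; the format check in front of it mainly gives you a clean signal to alert on.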

Thanks

Zoiz – http://zoiz.web.id