Choosing (Differences) Toyota Rush vs Daihatsu Terios vs Toyota Avanza

First of all, this post is for Indonesians and is therefore written in Bahasa Indonesia. Sorry, English readers :P

Dear blog visitors, have you ever felt confused when choosing a car? For example choosing a brand, choosing a model, and of course choosing a price. At the moment there are very many car brands such as Toyota, Honda, Mitsubishi, Hyundai, and so on. But my choice is still a Toyota: besides spare parts being easy to get, the engine's durability is proven. And most importantly, the resale (second-hand) price is not bad at all :D

4 years ago I bought a Toyota Corona for about Rp. 58.000.000, and a while ago I sold it. Do you know what the market price was? Rp. 74.000.000,- :P Up by about Rp. 16.000.000,-. Hehehe. Yup, because when I bought it the FTZ was still in effect, while when I sold it the other day the FTZ had been temporarily revoked, so the price of ex-Singapore cars rose drastically. Not bad, right? :D

Now I'm also confused, because I want to buy a new car on credit (in installments) but can't decide which of the 3 to pick. There are 3 car models that I will discuss here, namely:

Bypass Anti XSS Filter : A Little Nice XSS Trick

Sometimes when I develop web applications, I don't feel good when I am asked to allow HTML in user inputs / outputs. What scares me? XSS, I think.

This morning I received an interesting email from the webappsec.org mailing list. Amit Klein found out that he can trigger an XSS without a <script> tag NOR inside ONE. Here is the PoC :

<html>
***XSS code may be embedded here***
<script src="/foo/bar.js"></script>
</html>

The XSS is something like this :

Save Our Earth : An Earth Day Essay by Paul Watson

I found this article when I was searching for one of Albert Einstein's quotes after I watched the movie "The Happening". A cool movie to me. If you are a citizen of this earth and want to know our earth's current condition, read this carefully.

An Earth Day Essay by Paul Watson
Founder and President of Sea Shepherd Conservation Society

Bees are Extinct
Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.
– Albert Einstein (1879 – 1955)

Earth Day is almost here. I don't believe in Earth Day myself. I think it's a little silly to devote one single day of the year to being concerned about the environment, but I suppose one day is better than no day at all.

What’s going on this month

It's been 3 weeks since my last post. Lots of things happened, and of course good ones. The good news recently is that I am going to be a lecturer at Universitas International Batam, teaching the 'basic' Internet Security subject.

A week ago, I got a call from Mr. Ronny Juwono, SPd, MT (the Head of IT Courses of UIB). A little shocked + happy (shoppy?? :P ) when he asked me to lecture at UIB on the subject Internet Security. Wow, sounds cool! And so I went to UIB to meet him the other day. Yes, he told me his very (awesome) mission is to teach UIB students awareness of Internet Security. (I knew that this subject was never taken seriously). Good foresight and a really good start.

As I always thought, I am not qualified, but I'll always try my best to bring the latest technology to UIB students.

Another piece of good news is that my best pal, Robin Kordinata, married Devi. Lovely couple!! I went to the wedding party with a bunch of my (evil) friends and brought our best wishes to Robin & Devi. I was really happy that day (got a little bit drunk :P , oh my!). A new baby is on the way to this world :D Yes, we are all waiting for the good news! Hehe

And yes, Mr. Buchin got married last week. I wish him and his bride a happy life together till the end :) And of course, another baby is on the way to this world :P

And of course more good news is that I got a new project on hand, and that's why I can barely find time to update my blog. But I'll be back soon! So stay tuned! :D

So lots of good news, isn't it? Tell you a secret: when you want yourself to be happy, you'll be happy! ;)

Browser Based Distributed Denial Of Service (DDoS)

I've been very busy doing some projects out there, so I can barely find time to think of or do something new. Now I am back here again to share my ideas on this very little blog. This time I will talk about Browser Based Distributed Denial Of Service.

This might not be a new topic here, but I found out that my visitors are hardly interested in this topic. And I once discussed this with RSnake a little bit, and he seemed not to be interested either. I'll use this article to show you the "yo" side of browser based DDoS payloads.

If you haven't read my previous articles, you might be interested in taking a peek at them.

The point / main purpose of using CSRF for Denial Of Service is that the attacker uses your browser's capability to make malicious requests without your knowledge, to launch a Denial Of Service against one or more targeted victims. Thus you might become the zombie computer simply by visiting a malicious site.

It's not without proof. This morning I tried to launch a DoS against one of my sites. The result was that within 5 minutes I got a warning telling me that my site was suspended because CPU usage was exceeded. And it was down for approximately 10 minutes. When I took a look at the log, I noticed that this technique actually executed >4500 pages from my site within a few minutes. What does the payload look like? Here is the screenshot :

Browser Based Denial Of Service

And my site was suspended as the result :

Denial Of Service took down my site

So next time you visit new sites, please be more cautious. Browsing the Net using NoScript is highly recommended.
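What the server side of this looks like in the access log, as an added example that is not part of the original post: a small Python detector that parses combined-format log lines, finds any client whose page hits in a sliding window reach a burst threshold (the post saw >4500 pages within a few minutes), and counts how many of that client's requests carried a cross-site Referer, which is what a CSRF-triggered flood looks like from the victim site's side. The site host, window, threshold and sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Apache/nginx "combined" log format; the sample lines below are constructed.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
SITE_HOST = "zoiz.web.id"  # assumed host of the site being protected
WINDOW_SECONDS = 60        # assumed sliding-window length
THRESHOLD = 50             # assumed hits per client per window that count as a burst

def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ref = m.group("ref")
    ref_host = urlparse(ref).hostname if ref != "-" else None
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "ref_host": ref_host}

def find_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: (peak_hits_in_one_window, cross_site_referer_hits)} for every
    client whose request rate in some window of `window` seconds reaches `threshold`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):  # two-pointer sliding window over timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            foreign = sum(1 for r in recs if r["ref_host"] and r["ref_host"] != SITE_HOST)
            alerts[ip] = (peak, foreign)
    return alerts

def sample_log():
    """Constructed sample: one client loading 120 pages in 30 s with a foreign
    Referer (CSRF-style flood) plus a normal visitor; not real traffic."""
    lines = ['198.51.100.7 - - [10/Apr/2008:09:15:%02d +0700] "GET /?p=%d HTTP/1.1" '
             '200 5120 "http://malicious.example/" "Mozilla/5.0"' % (i // 4, i)
             for i in range(120)]
    lines += ['203.0.113.5 - - [10/Apr/2008:09:15:%02d +0700] "GET / HTTP/1.1" '
              '200 5120 "-" "Mozilla/5.0"' % s for s in (5, 40, 55)]
    return lines
```

Run it against a real log with `find_bursts(open("access.log"))`; a burst whose requests nearly all carry the same foreign Referer points at the page that is driving visitors' browsers, which is the thing to block or report.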

Thanks!

By : Zoiz – http://zoiz.web.id
Nothing is Secure

Register.net.id Bugs Hunt

This Might Be The Biggest Ever Zero Day Vulnerability Reported in Indonesia From the View of Its Impact.

Register.net.id is a .id domain registrar in Indonesia. It provides Indonesian webmasters with domains at affordable prices (But I got this domain for FREE – promotion period only!! :P ). Since it's a domain registrar site, it can be considered a very important site in Indonesia. It serves webmasters in Indonesia for their .id domain needs, with approximately more than 40.000 active domains, which is a huge number.

One of the terms for applying for a .id domain is that the user must upload his/her personal information, like a Personal Identity Card, NPWP, SIUP, SITU, etc., depending on what kind of TLD he/she wants. For example, to request a .web.id domain, a user must upload his/her Personal Identity Card (KTP). And so on for other kinds of TLD.

Probably a 0-Day WordPress 2.3.3 Exploit

Just now Arie asked me whether I knew about the WordPress 2.3.3 Hidden Link Injection or not. Actually I didn't know anything about that on WordPress 2.3.3 before he asked me, because I was in the middle of my seven fcuking days. After doing a small search, I found out things are getting more and more interesting.

After I read what Luca posted on his blog and did some small research, I found out (but I'm not 100% sure) that there might be an Automated Script (Worm) running out there targeting some outdated WordPress Powered Blogs.

To see how many victims there are out there, you can use this Google Search Keyword. There were 7000 victims (unTechy said) on 28 March, and it's 3x more victims today. You can see how fast the infection is!

I still haven't figured out how they did it, but I am pretty sure that updating your WordPress to the newest version is the easiest way to prevent this attack. I'll do a write-up once I get enough information. So my advice is that you should upgrade your WordPress and change your password (your password hash might have been stolen) as soon as possible!

Zero Day phpBB3 Board Exploit [XSS via PM]

Zero Day phpBB3 Exploit (XSS via PM). Content Temporarily Removed~

Thanks,

Zoiz