SQL Injection using XSS

It’s been a couple of weeks since my last post. I’ve been very busy managing my newly set up company. And I think it’s time to post another (lame) article right here on this very (lame) blog.

After reading “Thousand Ways to SQL Injection“, people started to ask me whether it is possible to launch a SQL injection using XSS. Some of them questioned me about the possibility of it, some of them don’t even believe it’s possible. And well, some of them say that’s gonna happen but don’t know how, or never came across one.

Let’s take a look at the following ‘fictive’ (and lame) scenario of SQL Injection using XSS :

As we know, site abc.com uses GoodGoodCMS_v1.0 as its Content Management System. Mr. Z, the attacker, found out that GoodGoodCMS has an XSS flaw on the admin page. But there is nothing much to exploit, since GoodGoodCMS doesn’t use cookies as the authentication method. Mr. Z did find out, though, that GoodGoodCMS uses cookie values in SQL queries without a proper filter.

Guess what? Mr. Z pulls an XSS and inserts something like this:

<script>document.cookie="1; UPDATE admin_table SET password=\'yihaa\' WHERE id=1";</script>

This is my concept of SQL Injection using XSS. Correct me if I am wrong, and you are very welcome to shout your ideas about this topic here.
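To make the scenario concrete from the CMS side, here is an added example (my own code, not part of the post and not GoodGoodCMS, which is fictive anyway): the "cookie value in SQL without a proper filter" handler next to its fixed form, run against the exact cookie value the payload above plants. Table and column names are assumed from the payload, the `visits` column is invented for the demo, and sqlite3's `executescript` stands in for a database driver that accepts stacked statements.

```python
import sqlite3

# Constructed stand-in for GoodGoodCMS's schema (table/column names assumed
# from the post's payload; 'visits' is invented for this demo).
SCHEMA = """
CREATE TABLE admin_table (id INTEGER PRIMARY KEY, name TEXT, password TEXT, visits INTEGER);
INSERT INTO admin_table VALUES (1, 'admin', 'original-secret', 0);
"""

# The cookie value the post's XSS payload plants in the admin's browser.
HOSTILE_COOKIE = "1; UPDATE admin_table SET password='yihaa' WHERE id=1"


def fresh_db():
    """In-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def admin_password(conn):
    return conn.execute("SELECT password FROM admin_table WHERE id = 1").fetchone()[0]


def admin_visits(conn):
    return conn.execute("SELECT visits FROM admin_table WHERE id = 1").fetchone()[0]


def touch_visit_vulnerable(conn, uid_cookie):
    """The CMS pattern the post describes: the cookie is pasted straight into the
    SQL text. executescript stands in for a driver that runs stacked statements,
    so whatever follows the ';' inside the cookie is executed as well."""
    conn.executescript("UPDATE admin_table SET visits = visits + 1 WHERE id = %s" % uid_cookie)


def touch_visit_safe(conn, uid_cookie):
    """Same operation, fixed: reject anything that is not an integer id, and bind
    the value as a query parameter so its text can never become SQL.
    Returns True when the update ran, False when the cookie was rejected."""
    if not uid_cookie.isdigit():
        return False
    conn.execute("UPDATE admin_table SET visits = visits + 1 WHERE id = ?", (int(uid_cookie),))
    conn.commit()
    return True


def demo():
    """Run both handlers against the hostile cookie and report what happened."""
    result = {}

    conn = fresh_db()
    touch_visit_vulnerable(conn, HOSTILE_COOKIE)
    result["vulnerable_password"] = admin_password(conn)   # 'yihaa': admin password replaced

    conn = fresh_db()
    result["safe_accepted"] = touch_visit_safe(conn, HOSTILE_COOKIE)  # False: cookie rejected
    result["safe_password"] = admin_password(conn)          # 'original-secret': untouched

    conn = fresh_db()
    touch_visit_safe(conn, "1")
    result["safe_visits"] = admin_visits(conn)              # 1: the legitimate path still works
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Whether a stacked statement actually runs depends on the driver (Python's sqlite3 `execute`, for instance, refuses more than one statement per call), but that is not the defence: the fix is that the cookie value is validated and bound as a parameter, so it reaches the database as data, never as SQL text.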

Thanks

Zoiz – http://zoiz.web.id

Bypass Anti XSS Filter : A Little Nice XSS Trick

Sometimes when I develop web applications, I don’t feel good when I’m asked to allow HTML in user inputs / outputs. What scares me? XSS, I think.

This morning I received an interesting email from the webappsec.org mailing list. Amit Klein found out that he can trigger an XSS without a <script> tag NOR inside ONE. Here is the PoC :

<html>

***XSS code may be embedded here***

<script src="/foo/bar.js"></script>

</html>

The XSS is something like this :

Echo Search String (Query) XSS

Ever saw something like this :

We noticed you arrived on Bla3.com searching for “GOD Sighting”
You might find additional content on those search terms at this site search link

The page echoes your search strings. What if :

inurl:thevulnsite.com intext:<script>alert(/xss/);</script>

How to use? CSRF is the answer. Remember that XSS & CSRF are pals :P

Thanks,

Zoiz
http://zoiz.web.id

WP-StatPress XSS

If you are using WP-StatPress plugin (1.2.9 or below) on your WP blog, you might need to take a look at this :

php Line 1146 : $referrer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');

This might pull an XSS out of your admin page if a malicious user spoofs the Referer URL into something like this : http://bla3.com/'>"><script>alert(/XSS/)</script>

You might either update your StatPress or fix it yourself by sanitizing $referrer.
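Both the "Echo Search String" post and this StatPress one come down to the same defect: a Referer header, which the visitor controls entirely, is written into a page without output encoding. The following is an added example of the fix, written by me and not taken from StatPress or from any of the sites mentioned: it pulls the search phrase out of a Referer URL the way the echo feature does, renders it unsafely and safely, and shows how a stored referrer should be printed in an admin page. The sample Referer values are constructed (the hostile one is the URL from this post), and the list of search query keys is an assumption.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample Referer headers: a normal search-engine referral and the
# hostile one from the WP-StatPress post.
SEARCH_REFERER = "http://www.google.com/search?q=GOD+Sighting&hl=en"
HOSTILE_REFERER = "http://bla3.com/'>\"><script>alert(/XSS/)</script>"

# Query-string keys that commonly carry the search phrase (assumed list).
SEARCH_KEYS = ("q", "p", "query")


def search_terms(referer):
    """Return the search phrase carried by a Referer URL, or None if there is none."""
    try:
        query = urlsplit(referer).query
    except ValueError:
        return None
    params = parse_qs(query)
    for key in SEARCH_KEYS:
        if key in params and params[key][0].strip():
            return params[key][0]
    return None


def notice_unsafe(referer):
    """The echo feature as the 'Echo Search String' post describes it: the
    attacker-controlled string is dropped straight into the HTML."""
    shown = search_terms(referer) or referer
    return '<p>We noticed you arrived searching for "%s"</p>' % shown


def notice_safe(referer):
    """Same feature with output encoding for an HTML text context: <, >, &, "
    and ' become entities, so a <script> payload is displayed, not executed."""
    shown = html.escape(search_terms(referer) or referer, quote=True)
    return '<p>We noticed you arrived searching for "%s"</p>' % shown


def referrer_cell_safe(referer):
    """What a StatPress-style admin page should do before printing a stored
    referrer: escape it for the context it lands in (link text and href), and
    only link to http(s) URLs so other URL schemes never become a clickable link."""
    shown = html.escape(referer, quote=True)
    href = shown if referer.lower().startswith(("http://", "https://")) else "#"
    return '<a href="%s">%s</a>' % (href, shown)


if __name__ == "__main__":
    print(notice_unsafe(HOSTILE_REFERER))   # raw <script> lands in the page
    print(notice_safe(HOSTILE_REFERER))     # &lt;script&gt; ... is just text
    print(referrer_cell_safe(HOSTILE_REFERER))
```

In PHP the equivalent of `html.escape(..., quote=True)` is `htmlspecialchars($referrer, ENT_QUOTES)`, and inside WordPress `esc_html()` / `esc_url()` do the same job for text and link contexts; the point is that the escaping happens at output, in the context the value is printed into, not by "filtering" the header on the way in.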

http://wordpress.org/extend/plugins/statpress/

Credits fly to : Rogério Vicente & Daniele Lippi

Base64 Encoded XSS

This is rare, but there is one. A live XSS out there on one of Yahoo!’s portals (Found by Lokipaki). And the XSS is base64 encoded. When I tried the XSS myself, I felt a little shocked because this XSS actually bypassed the No-Script plugin.

Here is the Proof of Concept :

http://bbs.cn.yahoo.com/searchApplyBoard/PHNjcmlwdD5hbGVydCgiWFNTLWJ5cGFzcy1Oby1TY3JpcHQiKTwvc2NyaXB0Pg==.html

Result :

XSS on Yahoo over No-Script plugin. It’s a triple kill! I know Yahoo! is in the No-Script white-list, but I thought No-Script was supposed to block this XSS anyway. What do you think?
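The reason a request filter can miss this one is that the payload only turns into markup after the server base64-decodes the path segment, so anything that inspects the raw URL sees harmless letters. As an added example (my own helper, not NoScript's logic and not anything from Yahoo!), here is a decode-then-inspect check of the kind a WAF rule or log review would apply: each path segment is examined both as-is and after any base64 decoding it admits. The URL is the one from this post; the base64 shape heuristic and the extension stripping are my assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# The URL from the post, reproduced so the helper has something to inspect.
SAMPLE_URL = ("http://bbs.cn.yahoo.com/searchApplyBoard/"
              "PHNjcmlwdD5hbGVydCgiWFNTLWJ5cGFzcy1Oby1TY3JpcHQiKTwvc2NyaXB0Pg==.html")

# Heuristic (assumed): a segment of 8+ base64 characters (standard or URL-safe
# alphabet), once a file extension such as .html has been removed.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")
EXTENSION = re.compile(r"\.[A-Za-z0-9]{1,5}$")
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)


def decodings(segment):
    """Yield the segment's raw bytes, then any base64 decoding it admits."""
    yield segment.encode("utf-8", "surrogateescape")
    core = EXTENSION.sub("", segment)
    if not B64_SHAPE.match(core):
        return
    padded = core + "=" * (-len(core) % 4)          # tolerate stripped padding
    for candidate in (padded, padded.replace("-", "+").replace("_", "/")):
        try:
            yield base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue


def script_bearing_segments(url):
    """Return (segment, decoded_bytes) for every path segment whose raw or
    base64-decoded form contains a <script tag."""
    hits = []
    for segment in urlsplit(url).path.split("/"):
        segment = unquote(segment)                   # percent-decoding first
        if not segment:
            continue
        for data in decodings(segment):
            if SCRIPT_TAG.search(data):
                hits.append((segment, data))
                break
    return hits


if __name__ == "__main__":
    for segment, data in script_bearing_segments(SAMPLE_URL):
        print(segment, "->", data)
```

The general lesson, which this block demonstrates for base64 and percent-encoding only, is that inspection has to happen on the same representation the application will act on; the durable fix on the server is still output encoding of whatever the decoded value is reflected into.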

Register.net.id Bugs Hunt

This Might Be The Biggest Ever Zero Day Vulnerabilities Reported in Indonesia From the View of its Impact.

Register.net.id is a .id domain registrar in Indonesia. It provides Indonesian webmasters domains at affordable prices (But I got this domain for FREE – promotion period only!! :P ). Since it’s a domain registrar site, it can be considered a very important site in Indonesia. It serves webmasters in Indonesia for their .id domain needs, with approximately more than 40.000 active domains, which is a huge number.

One of the terms for applying for a .id domain is that the user must upload his/her personal information thingie like Personal Identity Card, NPWP, SIUP, SITU, etc., depending on what kind of TLD he/she wants. For example, to request a .web.id domain, a user must upload his/her Personal Identity Card (KTP). And so on for other kinds of TLD.

Critical Vulnerability on ZoneAlarm.Com

Do you know or have you ever used ZoneAlarm, a product from Check Point Software Technology?

ZoneAlarm is one of the most secure brands in end-user Internet security software. It’s developed by Check Point Software Technology Company. It protects over 60 million PCs from viruses, spyware, hackers and identity theft. The award-winning Internet security product line is installed on end users’ PCs and in small businesses, protecting them from Internet threats.

Although Check Point provides Internet security services, their web system is not 100% secure at all. I have found some critical vulnerabilities even on their own official site!!

UserAgent XSS

Once you see the title you might already know what this article is about. Yeah! Injecting some candies into your browser UserAgent might launch an XSS attack. Here’s how to do it :


Massive HTML Injection Vulnerability

This could become a massive vulnerability since many sites and blogs out there allow users to post images in article comments. In my small research, I found out that we could launch an HTML Injection, XSS and even CSRF attack against sites that are vulnerable to this. Here is the PoC :


Web Based HTML Injection Scanner

When I was browsing Lain’s Blog, I saw a web-based tool, developed by SEO Egghead, to scan your web application for XSS and HTML Injection vulnerabilities. Although it’s old, it may still be useful.

Here is the review :
