Comments on Jeremiah Grossman: Calling all security researchers! Submit your new 2010 Web Hacking Techniques

Blogger comment feed for the post (55 comments in total; the 25 most recent follow, newest first; feed retrieved 2024-02-08). Times are US Pacific.


Anonymous (2012-08-13 09:46 -07:00):

You guys shouldn't be posting advice to hack.


Jeremiah Grossman (2011-01-07 09:11 -08:00):

@shinto143: The back button attack you describe, cool as it is, has actually been documented and demoed in years past. Don't have time to find the reference at the moment. And your Google Hacking concept has been around for a while; I don't see any "new techniques" described.

@Marcus Niemietz: thanks for the submission. I can certainly add it to the big list, but can't get it voted on now since the process has commenced.


Marcus Niemietz (2011-01-07 05:52 -08:00):

I would like to propose my seminar work "UI Redressing: Attacks and Countermeasures Revisited".

URL: http://ui-redressing.mniemietz.de/

Thanks in advance.


shinto143 (2011-01-06 23:10 -08:00):

New Google hacking techniques (type the queries into the Google search engine):

1. Accessing public security cameras:
   inurl:"viewframe?mode=motion"
   intitle:"Live View / - AXIS"

2. Un-spider sites:
   "robots.txt" "disallow:" filetype:txt

3. FrontPage user info:
   inurl:_vti_pvt "service.pwd"

4. PHP photo album:
   inurl:"phphotoalbum/upload"

5. VNC user info:
   "vnc desktop" inurl:5800

6. Network printer:
   inurl:"port_255" -htm

7. PHP admin account:
   intitle:phpMyAdmin "Welcome to phpMyAdmin***" "running on*as root@*"


shinto143 (2011-01-06 22:50 -08:00):

I'd like to add a vulnerability which I found during a gray box test. It's a type of back refresh attack. For mitigating back refresh attacks we use a 302 redirect on a successful operation. But in one of the apps I tested there was a password policy saying the password can't be changed within 30 days. The attack is: if the user tries to change the password within 30 days, it responds with a 200 OK response. For a successful change the adversary can't do anything. But if the password change failed for some reason (password policy, new & confirm password mismatch, etc.), the attacker can exploit the back/refresh option of the browser and capture the request in a proxy.


Jeremiah Grossman (2011-01-05 09:07 -08:00):

@zdx: "making the list" is subject to me finding it through my personal efforts or people submitting them on their own, with some light validation of course. That's a big reason for the effort: to capture everything that's been learned over the past year and not have it get lost in the ether, as has been the problem in years past.

If you can supply the best reference links to the attacks you mentioned, I'd be very happy to review them for inclusion on the big list. The CVE mention was just an indication that we want "new" techniques, not individual bug instances.


zdx (2011-01-04 22:22 -08:00):

How come the best server-side findings and techniques (Struts/JBoss/Spring) from Meder didn't make it into the list? Also, where is the Java Trusted Method Chaining by Sami Koivu?

You might argue with the "no CVE rule", but there is no clear cut between techniques and bugs in these cases actually. For example, in order to have a successful attack on ASP.NET, POET needs to exploit a bug in the ASP.NET implementation/configuration, but you have POET on the list.


Soroush Dalili (2011-01-04 05:54 -08:00):

Probably it's too late, but still good to be in the list for future reference:

- Breaking HTML parsers for fun
  http://www.thespanner.co.uk/2010/11/25/breaking-html-parsers-for-fun/

- setTimeout and setInterval
  http://www.thespanner.co.uk/2010/09/10/settimeout-and-setinterval/

- JSReg bypasses:
  http://www.thespanner.co.uk/2010/10/31/jsreg-bypasses/
  http://code.google.com/p/jsreg/wiki/Exploits
  http://rgaucher.info/planet/The_Spanner/2010/11/07/Soroush_Dalili_breaks_JSReg_again

- x5s - test encodings and character transformations to find XSS hotspots
  http://xss.codeplex.com/
  http://www.lookout.net/2010/12/20/list-of-characters-for-testing-unicode-transformations-and-best-fit-mapping-to-dangerous-ascii/

- Facebook Redirect Link – New Bypass Method – ":/" after the domain name
  http://soroush.secproject.com/blog/2010/12/facebook-redirect-link-new-bypass-method-%E2%80%93-%E2%80%9C%E2%80%9D-after-the-domain-name/

;)


Anonymous (2011-01-03 17:32 -08:00):

Interesting one if it's not too late:
http://briandefrancesco.com/?p=40


Anonymous (2010-12-31 05:29 -08:00):

SQL injection filter evasion by Reiners:

http://websec.files.wordpress.com/2010/11/sqli2.pdf (slides)

https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/ (cheat sheet)


Adam Baldwin (2010-12-29 01:17 -08:00):

While this is very specific to the Django web framework, it's essentially blind injection but at the ORM level.

http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac/


Andrew van der Stock (2010-12-28 02:26 -08:00):

The IIS 5.1 one using alternate data streams is a very, very old attack, but a new form. Appending :$DATA to filenames has been known for at least a decade.


Jeremiah Grossman (2010-12-27 15:38 -08:00):

@albino: thank you, #65

@lava: thanks, but this is too similar to earlier work:
http://jeremiahgrossman.blogspot.com/2008/04/csrf-ddos-skeleton-in-closet.html


lava, andlabs.org (2010-12-20 08:54 -08:00):

Two more suggestions:

1) Getting the cookies using a server-side redirect and Java by LeverOne:
   http://sla.ckers.org/forum/read.php?2,35422

2) d0z.me by Ben Schmidt: http://spareclockcycles.org/2010/12/19/d0z-me-the-evil-url-shortener/


James Kettle (2010-12-18 15:31 -08:00):

Would my phishing variant qualify?

http://skeletonscribe.blogspot.com/2010/12/chronofeit-phishing.html


lava, andlabs.org (2010-12-17 11:28 -08:00):

Awesome, thanks :)


Jeremiah Grossman (2010-12-17 09:52 -08:00):

@Collin: Thanks! Got you down at #62

@Lava: Added 2 of your three. Excellent work.

Plus I added two more.


lava, andlabs.org (2010-12-17 01:46 -08:00):

Some more for your consideration:

http://blog.andlabs.org/2010/12/performing-ddos-attacks-with-html5.html

http://blog.andlabs.org/2010/12/cracking-hashes-in-javascript-cloud.html

http://blog.andlabs.org/2010/07/shell-of-future-reverse-web-shell.html


Collin Jackson (2010-12-16 14:54 -08:00):

Poisoning proxy caches using Java/Flash/WebSockets:

http://www.adambarth.com/experimental/websocket.pdf
http://news.cnet.com/8301-30685_3-20025272-264.html


Aditya K Sood (2010-12-16 08:33 -08:00):

@Jer Thanks.


Jeremiah Grossman (2010-12-16 08:21 -08:00):

@Soroush: thank you, added #53.

@SecNiche: thanks for the contribution. I added 3 of the 6 you commented, #54 - #56. The others, while interesting articles, did not appear to be new techniques: more using older techniques, while still valid, to attack more modern systems. Good luck!


Aditya K Sood (2010-12-15 14:22 -08:00):

Open Redirect Wreck Off - Differential Redirection Attacks

http://magazine.hitb.org/issues/HITB-Ezine-Issue-002.pdf


Aditya K Sood (2010-12-15 14:21 -08:00):

Pwning Data-centers by hacking support system suites.

http://magazine.hitb.org/issues/HITB-Ezine-Issue-004.pdf


Aditya K Sood (2010-12-15 14:12 -08:00):

Google Chrome Authentication Dialog Spoofing through Realm Manipulation

http://zeroknock.blogspot.com/2010/08/google-chrome-http-auth-dialog-through.html
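shinto143's comment of 2011-01-06 on the back refresh attack boils down to a Post/Redirect/Get rule that was applied only on the success branch: a successful password change answered with a redirect, but a rejected one (30-day policy, mismatched confirmation) answered 200 OK directly to the POST, so the POST with both passwords in its body stayed in browser history and Back + Refresh replayed it through whatever proxy sat in front of the browser. The following is an added example written for this thread; it is not code from the comment, from the application the commenter tested, or from the blog. It is a stdlib-only WSGI app plus a minimal browser model whose only job is to track history and replay the current entry. The route /change-password, the field names old/new/confirm, the 30-day value, the sample passwords and the fixed clock are assumptions or constructed sample data. With prg_on_failure=False the app behaves as described in the comment; with prg_on_failure=True every POST outcome ends in a 303 (the comment says 302; 303 makes the follow-up GET explicit), the error travels in a server-side flash slot, and the replayed request is a GET carrying no password fields.

```python
"""
Post/Redirect/Get on both branches of a password-change form.

Added example for the back-refresh comment in this thread; not code from
the thread or from the application the commenter tested. Stdlib only.
Assumed/constructed: the /change-password route, the field names old/new/
confirm, the 30-day minimum password age, the sample passwords, the clock.
"""
import datetime as dt
from io import BytesIO
from urllib.parse import parse_qs, urlencode

MIN_PASSWORD_AGE = dt.timedelta(days=30)   # policy from the comment (value assumed)


class PasswordChangeApp:
    """WSGI app. prg_on_failure=False reproduces the pattern the comment
    describes: redirect on success, 200 OK with the form re-rendered on
    failure. prg_on_failure=True redirects after every POST outcome."""

    def __init__(self, prg_on_failure):
        self.prg_on_failure = prg_on_failure
        self.current_password = "OldPassw0rd!"          # constructed state
        self.last_changed = dt.datetime(2010, 12, 20)
        self.now = dt.datetime(2011, 1, 6)               # fixed clock: 17 days later
        self.flash = None  # stands in for a server-side session slot

    def __call__(self, environ, start_response):
        path, method = environ.get("PATH_INFO", "/"), environ["REQUEST_METHOD"]
        if path != "/change-password":
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        if method == "GET":
            msg, self.flash = self.flash or "form", None   # show the message once
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [msg.encode()]
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        field = lambda k: form.get(k, [""])[0]
        error = self._validate(field("old"), field("new"), field("confirm"))
        if error is None:
            self.current_password, self.last_changed = field("new"), self.now
            self.flash = "password changed"
        elif self.prg_on_failure:
            self.flash = error
        else:
            # Vulnerable branch: the POST, old and new password in its body,
            # becomes the page that sits in browser history.
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [error.encode()]
        start_response("303 See Other", [("Location", "/change-password")])
        return [b""]

    def _validate(self, old, new, confirm):
        if old != self.current_password:
            return "current password incorrect"
        if new != confirm:
            return "new and confirm password mismatch"
        if self.now - self.last_changed < MIN_PASSWORD_AGE:
            return "password cannot be changed within 30 days"
        return None


class Browser:
    """Just enough of a browser to model history and Back + Refresh."""

    def __init__(self, app):
        self.app = app
        self.history = []          # one (method, path, body) per history entry

    def request(self, method, path, body=b""):
        captured = {}

        def start_response(status, headers):
            captured["status"], captured["headers"] = status, dict(headers)

        environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
                   "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
        out = b"".join(self.app(environ, start_response))
        return captured["status"], captured["headers"], out

    def navigate(self, method, path, body=b""):
        status, headers, out = self.request(method, path, body)
        if status[:3] in ("302", "303"):
            # Redirect is followed with a GET; only that GET lands in history.
            return self.navigate("GET", headers["Location"])
        self.history.append((method, path, body))
        return status, out

    def back_and_refresh(self):
        """Replay the current history entry, as Back + Refresh does.
        A proxy between browser and server captures exactly this request."""
        method, path, body = self.history[-1]
        self.request(method, path, body)
        return method, body


def simulate(prg_on_failure):
    """User attempts a change inside the 30-day window (policy rejects it),
    then someone at the same browser presses Back and Refresh."""
    browser = Browser(PasswordChangeApp(prg_on_failure))
    fields = {"old": "OldPassw0rd!", "new": "N3wPassw0rd!", "confirm": "N3wPassw0rd!"}
    status, page = browser.navigate("POST", "/change-password", urlencode(fields).encode())
    method, body = browser.back_and_refresh()
    return {"first_status": status, "page": page.decode(),
            "replayed_method": method, "replayed_body": body.decode()}


if __name__ == "__main__":
    for prg in (False, True):
        r = simulate(prg)
        print(f"prg_on_failure={prg}: replayed {r['replayed_method']} {r['replayed_body']!r}")
```

Both runs show the user the same rejection text, which is why the defect is easy to miss in a functional test: the difference is only visible in what the browser resubmits afterwards. The check to add to a review of any form that handles credentials is therefore not "does success redirect" but "does every response to the POST redirect".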