<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.websecurity">
    <title>gmane.comp.security.websecurity</title>
    <link>http://blog.gmane.org/gmane.comp.security.websecurity</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8504"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8503"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8502"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8501"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8500"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8499"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8498"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8497"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8496"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8495"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8494"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8493"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8492"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8491"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8490"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8489"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8488"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8487"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8486"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.websecurity/8485"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8504">
    <title>Re: Need some help with one XSS Vector</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8504</link>
    <description>&lt;pre&gt;What happens when you send &amp;lt;/script&amp;gt;? Why doesn't it work?  Is it escaped or validated?  Can you bypass validation?

--Jeff



On May 21, 2012, at 1:49 PM, Spam Catcher &amp;lt;rrspam&amp;lt; at &amp;gt;hotmail.co.uk&amp;gt; wrote:


_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity&amp;lt; at &amp;gt;lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

&lt;/pre&gt;</description>
    <dc:creator>Jeff Williams</dc:creator>
    <dc:date>2012-05-22T20:58:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8503">
    <title>Re: Need some help with one XSS Vector</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8503</link>
    <description>&lt;pre&gt;You could try using http://www.w3schools.com/jsref/jsref_fromcharcode.asp

Then you should not need to include any ' in your string and the app will hopefully not add anything to break the javascript.

-----Original Message-----

From: Aaron Devaney
Sent: 21 May 2012 16:14:12 GMT
To: websecurity&amp;lt; at &amp;gt;lists.webappsec.org
Subject: Re: [WEB SECURITY] Need some help with one XSS Vector

Hi,
Have you tried using a slash before the single quote so that the escape
is performed on the slash that is escaping the quote?

So in your example you could try        \' + document.cookie;//

Which then might give the following

&amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for the
card 1\\'+ document.cookie);//');&amp;lt;/script&amp;gt;

I didn't test it but it looks like it might work depending on how the
filter is working.

Regards
Aaron

-----Original Message-----
From: websecurity-bounces&amp;lt; at &amp;gt;lists.webappsec.org
[mailto:websecurity-bounces&amp;lt; at &amp;gt;lists.webappsec.org] On Behalf Of
websecurity-request&amp;lt; at &amp;gt;lists.webappsec.org
Sent: 19 May 2012 04:15
To: websecurity&amp;lt; at &amp;gt;lists.webappsec.org
Subject: websecurity Digest, Vol 17, Issue 6

Send websecurity mailing list submissions to
        websecurity&amp;lt; at &amp;gt;lists.webappsec.org

To subscribe or unsubscribe via the World Wide Web, visit

http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

or, via email, send a message with subject or body 'help' to
        websecurity-request&amp;lt; at &amp;gt;lists.webappsec.org

You can reach the person managing the list at
        websecurity-owner&amp;lt; at &amp;gt;lists.webappsec.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of websecurity digest..."


Today's Topics:

   1.  Need some help with one XSS Vector (Chintan Dave)


----------------------------------------------------------------------

Message: 1
Date: Fri, 18 May 2012 12:04:59 +0530
From: Chintan Dave &amp;lt;davechintan&amp;lt; at &amp;gt;gmail.com&amp;gt;
To: websecurity&amp;lt; at &amp;gt;webappsec.org
Subject: [WEB SECURITY] Need some help with one XSS Vector
Message-ID:

&amp;lt;CAL9x60qFTJPzh7g1CehONBDm3oJWYrQ7vmzpTS5BBfcwMB_NHg&amp;lt; at &amp;gt;mail.gmail.com&amp;gt;
Content-Type: text/plain; charset="utf-8"

Hi,

I am running into one issue with XSS and was interested if there is any
way I can bypass it.
Following the response code where user supplied input is embedded. Input
is taken via a text box.

*&amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for the
card
1');&amp;lt;/script&amp;gt;*

User supplied input *1* is highlighted in red. I am trying to break out
of this alert box, however when a single quote is given as input, the
output is escaped using a backslash. It is as follows:
*
Input:*     *1'**
Output:** &amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found
for the card 1\'');&amp;lt;/script&amp;gt;*

I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestion on how to break out of this would be much helpful.

All characters except the *single quote, &amp;lt;!-- and &amp;lt;/script&amp;gt;* are
working.
Using a

I tried the following vector to escape out:

*Input:*     *1`);alert(1);(`'**);**
Output:** &amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found
for the card 1`);alert(1);(`');&amp;lt;/script&amp;gt;

*Appreciate* *your help and support in advance.
*
*Thanks,*
*
--
Regards,
Chintan Dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
&amp;lt;http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20120518/99cea031/attachment-0001.html&amp;gt;

------------------------------

_______________________________________________
websecurity mailing list
websecurity&amp;lt; at &amp;gt;lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org


End of websecurity Digest, Vol 17, Issue 6
******************************************

&lt;/pre&gt;</description>
    <dc:creator>Spam Catcher</dc:creator>
    <dc:date>2012-05-21T17:49:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8502">
    <title>Re: Need some help with one XSS Vector</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8502</link>
    <description>&lt;pre&gt;Hi,
Have you tried using a slash before the single quote so that the escape
is performed on the slash that is escaping the quote?

So in your example you could try        \' + document.cookie;//

Which then might give the following

&amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for the
card 1\\'+ document.cookie);//');&amp;lt;/script&amp;gt;

I didn't test it but it looks like it might work depending on how the
filter is working.

Regards
Aaron

-----Original Message-----
From: websecurity-bounces&amp;lt; at &amp;gt;lists.webappsec.org
[mailto:websecurity-bounces&amp;lt; at &amp;gt;lists.webappsec.org] On Behalf Of
websecurity-request&amp;lt; at &amp;gt;lists.webappsec.org
Sent: 19 May 2012 04:15
To: websecurity&amp;lt; at &amp;gt;lists.webappsec.org
Subject: websecurity Digest, Vol 17, Issue 6


Today's Topics:

   1.  Need some help with one XSS Vector (Chintan Dave)


----------------------------------------------------------------------

Message: 1
Date: Fri, 18 May 2012 12:04:59 +0530
From: Chintan Dave &amp;lt;davechintan&amp;lt; at &amp;gt;gmail.com&amp;gt;
To: websecurity&amp;lt; at &amp;gt;webappsec.org
Subject: [WEB SECURITY] Need some help with one XSS Vector
Message-ID:

&amp;lt;CAL9x60qFTJPzh7g1CehONBDm3oJWYrQ7vmzpTS5BBfcwMB_NHg&amp;lt; at &amp;gt;mail.gmail.com&amp;gt;
Content-Type: text/plain; charset="utf-8"

Hi,

I am running into one issue with XSS and was interested if there is any
way I can bypass it.
Following the response code where user supplied input is embedded. Input
is taken via a text box.

*&amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for the
card
1');&amp;lt;/script&amp;gt;*

User supplied input *1* is highlighted in red. I am trying to break out
of this alert box, however when a single quote is given as input, the
output is escaped using a backslash. It is as follows:
*
Input:*     *1'**
Output:** &amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found
for the card 1\'');&amp;lt;/script&amp;gt;*

I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestion on how to break out of this would be much helpful.

All characters except the *single quote, &amp;lt;!-- and &amp;lt;/script&amp;gt;* are
working.
Using a

I tried the following vector to escape out:

*Input:*     *1`);alert(1);(`'**);**
Output:** &amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found
for the card 1`);alert(1);(`');&amp;lt;/script&amp;gt;

*Appreciate* *your help and support in advance.
*
*Thanks,*
*
--
Regards,
Chintan Dave
&lt;/pre&gt;</description>
    <dc:creator>Aaron Devaney</dc:creator>
    <dc:date>2012-05-21T08:26:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8501">
    <title>Re: Need some help with one XSS Vector</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8501</link>
    <description>&lt;pre&gt;No problem, it's a common misunderstanding (for developers) to only encode
quotes (") and apostrophes (') but not backslashes (\) :-)

But the good thing is, at least they're encoding quotes and hopefully
apostrophes too (where it's appropriate), compared to like 5 years ago when
almost no one was encoding anything.


Best regards,
MaXe

On Sat, 19 May 2012 13:12:28 +0530, Chintan Dave &amp;lt;davechintan&amp;lt; at &amp;gt;gmail.com&amp;gt;
wrote:
&lt;/pre&gt;</description>
    <dc:creator>MaXe</dc:creator>
    <dc:date>2012-05-20T04:42:51</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8500">
    <title>Re: Need some help with one XSS Vector</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8500</link>
    <description>&lt;pre&gt;Yes actually, we were able to bypass using the same technique.

We just injected an extra slash to nullify escaping &amp;amp; ended the payload with comment

Appreciate all your help.

Sorry for brevity, sent from my iPod,

Thanks,
Chintan

On 19-May-2012, at 12:37 PM, MaXe &amp;lt;owasp&amp;lt; at &amp;gt;intern0t.net&amp;gt; wrote:


&lt;/pre&gt;</description>
    <dc:creator>Chintan Dave</dc:creator>
    <dc:date>2012-05-19T07:42:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8499">
    <title>Re: Need some help with one XSS Vector</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8499</link>
    <description>&lt;pre&gt;If backslashes aren't escaped properly (with a backslash), try this:
\');alert(/TestString/.source);//

This should result in:
&amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for the card
\\');alert(/TestString/.source);//');&amp;lt;/script&amp;gt;

If there's two backslashes, the first one will nullify (escape) the second
one, meaning the apostrophe won't be escaped.


Best regards,
MaXe


On Fri, 18 May 2012 12:04:59 +0530, Chintan Dave &amp;lt;davechintan&amp;lt; at &amp;gt;gmail.com&amp;gt;
wrote:
&lt;/pre&gt;</description>
    <dc:creator>MaXe</dc:creator>
    <dc:date>2012-05-19T07:07:52</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8498">
    <title>[Announcement] ClubHack Magazine Issue 28,May 2012 Released</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8498</link>
    <description>&lt;pre&gt;Dear All,

Here we are with the 28th issue of ClubHack Magazine.

This issue covers the following articles:-

0x00 Tech Gyan - Steganography over covert channels
0x01 Tool Gyan - Kautilya
0x02 Mom's Guide - HTTPS (Hyper Text Transfer Protocol Secure)
0x03 Legal Gyan - Section 66C - Punishment for identity theft
0x04 Code Gyan - Don’t Get Injected – Fix Your Code
0x05 Poster - "Look both side before crossing one way track"

Check http://chmag.in/ for articles.
PDF version can be downloaded from:- http://chmag.in/issue/may2012.pdf

Send us your feedback, articles at info&amp;lt; at &amp;gt;chmag.in

Regards,
Team CHMag
http://chmag.in/
&lt;/pre&gt;</description>
    <dc:creator>Abhijeet Patil</dc:creator>
    <dc:date>2012-05-21T06:13:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8497">
    <title>Need some help with one XSS Vector</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8497</link>
    <description>&lt;pre&gt;Hi,

I am running into one issue with XSS and was interested if there is any way
I can bypass it.
Following the response code where user supplied input is embedded. Input is
taken via a text box.

*&amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for the card
1');&amp;lt;/script&amp;gt;*

User supplied input *1* is highlighted in red. I am trying to break out of
this alert box, however when a single quote is given as input, the output
is escaped using a backslash. It is as follows:
*
Input:*     *1'**
Output:** &amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for
the card 1\'');&amp;lt;/script&amp;gt;*

I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestion on how to break out of this would be much helpful.

All characters except the *single quote, &amp;lt;!-- and &amp;lt;/script&amp;gt;* are working.
Using a

I tried the following vector to escape out:

*Input:*     *1`);alert(1);(`'**);**
Output:** &amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for
the card 1`);alert(1);(`');&amp;lt;/script&amp;gt;

*Appreciate* *your help and support in advance.
*
*Thanks,*
*
&lt;/pre&gt;</description>
    <dc:creator>Chintan Dave</dc:creator>
    <dc:date>2012-05-18T06:34:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8496">
    <title>New Open Source Web Application Vulnerability Scanner Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8496</link>
    <description>&lt;pre&gt;
Hi All,
There is a new web application vulnerability scanner available. It is called WebVulScan and it is open source. Here is the link for it if you want to check it out: http://code.google.com/p/webvulscan/
Regards,
Dermot Blair
&lt;/pre&gt;</description>
    <dc:creator>Dermot Blair</dc:creator>
    <dc:date>2012-05-15T21:37:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8495">
    <title>Re: Classic examples for secure webapps</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8495</link>
    <description>&lt;pre&gt;
I'm a fan of Plone:  http://plone.org/products/plone/security/overview

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

&lt;/pre&gt;</description>
    <dc:creator>Nick Owen</dc:creator>
    <dc:date>2012-05-15T16:13:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8494">
    <title>Classic examples for secure webapps</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8494</link>
    <description>&lt;pre&gt;Dear all,

Two examples come to my mind when I think about classic examples of
secure software development: OpenSSH and Qmail. Both

a) were designed with security in mind
b) were heavily audited (--&amp;gt; open source)
c) are widely used in security sensitive environments for long times (&amp;gt; 10 years) 
d) had relatively few known security bugs despite b), and c).

My question is:
Are there any web applications that can be seen as a classic example of
secure software development on the web (similar to OpenSSH and  Qmail
in the network service area)?

Thanks,
Sebastian

---
Sebastian Schinzel

Universität Erlangen-Nürnberg
Lehrstuhl für Informatik 1
IT-Sicherheitsinfrastrukturen

Web: http://www1.cs.fau.de/
Twitter:http://twitter.com/seecurity








&lt;/pre&gt;</description>
    <dc:creator>Sebastian Schinzel</dc:creator>
    <dc:date>2012-05-15T10:50:52</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8493">
    <title>Breakpoint 2012 Call For Papers</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8493</link>
    <description>&lt;pre&gt;                 . ______________________________________
                 ._\\.         Breakpoint 2012           (___.
                 :          Intercontinental Rialto          :
                 :           Melbourne,  Australia           :
                 :             October 17th-18th             :
                 :__                                    . ___:
                    )____________________________________\\
                                                            .
                          www.ruxconbreakpoint.com
                          www.twitter.com/ruxconbpx



Introduction
------------

 Breakpoint is a new security conference to be held on the 17th and 18th of
 October, in Melbourne, Australia. The event will showcase the work of expert
 security researchers from around the world on a wide range of topics.
 Breakpoint is organised by the Ruxcon conference team and will offer a
 specialised and more professional security conference to complement and lead
 into the larger and more casual Ruxcon weekend conference. Breakpoint will
 cater towards security researchers and industry professionals alike, with a
 focus on cutting edge security research.

 With just one day separating both conferences, Breakpoint presents a great
 opportunity for our selected speakers to receive a complimentary trip to
 Australia and experience both the Breakpoint and Ruxcon conferences, not to
 mention the great weather, awesome parties, and friendly people.

 Melbourne is Australia's cultural capital, with Victorian-era architecture,
 extensive shopping, museums, galleries, theatres, and large parks and gardens.
 It is a city of many subcultures, personalities and styles, and it is these
 layers that make it so interesting. Melbourne has a vibrant arts and music
 scene, eccentric cafes, cobbled lane-ways, quirky shops, intimate bars and
 restaurants, and is known as one of the world's great street art capitals.


Important Dates
---------------

 * May     10        Call For Presentations Open
 * July    30        Call For Presentations Close
 * October 15-16     BreakPoint Training
 * October 17-18     BreakPoint Conference
 * October 20-21     Ruxcon Conference


Topic Scope
-----------

Topics of interest include, but are not limited to:


 o Mobile Device Security
 o Exploitation Techniques
 o Reverse Engineering
 o Vulnerability Discovery
 o Rootkit Development
 o Malware Analysis
 o Code Analysis
 o Virtualization, Hypervisor Security
 o Cloud Security
 o Embedded Device Security
 o Hardware Security
 o Telecommunications Security
 o Wireless Network Security
 o Web Application Security
 o Law Enforcement Activities
 o Forensics
 o Threat Intelligence
 o You get the idea


Submission Guidelines
---------------------

 In order for us to process your submission we will require the following
 information:


 1. Presentation title
 2. Detailed summary of your presentation material
 3. Name/Nickname
 4. Mobile phone number
 5. Brief personal biography
 6. Description of any demonstrations involved in the presentation
 7. Information on where the presentation material has or will be presented
    before Breakpoint

 * Preference will be given to presentations that contain original research
   that will be first presented at Breakpoint.
 * As a general guideline, BreakPoint presentations are between
   45 and 60 minutes, including question time.


 If you have any enquiries about submissions, or would like to make a
 submission, please send an email to bpx&amp;lt; at &amp;gt;ruxconbreakpoint.com


Speaker Benefits
----------------

 Speakers at BreakPoint will be entitled to the following benefits:

 - A round trip economy airfare to Melbourne (total cost limit applies)
 - Three nights accommodation at the Intercontinental Rialto
 - Complimentary registration for Breakpoint and Ruxcon conferences
 - Invitation to all BreakPoint and Ruxcon parties
 - Unlock 'Presented on world's smallest continent' achievement

 * All speaker benefits apply to a single speaker per submission.


Contact
-------

 If you have any questions or queries, contact us at:

 * Email:            bpx&amp;lt; at &amp;gt;ruxconbreakpoint.com
 * Twitter           &amp;lt; at &amp;gt;ruxconbpx
&lt;/pre&gt;</description>
    <dc:creator>cfp&lt; at &gt;ruxcon.org.au</dc:creator>
    <dc:date>2012-05-10T11:48:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8492">
    <title>Bypassing web antiviruses and attack via tables corruption in MySQL</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8492</link>
    <description>&lt;pre&gt;Hello participants of Mailing List.

As I wrote in the list last month, I've presented a full translation of my
articles (in the form of a new complex article), which I told
you about briefly in my post Bypassing of security mechanisms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-September/008051.html).
And now I will tell you about my other articles, written in September 2011
and in April 2012. Request a full translation of any of them if needed.

I'll tell you briefly about my two articles concerning bypassing web
antiviruses and attack via tables corruption in MySQL, which I wrote in
September and in April respectively. These topics should be interesting for
you (especially for those who haven't read them before).

1. Effective use of cloaking against web antiviruses
http://websecurity.com.ua/5359/

In this article I told more about cloaking: how web antiviruses began
fighting it, and other ways of bypassing them with cloaking. This
is the third article in my series about bypassing web antiviruses (after
2010's "Bypass of systems for searching viruses at web sites" and 2011's
"Bypassing of behavioral analysis or malware strikes back").

After my 2010 article, where I wrote about cloaking as a simple and well-known
way of hiding from web antivirus bots, similarly used since the
90s for hiding from search engine bots, in August 2011 I found the first
change. While I made my own web antivirus immune to cloaking already in 2008
(from the first version), for other vendors, such as search engines,
we needed to wait. And at the end of August 2011 I found a Google bot
that had changed its UA. But due to other mistakes, it couldn't hide its
true face well :-), so it was possible for malware to use cloaking to hide
from the bot. So cloaking needs to be fought more effectively.

2. Attack via tables corruption in MySQL
http://websecurity.com.ua/5796/

In this article I told about attacks on web applications via tables
corruption in MySQL. I described this attack in 2009 (in my advisory
about WordPress) and later in 2011 (in my advisories concerning IPB), but
now I've written a detailed article about it.

Best wishes &amp;amp; regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



&lt;/pre&gt;</description>
    <dc:creator>MustLive</dc:creator>
    <dc:date>2012-05-05T20:50:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8491">
    <title>Submit to WOOT: USENIX Workshop on Offensive Technologies</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8491</link>
    <description>&lt;pre&gt;Hi everyone,

WOOT is the USENIX Workshop on Offensive Technologies and this year
will focus on the future of web exploitation and HTTPS security.

One of the specificities of WOOT is that it is meant to be a bridge
between the industry and the academic world, which always gives rise to
interesting discussion :)

So if you just gave a cool talk at BSide or got something interesting
planned for Black Hat or DEFCON, it is exactly the type of work we'd
like to see submitted to WOOT.

Don't be shy, it will be a very fun workshop! The WOOT call for papers
is available here: http://ow.ly/aH1X0

--
Elie
http://elie.im - Twitter: &amp;lt; at &amp;gt;elie

&lt;/pre&gt;</description>
    <dc:creator>Elie Bursztein</dc:creator>
    <dc:date>2012-05-04T05:25:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8490">
    <title>Re: CRLF Injection - HTTP Response Splitting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8490</link>
    <description>&lt;pre&gt;Hi Tanuj,

Thanks for your reply. I tried with a larger string
(%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a,
%0d%0a%0d%0a%0d%0a%0d%0a%20%0d%0a%0d%0a%0d%0a%0d%0a, etc.)

The response doesn't split and %0d%0a appear as printable characters in the
output.

Location: https://domain.org/path/res.asp?https=redirect&amp;amp;key1=value1&amp;amp;key2=value2&amp;amp;key3=value3%0d%0a%0d%0a%0d%0a%0d%0a%20%0d%0a%0d%0a%0d%0a%0d%0aContent-Length:%200

%0d%0a encoding for CRLF doesn't seem to work, hence I was trying different
encodings.

Br,
--
m0n


On Wed, May 2, 2012 at 5:01 PM, Tanuj Pathak &amp;lt;Tanuj.Pathak&amp;lt; at &amp;gt;mphasis.com&amp;gt;wrote:

&lt;/pre&gt;</description>
    <dc:creator>Mon</dc:creator>
    <dc:date>2012-05-03T08:51:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8489">
    <title>Abusing Password Managers with XSS</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8489</link>
    <description>&lt;pre&gt;New post on abusing password managers with Cross-Site Scripting.
http://labs.neohapsis.com/2012/04/25/abusing-password-managers-with-xss/

&lt;/pre&gt;</description>
    <dc:creator>mastah yeti</dc:creator>
    <dc:date>2012-04-30T16:30:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8488">
    <title>nullcon Delhi 2012 Call for Paper/Call for Event</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8488</link>
    <description>&lt;pre&gt;Hi All,

For the very first time nullcon now comes to Delhi - to showcase cutting
edge security technologies and discuss new attack vectors and security
threats among the Corporate world and the Government sector. The event
brings together thought leaders, Corporates, Government and security
professionals all under one roof.

Prototype:
-------------
We are introducing a new sub-event - Prototype at nullcon Delhi 2012. The
event provides opportunities to innovative companies to showcase their
latest and new technology/products to the nullcon audience. The main aim
behind Prototype is to enable and boost companies driving innovation in
security domain and provide them a perfect platform to boast about their new
technology and at the same time grab the attention of potential investors
and business partners at minimal cost. For more details about the event, its
costing and how your organization can participate kindly contact:
info_at_nullcon.net

Categories:
—————

The talk time duration includes time for questions and answers (5-10
minutes).

1. Research Category (40 mins - 1 hr) is a deep knowledge technical track
that includes new research, tools, vulnerabilities, zero days or exploits.

2. Technical Category (30 mins - 1 hr) comprises known security issues,
case studies, twist to an existing research, tool, vulnerability, exploit or
research-in-progress. Although this track is fairly technical, it covers
known techniques and analysis and is specially created for security
professionals who are not too much into new research, are auditors,
management professionals and newbies.

3. Desi Jugaad (1 hr) is our signature research category talk and includes
any local Indian/Asian hacks.

Submission Topics:
———————————————

1. One of the topics of interest to us is Desi Jugaad (Local Indian/Asian
Hack) and has a separate track of its own. Submissions can be any kind of
local hacks that you have worked on (hints: electronic/mechanical meters,
automobile hacking, Hardware, mobile phones, lock-picking, bypassing
procedures and processes, etc. Be creative!)

2. The topics pertaining to security and hacking in the following
domains (but not limited to):
- Hardware Hacking(ex: RFID, Magnetic Strips, Card Readers, Mobile Devices,
Electronic Devices)
- Tools/exploits/Zero-days (noncommercial)
- Programming/Software Development security and weaknesses
- Network vulnerabilities.
- Information Warfare, cyber espionage, cyber crime, cyber laws
- Malware, Botnets
- Web attacks and application hacking
- New attack vectors
- Mobile malware, vulnerabilities, exploits, VOIP and Telecom
- Virtualization security, hacking VMs, breaking out of VMs etc
- Cloud security, threats and exploitation
- Critical Infrastructure
- Satellite hacking
- Wireless hacking
- Forensics

Submission Format:
———————————————

Email the Paper to: cfp_at_nullcon.net
Subject should be: CFP Delhi 2012 &amp;lt;Paper Title&amp;gt;
Email Body:
1. Name
2. Handle
3. Track (&amp;amp; Time required in case of General/Business track)
4. Paper Title
5. Country(and City) of residence
6. Organization and Designation
7. Contact no.
8. Have you presented or submitted this paper at any other conference(s) or
magazine(s)?
Yes, No. If yes, where? and how this submission is different from the
previous ones. Note that new research talks already given elsewhere or are
due to be given elsewhere prior to nullcon will be considered as Technical
category talks unless they consist of cutting edge and ground breaking
technology, which is at the judgment of the review committee.
9. Are you releasing an open source tool?
Yes/No. (If yes, please include the source code for review)
10. Are you releasing an exploit?
Yes/No. (If yes, please include the source and vulnerability details for
review)
11. Are you releasing a new vulnerability/Zero-day?
Yes/No. (If yes, please send us the details, including reproduction
procedure, for review)
12. Why do you think your paper is different/innovative (for all tracks) and
how does it qualify as new work/research(for Research track only)?
13. Are there any live demonstrations (These earn you good points during
review)?
Yes/No. (If Yes, how many? Also please explain each demo)
14. Brief Profile ( &amp;lt;= 500 Words)
15. Paper Abstract - Please provide detailed working of your research/work.
The more details you provide the better it is for the reviewers. Please keep
the abstract to the point. Please do not try to hide the technical details
or say “I can't disclose it till bla bla” as it does not help the reviewers
in any way and may give your paper a low score because of insufficient
information available in the abstract.
16. Your high resolution photo (attached)

NOTE:
—————
Only the original authors should submit their research and any submission
from a third party will be rejected. The Abstract should clearly mention the
techniques and hacks in detail and merely mentioning that it works will not
help in understanding the research to its full extent. nullcon is open
knowledge/research sharing platform and hence product/company marketing and
pitches will be rejected. We request you not to submit any product specific
talk. For product specific talks kindly look at Prototype sub-event.

Important Dates:
———————————————

CFP Opens:                                   25th April 2012
1st round of Speaker list Online:  10th June 2012
CFP Closing Date:                        30th June 2012
Final speakers List online:           10th July 2012
Conference Dates:                        26-29 September 2012

Speaker Benefits:
—————————————

For Research (and Desi Jugaad) Category

1. Complimentary Accommodation for 3 nights.
2. Travel Reimbursement (Either actuals or the below mentioned amounts,
whichever is less)
- North/South America to Delhi (USD $800)
- Africa/Europe/Australia to Delhi (USD $600)
- Asia to Delhi (USD $500)
- Anywhere in India to Delhi (INR Rs.6000)
3. Complimentary VIP conference pass.
4. Invitation to Mehfil-E-Mausiqi (null networking party).

For Technical Category

1. Complimentary VIP conference pass.
2. Invitation to Mehfil-E-Mausiqi (null networking party)

* Only one speaker will be eligible for the benefits in case there are two
or more speakers for a talk.

** By submitting a paper and agreeing to talk at nullcon the speaker gives
null the right to post, publish, re-distribute online and offline, soft
and/or hard copies of his/her presentation material including slides, source
code, detailed paper and the recorded video of the speaker and presentation.


nullcon Call For Events (CFE)
--------------------------------------------------
Want to conduct a sub-event at nullcon? Want to show off your special
skills?
Be creative.
Anything innovative is welcome.

If your Event gets selected, a maximum of 2 complimentary VIP passes will be
provided to you depending on your event.
Submit your proposal to cfp_at_nullcon.net
Email Subject: nullcon Delhi 2012 Event &amp;lt;Your_event_name&amp;gt;
Email Body:
 1. Team members names, emails, phone
 2. Organization
 3. City, country
 4. Event name
 5. Time duration (1 hr, 3 hrs, whole day?)
 6. Event details (including step by step information on how will you
conduct the event)
 7. Why do you think the event is innovative and should be organized at
nullcon?
 8. Have you ever conducted a similar event before this? If yes, please
provide all the details including the response.

Hints:
  - Want to teach us how to assemble/disassemble a biometric device using
    home made stuff or how to make an autobot out of a radio/microwave/car
    etc, submit a proposal
  - Have a rock band? Want to play at nullcon? Submit your proposal.
  - A CTF or a game
  - A corporate sub-event
  - Anything that is interesting.

Regards
null Team

--
null - Spreading the right knowledge
null Mailing list charter:
http://null.co.in/section/about/null_list_charter/

&lt;/pre&gt;</description>
    <dc:creator>nullcon</dc:creator>
    <dc:date>2012-04-29T15:32:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8487">
    <title>OWASP 2012 Online Competition</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8487</link>
    <description>&lt;pre&gt;Dear security experts,

Hacking-Lab is proud to announce the upcoming online OWASP 2012 hands-on
competition about web security issues. The competition will start next
Tuesday (May 1 2012) and ends June 17th, 2012. It's all about web
security, including the Greece Hackademics challenges plus some advanced
Hacking-Lab challenges. The winner will gain a free ticket to either the
OWASP AppSec EU conference in Athens or AppSec US. 

Winner Selection Criteria
a) how many points you receive (complete)
b) how complete your solutions are (quality)
c) how fast you are completing the challenges (time)
d) creativity, unseen solutions, geek factor

The OWASP GEC (Global Education Committee) and Hacking-Lab have the
right to select the winner in case of identical a) to d) levels. OWASP
teachers, Hacking-Lab volunteers, Compass Security Switzerland staff are
not allowed to play. Sorry for that, folks.

Check out the upcoming "OWASP 2012 Online Competition" here
* https://www.hacking-lab.com/events/

Train your Brain - Explore Hacking-Lab with this free online security
competition. 

Kind Regards
Ivan Buetler, E1

&lt;/pre&gt;</description>
    <dc:creator>Ivan Buetler</dc:creator>
    <dc:date>2012-04-29T19:15:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8486">
    <title>Oracle Padding and Exploitation</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8486</link>
    <description>&lt;pre&gt;First off, my anal retentive side simply *MUST* correct you: It's
"padding oracle".

An "oracle" is a system which provides answers to specific types of
questions. In cryptography, there is a concept of "padding", extra
data appended to the unencrypted message to satisfy the length
requirements of a block cipher, which requires that data it is
encrypting is to be of a certain length.

A padding oracle normally only will reveal if an encrypted message,
when decrypted, is properly padded.

Vaudenay presented at EUROCRYPT that with PKCS#5 padding, a padding
oracle can actually be used as a decryption oracle, given the ability
to make lots of submissions to the padding oracle. This allows us to
decrypt arbitrary data using a padding oracle.

Thai Duong and Juliano Rizzo applied this theoretical attack in a
practical way: against Web applications. They also presented a way of
using padding oracles as encryption oracles, allowing encryption of
arbitrary data.

The ASP.NET framework not only had padding oracle flaws, it used
PKCS#5 padding, reused keys between different parts of the
application, and provided a mechanism for disclosing file contents for
any file name you could encrypt.

While PadBuster is a generic tool for exploiting padding oracle flaws
where PKCS#5 is used, the most well-known example is in old versions
of the ASP.NET framework. Many people are under the mistaken
impression that this flaw is exclusive to ASP.NET, when it is not.

Now that I've satisfied the pedantic side of me, here's the
information you've actually asked for:

http://blog.gdssecurity.com/labs/2010/10/4/padbuster-v03-and-the-net-padding-oracle-attack.html

This blog post explains the usage of padbuster.pl against a vulnerable
installation of ASP.NET. It's been very helpful for me and for other
people I've spoken with in the past. Feel free to contact me directly
with questions about its usage.

Cheers,
&lt;/pre&gt;</description>
    <dc:creator>Daniel "unicornFurnace" Crowley</dc:creator>
    <dc:date>2012-04-28T06:20:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8485">
    <title>CRLF Injection - HTTP Response Splitting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8485</link>
    <description>&lt;pre&gt;Hi all,

Maybe this is a very stupid question, however, after many unsuccessful
attempts, I would appreciate your assistance.

In testing a web application, I found that on sending the following request
header:

GET /path/path-contd/resource.asp?key1=value1&amp;amp;key2=value2&amp;amp;key3=value3 HTTP/1.1
....


I got the following response header:

HTTP/1.1 302 Found
Date: xxxx
Server: xxxx
Location: https://&amp;lt;full-domain&amp;gt;/path/path-contd/resource.asp?https=redirect&amp;amp;key1=value1&amp;amp;key2=value2&amp;amp;key3=value3
....

I tried to inject "CRLF" (%0d%0a) in value3 to perform a HTTP Response
Splitting, however, the input was always output to the response header as
text and the injected CRLF (%0d%0a) was never executed. I tried:

1. double url encoding: %250d%250a
2. encoding the attack vector to unicode 16-bit
3. injecting %0d%0a (and double encoded value) in value1 instead
4. injecting %0d%0a (and double encoded value) in value2 instead

Am I missing something trivial or any other attack vector to bypass CRLF
Injection protection/filter? Is this the right approach? Or should I safely
assume that the application is performing proper URL sanitization?

Look forward to your replies. My apologies again in case my question is
naive.

Br,
m0n
&lt;/pre&gt;</description>
    <dc:creator>Mon</dc:creator>
    <dc:date>2012-04-30T12:32:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.websecurity/8484">
    <title>CIntruder v0.2 released</title>
    <link>http://permalink.gmane.org/gmane.comp.security.websecurity/8484</link>
    <description>&lt;pre&gt;Hi list,

A new version of *CIntruder* (v0.2) - the captcha intruder - has been released.

Take a look at the CIntruder website to see the new features implemented:

http://cintruder.sf.net

You can download original code directly from here:

http://sourceforge.net/projects/cintruder/files/cintruder_v0.2.0.tar.gz/download

Or update your copy from the CIntruder repository:

http://sourceforge.net/p/cintruder/code/

Now there is modularity in the OCR process, you can handle CIntruder with
another tool to perform automatic tests on forms that have a captcha,
and interact with an online distributed dictionary.

http://cintruder.sf.net/cinet

I hope that you enjoy it!! :D

psy.

&lt;/pre&gt;</description>
    <dc:creator>psy</dc:creator>
    <dc:date>2012-04-26T23:18:29</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.websecurity">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.websecurity</link>
  </textinput>
</rdf:RDF>

