I <3 Bots!
Subscribe to the RSS feed

Keyword - XSS

Entries feed - Comments feed

Tuesday, December 9 2008

Every-day's CSRF: Sorry, I turned off your christmas tree lights

By Romain on Tuesday, December 9 2008, 14:05 UTC - Vulnerabilities

Today, a friend of mine was really proud to show me the Home Automation installation he just bought. Well, since he lives in France and I am in DC, he showed me the web interface that was able to control the lights etc. in his house. As he wanted to test this domotic system, he only plugged his Christmas tree lights on the system.

Well, maybe I'm only seeing bad stuff around me, but... Déformation professionnelle we'll say! It was so easy to make it blinking with a simple script that I showed it to him. So well, every 5 seconds, it would change the state.

Anyway, this CSRF is not a big deal for him since it's only the Christmas tree lights, it's only a temporary installation and well, it's fun. But after a simple google search, I found another site like my friend's. The URL that Google return is:

http://XXX.XXX.XXX.XXX:88/control_exe.htm;3;1;ON

Which is basically turning on some device... :)

Also, not only this application has tons of CSRF, but also a nice stored XSS which let you do whatever you want with it! And btw, since the Google Robot reported this, it means that every time that it crawls the website (or at least, reaches that particular URL), it will set the device ON :)

Web security enters your house, f34rs!

one comment

Tuesday, April 8 2008

MySQL table/field names

By Romain on Tuesday, April 8 2008, 21:45 UTC - Stuffs

Sometimes I really don't understand developers.

Why the heck a table name such as a<script>foo(42)`cool could ever be allowed? What's the point of that? I know I am almost clueless with SQL but... what's the reason here? If someone has some idea, I would love to hear them!

no comment

Wednesday, June 20 2007

PHP Source Code Security Scanners: Pixy

By Romain on Wednesday, June 20 2007, 16:24 UTC - Tools

I already talked about source code scanners for PHP, and even run a simple test between SWAAT and PHP-SAT. Today, a new toy has been released: Pixy, so I decided to make it pass the test. The first test is really basic, having a quite small php source code with a bunch of possible faults: tests.php

So, you find the output of the tool here: out.pixy.result.txt

I first have to say that it's normal that the tool doesn't catch the header injection stuff, os command injection etc. it doesn't claim to do that. Pixy claims to find the Cross-Site Scripting and the SQL Injection. On that point, I would say pretty good job guy!
The tool catch all the possible Cross-Site Scripting in the echo functions, doesn't warn for the persistent XSS (line 34, the bad html injection would be inserted into the SQL database, if there is no output validation, there are Persistent XSS).

Even better on the SQL Injection where it found every thing I tagged as true-positive.

To conclude, I will definitely keep an eye on this tool which looks promising to me, I will also continue working on the PHP-SAT security configuration in order to make a solid vulnerability disclosure system.

no comment

Wednesday, May 30 2007

Back to work!

By Romain on Wednesday, May 30 2007, 09:26 UTC - Tech

And I've just received this book this morning:

no comment

I <3 Bots!