So I just came back from my honeymoon trip (Greece, Turkey and Croatia), right in time to find that Sirdarckcat and Kuza55 had teamed up to throw a friendly defacement at our beloved RSnake!

The kids miserably failed; nevertheless, RSnake did not like it one bit.
Their payload was playful rather than venomous in my opinion, but you can judge for yourself:

0wning RSnake For Fun and PageRank

So, you’re sitting on the sla.ckers.org irc channel one day and someone is poking around with one of RSnake’s tools, and finds that it’s not working, or at least that’s what it seems like until they realise that it’s not just broken, it’s broken in a fun XSS way :) - what do you do? Do you:

a) Urge the person to report the problem to the vendor (RSnake), and get mad props for being awesome?
b) Scream about how the vendor is a security “expert” and needs to “secure their shit!!!1111”?
c) 0wn the vendor for Fun and PageRank

Well, to me, the answer seemed fairly obvious. Since the “Evil Advertising Empire” (Google), cue ominous music….now, had done a little dance and increased the PageRank of our blogs, we had gotten a taste of the power which we could amass, muahahaha, and we wanted more! Or at least I did…..

So anyway, Hey RSnake :) Thanks for the free advertising space.

Anyway, credit goes to:
sirdarckcat for not only being generally awesome, but finding the actual exploit.
thornmaker for (inadvertently) providing us with a method to get our payload through NoScript (Javascript variable setters and window.name FTW!), so umm, hey thornmaker :)
Gareth Heyes for doing that awesome research on selective payloads using CSS, which were implemented in the exploit.
kuza55 for not really doing anything, but being in the right place at the right time and being able to get some free Googlejuice from things anyway :p
Oh, and, of course: XSS!

We now return you to your regularly unscheduled posting ;)
- kuza55 & sirdarckcat

P.S. Thanks for directing carja.ckers.org to 127.0.0.1 :)
P.S.2. Sorry .mario, NoScript is the new attack playground :P, we’ll be back to php-ids ASAP.

At any rate, from my NoScript standpoint, nice setter+name bypass combo; just send me a mail next time, thanks ;)
The latest release already defeats it, but for those who disabled automatic updates, it’s time to get it.

5 Responses to “Youngsters :)”

  1. #1 sirdarckcat says:

    Hi giorgio

    sorry for keeping it private, but we wanted it to be a “zero day” until we could play the joke on rsnake; anyway, this was sort of a bad idea :(

    the window.name thing was a little difficult to do because of the + and / chars in base64, but, well.. it was fun :D, we will keep you up to date if we find anything else.

    Greetz!!

  2. #2 Rosario says:

    Welcome back, Giorgio

  3. #3 vaspers the grate aka steven e streight says:

    very ha ha interesting. will twitter this story for the id kids to C.

    http://twitter.com/vaspers

    you might like my music it’s Str8 Sounds

    back to vpn mode

  4. #4 drongo says:

    Hi!
    Thanks again for NoScript ;-)
    In the latest version you added the ability to block IFRAMEs.
    When it blocks an IFRAME, a box remains on the web site, which is very annoying, and because of that I can’t click some buttons on the site. Can you add the option of removing these blocks too?
    Moreover, I suggest making a special blocking/approving ability for iframes like in main NoScript: when I choose to enable a specific IFRAME, it will remember my choice.
    Thank you ;)

  5. #5 Brian H says:

    What? No salacious honeymoon details? Why mention it at all? C’mon, give! Pictures and stories of heroic performance! Aren’t you Italian?
