Archive for May, 2008
Regenerative Tokens
As you may already have read, the article “new fashion, new ways (or not)” presented a couple of methods for protecting against CSRF, and the token method (the preferred and advised one) was thought to be bulletproof… just thought, because recently, while surfing blogs with blogsearch.google.com, I found out that the method I presented ain’t as fail-proof as I thought at first.
And as I don’t want people complaining that the code I provided doesn’t do what it’s supposed to, I came up with a way to protect against this new (actually not so new) bypass method.
But first, for the ones that are too lazy to google for the answer, I would like to sum up in a few words how the token method can be bypassed. Actually the concept is very simple (I wonder why people haven’t thought of it till now): get the page with the form (which contains the token) and build your custom form along with the grabbed token. Sounds simple, but how do we get the token? Through AJAX, many would say, but that’s not the case, because AJAX has a same-origin policy (it can’t/won’t read responses from other websites). Intrigued by the method used for the request, I found out (took me quite long, 5-10 min) that it could be done via a dynamic script tag…
Back to our stuff… The way to protect against this bypass of the CSRF protection is… is… yes, you guessed it (damn title), by regenerating the token. But this has to be done via AJAX (try to do it without AJAX <- challenge)… First, our regeneration function, in an AJAX module PHP script (don’t know if it has a proper name; you’ll understand later on):
—
<?php
//file name ajaxphp.php (for demonstrative reasons)
session_start(); //the token lives in the session
if($_GET["mod"]=="rtoken") { echo regenerate_token(); } //the AJAX caller reads the echoed value
//more functions can be added here
function regenerate_token() {
    $nToken = rand(); //note: rand() is not a cryptographic generator; a CSPRNG (e.g. random_bytes on PHP 7+) is preferable
    if(isset($_SESSION["token"]) && $_SESSION["token"]==$nToken) {
        return regenerate_token(); //same value as before, try again
    }
    else {
        $_SESSION["token"]=$nToken; //the raw value stays server side…
        return md5($nToken); //…and its md5 goes into the form, so the target script compares md5($_SESSION["token"]) with the posted value
    }
}
—
And the implementation in the page itself:
—
<html>
<head>
…
<script>
function newtoken() {
    //initialize xhr, which is the AJAX object
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "ajaxphp.php?mod=rtoken", true);
    //the onreadystatechange stuff: copy the fresh token into the form once the reply is complete
    xhr.onreadystatechange = function() {
        if(xhr.readyState == 4 && xhr.status == 200) {
            document.myform.token.value = xhr.responseText;
        }
    };
    xhr.send(null);
}
</script>
</head>
<body onload="newtoken()">
…
<form name="myform" action="whatever.php" method="post">
<input type="hidden" name="token" value="" />
…
</form>
</body>
</html>
—
And that’s it, we solved the problem… or at least I think so (hope so); if not, give me some feedback on other methods (if available) to bypass this one… The disadvantage compared to the previous (sort of vulnerable) method is that this one uses JavaScript code… but protection comes at a cost…
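What the post leaves out is the check on the receiving side. The following whatever.php is an added example of mine, not the post’s own code: it validates the posted token against the md5 of the session value, as the scheme above implies, and discards the token after use so that a grabbed token can only be spent once. The file and field names are the ones used above; hash_equals assumes PHP 5.6 or newer.

```php
<?php
// whatever.php (added example, not the original post's code): the target of myform
session_start();

// Returns true only when the posted token matches the token regenerated for this session.
function csrf_token_is_valid(array $post, array &$session) {
    if (!isset($post['token']) || !isset($session['token'])) {
        return false;
    }
    // The form carries md5($nToken) (see ajaxphp.php above); the session holds the raw value
    $expected = md5($session['token']);
    // hash_equals (PHP 5.6+) compares in constant time, so the comparison does not leak the token
    $ok = hash_equals($expected, (string) $post['token']);
    // One-time use: whatever the outcome the token is gone; newtoken() fetches a fresh one on the next page load
    unset($session['token']);
    return $ok;
}

if (!csrf_token_is_valid($_POST, $_SESSION)) {
    header('HTTP/1.1 403 Forbidden');
    exit('CSRF token missing or invalid');
}
// …the form's real work goes here…
```

A token that was grabbed before the legitimate submission is rejected once the real form has been sent, and a token that is submitted twice fails the second time.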
No Root For You: A Series Of Tutorials, Rants And Raves, And Other Random Nuances
This is the name of the book that Gordon L. Johnson (leetupload webmaster) will release in mid-June (this year). Although I can’t write a review on it (duh!), I suppose there will be some interesting chapters (at least they caught my attention)… going to mention them, but first let’s see what the author has to say about it:
The book is about network auditing, consisting of a step-by-step tutorial guide explaining how one would go about auditing, securing, and learning why certain exploits work, etc.
Short description, but at least there is a table of contents, from which we can (in the majority of cases) deduce the content of it…
Chapters I’m waiting to read: Words of Wisdom: Reason for Pursuing Security (I love intros), Romancing the Victim (I’m a romance guy too), Gas Lighting is Always a Good Thrill (wtf?), Computer Modification #1, Computer Modification #2 and A Series of Uncut Rants and Raves…
Ancient history
Not really ancient history, but personally I would like to call it that… Recently, by digging up some old emails, I found a little attachment called Metalfish, which, if you’re curious, holds mIRC script files; so basically it’s a mIRC script which I made a long, long time ago, I think about 6 years ago… Frankly I could say it’s a tiny and sexy little script (not because I’ve made it), but people in the mIRC scripting community didn’t think that way, because it wasn’t accepted on the known mIRC script websites…
Anyway, why is it so special? Because thanks to this script I started scripting, web developing, programming, etc. As you might imagine it can be considered somewhat of a starting point (lame -> maybe), which I really do appreciate very much…
If you want to take a look at it: http://www.2shared.com/file/3333955/cb4db96f/Metalfish-v15.html
P.S. I’m sorry that I had to store it on 2shared, because personally I prefer mediafire, which, by the way, said that the file may be infected with a trojan (not).
woot free shells
In the last while I was surfing around for free *nix shells; sadly, very few have been found! And no, I wasn’t looking for shells that would allow bouncers, eggdrops, or any stuff like that… just for the classic type of shell: some megs (even 10MB would suffice), decent scripting languages enabled (php/perl/ruby) and some sort of compiler (yes, GCC)…
As many would recommend, I tried lonestar, but as some of you already know, you must pay some $cash to have access to the scripting languages and the C compiler… Anyway, I googled a bit and found some “free shells” that didn’t require cash for registration but a postcard… who would send a postcard for a free shell? I wouldn’t!
The point is that GOD gave me a hand, and I found singularity.darkspace.info: free registration, compilers, scripting languages… all in one.
The only disadvantage (because there is always a disadvantage) is that the administrator has to manually validate your account, which may take some days…
Hope you google fuckers (like me) will find this interesting, because I know how painful the web can be…
Finally I can jump into the OverTheWire wargames… shell out
Got new bait?
Maybe this is something already in use (no wondering about it), but it’s worth mentioning…
Real life fishing has never been my favorite activity, not even in my top 100 activities, and as you’d imagine, neither is phishing… I simply hate planting baits and waiting for someone to fall into my net; and I do see phishing as real-life fishing, it’s all about practice/patience/technique, of which I can say that I possess only the last one; however, I bought a new type of bait…
Yeah, I’m not speaking of any new phishing method, or of how to hide your fake copy website’s domain; I’m actually re-domaining it (new word here) by manipulating the hosts file (nothing fancy)…
Next time you go phishing, remember to take the new bait with you… and why not plant it in iCafés for more fish to be caught… How should you use it without complicating things? By using the following commands:
—
echo # >> %WinDir%\system32\drivers\etc\hosts
echo malIP dom.spoof >> %WinDir%\system32\drivers\etc\hosts
—
The # insertion is needed for a new line; the rest you can deduce. If you want it on one line (more compressed) and more insertable into shellcode, then use the following form:
—
cd %WinDir%\system32\drivers\etc\ && echo # >> hosts && echo malIP dom.spoof >> hosts
—
If you catch big fish with this, I don’t mind you sharing it… you know, I am usually hungry… especially if you catch a catfish…