First of all I apologize to my existing readers. I never meant for this site to be non-technical (far from it). However, yesterday I got an email that really needs to be dealt with on this blog. So for this entire post I am going to keep things as non-technical as possible, so that it serves as a useful page to point people to when they find themselves with web application vulnerabilities. Yesterday, Nukecops.com attempted to shut down ha.ckers.org.
It all started on September 28th at 11PM PST when Ghozt disclosed a POST cross site scripting vulnerability in nukecops.com. While Ghozt has been a member of the web application security forums for a while, he is not an administrator of the website. On the 29th we received this email, forwarded to us by our upstream provider (forgive the formatting - it’s gone through a number of forwards):
whois indicates you are hosting the server ckers.org at
A user is using this server in an attempt to exploit our server through the file
It is likely that they will continue to use this and attempt to hack other servers. This is a violation of your Acceptable Use Policy as stated here: http://www.sonic.net/support/docs/policy.shtml
We hope you will remove this user and ban him from your service.
———- Forwarded message ———-
Date: Sep 29, 2006 2:59 AM
Subject: Blocked abuse from 184.108.40.206
Date & Time: 2006-09-29 08:59:05 CEST GMT +0200
Blocked IP: 220.127.116.11
User ID: Anonymous (1)
User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:18.104.22.168) Gecko/20060909 Firefox/22.214.171.124
Query String: nukecops.com/modules.php?name=Search&query=<script+src=http://ha.ckers
Get String: nukecops.com/modules.php?name=Search&query=<script
Post String: nukecops.com/modules.php
Forwarded For: none
Client IP: none
Remote Address: 126.96.36.199
Remote Port: 38026
Request Method: GET
– Evaders99
Webmaster of http://www.SWRebellion.com
SWCIC - http://www.swcic.net
NukeCops admin - http://www.nukecops.com
I had thought after the fallout with Acunetix and F5, companies would wise up. But let me start by explaining my view on why this site exists. It’s a personal tale, but I think it’s one worth telling. I’ve been working on security for the last 12 years. That’s a lifetime in the security space. In that time I’ve seen countless security holes and countless ways to mitigate those holes (build a better firewall, or apply a patch and poof, you’re secure). For the first time in my life, I really don’t know how to solve these issues. Not from my own perspective, but from that of two people I happen to care about - my own parents.
So I gave them the best advice I possibly could that I knew would stick. I told them not to open any spam they received. That is the single greatest conduit they have for getting malware on their system. They are not the type to go surfing around random places on the internet, or downloading pirated software or otherwise visiting the darker parts of the net. However, they ARE likely to visit their banks, or stock pages, or bulletin boards about their hobbies. In the end, as smart as they are, they are also great candidates for XSS credential theft, or otherwise having their identities stolen. There’s nothing I can do to protect them during that 0.1% of the time they are in danger that wouldn’t make the other 99.9% of their web surfing experience worse.
No one is perfect at application security, and the point of the full disclosure list is not to out companies, per se. It’s to raise awareness of the issue and get people thinking about how the attacks work in real life, as well as how to mitigate those attacks. All this for the eventual purpose of protecting those people who don’t have the means to do so themselves. This is a web application security lab. We run tests. We gather data. We report on that data. I’m not out stealing people’s credentials, their data or their livelihoods. That’s not my style. There are better ways to make money.
What I and the others on the web application security forums are attempting to do is explain to companies where their holes are, and we are finding out a great deal of information by aggregating it all into one place. So much so, that at least two great findings have come directly from the posts that people have made and the research that goes into finding these issues. Nukecops.com is not special. In fact, I don’t even consider them an especially interesting target. No, they aren’t good at security, and they are even worse at mitigating the risks, but they aren’t any different from any of the other sites. Frankly, if I never hear the word “PHPNuke” again in my life I’d be a happy man.
I hate to bring up the Visa redirect issue again (I find it annoying to call people out for their mistakes when they make good on them), but I was so impressed by them that I think it’s worth mentioning once more. From start to finish the issue was disclosed, they verified the hole, and fixed it all within 30 minutes. Not only that but they forwarded the users to an anti-phishing page to help educate them. That’s exactly the right way to deal with the issues. Fix them and move on. Protect your consumers by taking responsibility for your website and fixing the known issues as expeditiously as possible, not by shutting down the single greatest repository for the information on how to protect them from those very same holes.
The thing about XSS is that each hole I find (with only a few very rare exceptions) is ridiculously easy to fix if you look at it under a microscope. The problem is that fixing one issue won’t stop any bad guy from looking for the other one that wasn’t fixed. So without proper tools to locate and diagnose every hole on the Internet, the best we can do is catalogue the cross site scripting vectors and discuss mitigation concepts. The only way to do that is to proactively find issues in real web applications by testing their filters for real world mitigation circumvention. Additionally, I poke at every browser to see how it interacts with websites, looking for ways in the browsers themselves to protect users, or for new holes that need further consideration.
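To make the point above concrete, here is an added example (my own illustration, not code from this post, from Ghozt’s report, or from PHP-Nuke) of a search page that reflects the user’s query into HTML. It contrasts the kind of one-vector “fix” that blocks only the exact payload someone reported with the boring, correct fix of encoding the output for its HTML context. The payloads and the script URL are constructed for the demo; the real request in the email above was truncated and its exact URL is not known.

```javascript
// Added example: reflected XSS in a search page, a naive blacklist "fix", and
// the real fix (context-aware HTML encoding). Not from the original post.

// Constructed payloads for illustration only (URL is a placeholder, not the real one).
const PAYLOADS = [
  '<script src=http://example.invalid/x.js></script>',            // the reported shape
  '<ScRiPt src=http://example.invalid/x.js></ScRiPt>',            // case variation
  '<scr<script>ipt src=http://example.invalid/x.js></script>',    // strip-once bypass
  '"><img src=x onerror=alert(1)>',                                // no script tag at all
];

// Naive blacklist: removes the first lowercase <script ...> tag and nothing else.
// This is the "fix one vector, leave the rest" pattern the post describes.
function naiveFilter(query) {
  return query.replace(/<script[^>]*>/, '');
}

function renderNaive(query) {
  return `<p>Search results for: ${naiveFilter(query)}</p>`;
}

// Proper fix: encode every character that has meaning in HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

function renderEscaped(query) {
  return `<p>Search results for: ${escapeHtml(query)}</p>`;
}

// Demo oracle: list any opening tag other than the page's own <p>, plus any on*= handler
// attribute. A real check loads the page in a browser; this tokenizer is only for the example.
function injectedMarkup(html) {
  const found = [];
  const tagRe = /<\s*([a-z][a-z0-9]*)([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (name !== 'p') found.push(name);
    if (/\bon\w+\s*=/i.test(m[2])) found.push('on*-handler');
  }
  return found;
}

// For each payload, does the rendered page still contain injected active markup?
function evaluate(render) {
  return PAYLOADS.map((p) => injectedMarkup(render(p)).length > 0);
}

console.log('naive filter  ->', evaluate(renderNaive));   // blocks only the reported payload
console.log('HTML encoding ->', evaluate(renderEscaped)); // neutralizes all of them
```

The naive filter "works" against the one request that was reported and fails against a case change, a nested tag, and a payload that never uses the word script at all. Encoding the reflected value on output fixes the whole class for that injection point, which is the sense in which these holes are easy to fix once you look at them properly.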
No, I don’t work in security - I do this out of my own interest in it. I don’t directly benefit from it. In fact it is very difficult to run this site. I do it for my parents. I do it for your parents. I do it for the millions of consumers who make up the financial future of the Internet that we all use. I know the futility in the concept, as there will always be security holes, but by shutting me up you are only making that problem worse, not better. The holes don’t go away when people like Ghozt don’t have a place to post them; all it does is lessen the pressure on websites like nukecops.com to take responsibility. And who knows, without a place to post, perhaps out of frustration, he or others would resort to more malicious activity after having been ignored once too many times, having lacked a proper constructive outlet.
So even as I put Evaders99 on my list of people who clearly don’t “get” it, there is still hope for him and other people like him to take the correct approach and solve their issues and protect us as consumers. This doesn’t mean they need to issue a press release, they simply need to fix their own known issues so people like my parents can use the Internet without risking their financial security in doing so.