web application security lab

Links Roundup

I’m falling way behind in links that people have been sending me, so rather than post about each one, I’m doing something unprecedented on this site and throwing them all into one post. Yes, there’s lots to talk about, but I’ve been swamped over the last few weeks and will continue to be swamped for another two weeks (on a long term client engagement). So here goes:

Today christ1an launched a new aggregation website for web application security called Planet-websecurity.org. If you want to get all your web app sec news in one place, this might be a useful service for you to check out. Right now there are only 7 sites or so being culled together (this site is included) but I’m sure more will come in time.

Blogspot is vulnerable to HTML and JavaScript injection. Erwin Geirnaert emailed me about this one a while back and I was a naughty boy and didn’t post it. You want to put up a phishing site on Blogspot? Well it’s easier than you may think. No obfuscation required, just add your own JS and you’re off to the races. Bad, Google, bad.

There are many XSS vulns in Wordpress themes. This is an oldie but a goodie. I don’t use any downloaded themes, because they never go through any sort of third party review (or first party for that matter). And if you don’t want to take my word for it, check out this site. Nasty.

It’s the National Internet Safety Month in June. Do you think we’ll see any drop in identity theft? If the US government is doing campaigns on how to protect yourself, and most of us haven’t even heard about it, I think the money is probably not particularly well spent - especially considering how education doesn’t equate to a drop in fraud ratios. Why can’t I choose not to spend my tax money on things I know will fail? Wouldn’t that be nice? More info on Mustlive’s site.

Ken Clarke sent me an email a while back about how the FBI is having a bot roast. Let’s break the backbone of robots! While a cool project, I’m not sure they are going to get too far without help from the community. I’d love to see a clearing house for this stuff, a la APWG and Cloudmark. Anyone have some disc space and want to write a plugin into mod_security? I think you’d have a big reaction from the community.

Sorry for being so behind on some of this - some of this stuff is a month or more old, but it’s still interesting, and I just never found the time to write about any of it.

16 Responses to “Links Roundup”

  1. Edward Z. Yang Says:

    Editorial note: You’ve duplicated links for Blogspot and Wordpress.

  2. RSnake Says:

    Thanks, Edward! I fixed it. Too quick on the copy-paste!

  3. christ1an Says:

    That Blogspot is vulnerable to XSS is pretty old news by the way.

    http://xss-poc.blogspot.com/
    http://xssvulnerabilities.blogspot.com/

  4. RSnake Says:

    Yup, as I said, some of this is very old. :)

  5. Anonymous Says:

    http://www.mixpanel.com/search/?filter=1&sort=2&cat=3&page=1

    It has an extensive security section, something to be rivaled with IMO.

    Tons of XSS related blogs are on there including this one.

  6. christ1an Says:

    Not bad but I think “tons of blogs” are a bit too much to check on a daily basis. I’m curious to know whether the planet is going to work ;)

  7. Awesome AnDrEw Says:

    I don’t speak Dutch well, and from what I gathered the issues with Blogspot were simply creating an entry using a script. Does this really count as XSS? Sure you can phish data in this manner, but many websites, with blogs in particular, allow you to post whatever rich data you would like.

  8. Kishor Says:

    Unless the XSS is on blogger.com domain, it’s pretty much a ‘feature’ rather than a vulnerability.

  9. LakeHouse Says:

    I didn’t think Internet Safety Month was geared as much toward identity theft as much as safe practices for children online. I understood that it was an attempt to educate parents, teachers, and kids about the dangers of online predators and to encourage safer social networking practices online. As far as sites are concerned, I know NetSmartz411.org has been talked a lot about. It teaches parents ways to monitor their kids. If parents have questions, they can even email them to this site and they respond with a personalized answer.

  10. RSnake Says:

    Yes, a feature that allows me to phish users. Wonderful feature there. :) Way to go Google.

  11. RSnake Says:

    @LakeHouse - I think it is that and more, although you may be right that that is a big part of it. Here’s one link: http://www.ncjrs.gov/internetsafety/id_theft.html

    So perhaps it’s both? Either way - I doubt highly that it will have any impact whatsoever. We can compare notes this time next year though. ;)

  12. Kishor Says:

    Do you absolutely require blogspot for phishing users? Find XSS on any site and add your script to it. You may argue that more users will trust blogspot.

  13. Ronald van den Heetkamp Says:

    @Kishor

    This is already being done, there have even been found instances of phishing links on the index of blogger.com. It is very profitable to generate a couple of phishing blogs.

    And remember if XSS is possible on the blogger.com domain, this sets also plenty of other threats, just like the DOM storage engine in FF which allows cross site scripting on a single domain.

    It is just bad security and it needs to be fixed, that’s why I have a terrible time visiting bloggers, for this reason alone.

  14. RSnake Says:

    @Kishor - Ronald is right on the money, no, I don’t need any one site in particular, does that mean I can’t phish on Blogger? Absolutely not. Should they be added to Google’s own blacklist if they are shown to have phishing sites on their own domain? Absolutely. Will they? Probably not. It’s just bad practice and needs to be fixed because lots of people willingly type their passwords into sites they think are trustworthy.

  15. decimus Says:

    and I use blogspot. haven’t known that it’s so easy to do JavaScript injection… :-(

  16. dotacje unijne Says:

    @decimus: don’t worry, blogspot is now more secure!
    regards