web application security lab

Owning Ha.ckers.org - Or Not

Some people think I’m paranoid - as if the world is out to get me. Honestly, I’ve always just thought I had a healthy dose of reality. As a result I’ve taken some pretty insane precautions with this site to protect it from itself and its owners (myself and id). Thankfully, that time was well spent, although yesterday I realized it probably just wasn’t enough. Sirdarckcat and Kuza55 decided they wanted to own ha.ckers.org by defacing it. Alas, not only were they unsuccessful, but they were unsuccessful in several different ways. Here’s how it _should_ have worked.

Firstly, they posted a relevant-looking link on one of the posts, pointing to a site I wouldn’t recognize, to social engineer me into looking at it (http://ultimatehxr.googlepages.com/httpresponsespliting.html). Btw, thanks for hosting malicious content, Google - way to keep your site clean! Next, they pop open two iframes - one to the paper in question, which is actually written by someone else, and the other to a site (http://www.x.se/xjcj) that performs a redirection to Sirdarckcat’s site (http://www.sirdarckcat.net/blah2.html).

Next, the wannabes attempt to use the CSS history attack to detect whether I have posted to this site. In doing so (without JavaScript - thinking that I use NoScript for all my JavaScript protection) they pop open an iframe to my site: (http://ha.ckers.org/xss.swf?a=0:0;a/**/setter=eval;b/**/setter=atob;a=b=name;), which is a vuln in NoScript. The “name” variable corresponds to a huge embedded payload. That payload contains an XMLHttpRequest that automatically posts their content to this site, with an additional bonus of a tracking pixel so they can see that it worked. Yup, that’s how it should have worked. Nope, it didn’t.

While we have some pretty insanely good mechanisms for protecting this site, ultimately we did have one hole, which was rectified by simply removing access to xss.swf - so if you used it for testing, I apologize; you can blame Sirdarckcat and Kuza55 for making your testing harder than it needs to be. I tried to provide access to tools, despite the additional personal burden of upkeep, but when they are abused I have to remove them.

So now the real question is what should I do about it? I went from being pissed off, to dumbfounded and back again. I decided not to post this yesterday for a few reasons, mostly to collect my thoughts, but I still haven’t come up with anything I’m particularly in love with. Clearly banning won’t work: aside from IP bans and nuking their existing accounts on sla.ckers, both of which they could easily evade, I’m a little short on options.

Do I publicly humiliate them? Do I remove all references to their pages everywhere on the site, since both of their sites should be considered malicious at this point? Do I post their docs? Do I test out the extradition treaties of Mexico and Australia (their respective countries)? Since they were doing it for credit, do I show all the ways in which they were insanely sloppy (like building a site with my name on it for testing, http://rsnakex.wordpress.com/)? Do I close up shop because my own readers are turning on me for no apparent reason (one of whom I had made a potential offer of a future position within my company - and no, that is no longer on the table)? I’m stumped. But one thing I do know - I’m not wearing a tinfoil hat for nothing.

76 Responses to “Owning Ha.ckers.org - Or Not”

  1. Sid Says:

    I’m pretty sure this was in the name of fun and was a practical joke. I very much doubt there was any malicious intent.

    While I’m glad their joke failed I’d have been more happy had it succeeded. Not because I want your site to fail (I don’t), but because the prank would have been successfully pulled off.

    I really don’t think you should punish them at all for this. I can honestly say I wouldn’t.

  2. CrYpTiC MauleR Says:

    Kinda sucks, since Sirdarckcat in my opinion is very knowledgeable in JavaScript. Both have contributed very interesting posts on the forum, and personally I think removing them would also remove that pool of knowledge from being shared with other members. Yes, they did do bad, but they should be punished by public humiliation rather than by removing references to their sec contributions. Visitors should be aware that any site that hosts malicious code, be it live code or a text file, should be considered hostile.

  3. Adam-_- Says:

    I’ve not commented on here in a while (or even visited tbh) but I’m very surprised that Kuza55 would do that. When I did visit here a fair bit he seemed pretty active and helpful!

    Maybe it was just a halloween joke?

  4. Awesome AnDrEw Says:

    I noticed the link the other day, but didn’t bother to give it a second look. No reason to close up shop though rsnake, because as I’ve told many people before you can’t please everyone. “There are two types of people in this world: Those who like me, and those who can go to hell.”

  5. Ronald van den Heetkamp Says:

    Pretty lame to try it out, I told RSnake I personally never tried anything on .ckers.org for the reason that most stuff is an aid in testing sites, and he probably covered most holes. The holes left are useless ones, like any site got them.

    I’ve got tools running also, hey did you know you can execute a XSS on: hxxp://browserfry.0x000000.com ? go on, own me, just for providing the tools.

    Just remember I never had any holes other than the features I intentionally provided. Does this make it a vulnerability? of course not, it’s just wanking.

  6. nEUrOO Says:

    I’m also surprised they did that for malicious purposes…

  7. ChrisP Says:

    The fact that their attack didn’t succeed and that you were able to easily demonstrate why proves you’re a (big) notch above them. You beat them at their own game, they’re the losers.

  8. RSnake Says:

    I don’t know if it was a joke or not, but it certainly was intended to make me look bad. From a snippet of the payload, ‘[snip] the vendor is a security “expert” and needs to “secure their shit!!!1111″?’ I didn’t realize they were starting a defacement crew. Lame.

  9. char Says:

    When you were thinking about what action to take concerning this, you made a mistake choosing this one.

    We appreciate knowledge. You understood the security implications of putting that swf up. If you wanted you could have made a testing domain.

    You can’t blame people here for exploiting vulnerabilities. You can blame these two douchebags for breaking a circle of trust you might have placed them in.

    But using phrases like “extradition”, “my readers turn against me”, … and more is just lame.

    I certainly feel like I wasted my time reading and commenting on this article.

  10. RSnake Says:

    @char - I was being somewhat rhetorical, although the thought of prosecution definitely did cross my mind, since I have been talking with the Center for Democracy and Technology (they are a government advocacy group) as they want to add in the CSS history portion of that exact hack as an actual illegal activity. Obviously the rest of the attack was illegal, even if it failed. Despite that, no, I’m not going to call the authorities about this.

    But I’d like to correct some of what you said. When I put that swf up (more than a year ago) it wasn’t exploitable in any known way. I also wasn’t aware of the setter vuln or I would have taken precautions. Also, I don’t think you understand how this attack works. It basically makes the assumption that I trust my own domain(s) by whitelisting them in noscript. It wouldn’t have mattered that I put it on another domain. Once they had their JS running on my browser (on some site like test.site.ckers.org) they performed a CSRF form post, which could have been to another (in this case ha.ckers.org) domain.

    I’m sorry if you found it to be a waste of time. Many other people find this kind of thing interesting (there has been a lot of off-line talk about this), especially the use of the CSS history portion of the attack (which I also find amusing because a number of times I have been fought on the legitimacy of it as an attack vector). The irony is thick.

  11. Withel Says:

    You guys take yourselves way too seriously…

    Nothing personal, RSnake - I’m a fan of your blog and you’ve contributed A LOT to my knowledge.

    But honestly… Unless the payload really contained something “aggressive” (it all depends on that), this post sounds ridiculous. So does char’s comment.

    Anyway, the description of the [failed] attack was really interesting, and worth reading.

    Please, keep up the good work with your blog - that’s the web: I’m sure this wasn’t the first time (and won’t be the last) someone tried to own ckers.org (for fun, profit, or lameness)… I’ve already tried once or twice! (kidding!)

  12. RSnake Says:

    @Withel - It’s definitely not the first time we’ve been targeted. I think we get several hundred legitimate hack attempts per day (it all bounces right off the site’s security defenses obviously). However, I think I was somewhat offended at their intentions, given that it wasn’t simply academic. It’s not like they just wanted to prove they could do it, they had a whole huge post written to ridicule my security (which turns out to be ironic given that it failed).

    I guess it all depends on your definition of aggressive. If it had succeeded it could have theoretically hurt my reputation or cost me work in the future. I can’t predict what the outcome would have been. Ultimately, I take it seriously. Granted, I think this site is a huge target, but we do what we can to mitigate that risk so that readers of this site can have a relatively safe place to learn. With other (malicious) people in control of the site, you’d be taking an even bigger risk visiting the site than you already do.

    But you’re right, I tend to take this kind of thing pretty personally. I guess that is amplified by the fact that the exploit literally had my name all over it.

  13. ascii Says:

    “extradition”

    “my readers turn against me”

    “Despite that, no, I’m not going to call the authorities about this.”

    “since I have been talking with the Center for Democracy and Technology (they are a government advocacy group) as they want to add in the CSS”

    damn rsnake, hack the hacker (TM) is okay until it’s for fun, or not?

    sorry but in this post you look like a dumbass, if they are the juniors and you the experienced one please act accordingly making fun of them and taking your “revenge” in an ironic and mature way

    this seems a bit too much to me and probably you are not making as good a show as it could have been, while i totally respect your ideas, everybody takes it in their own way and every time differs

    i really hope in an early pacification

  14. kuza55 Says:

    @RSnake:
    We’re sorry, we really didn’t think you’d react this way. It *was* meant to be a practical joke, and the message was meant to be light hearted. What you quoted, ‘[snip] the vendor is a security “expert” and needs to “secure their shit!!!1111”?’, was meant to be sarcastic, and I was just poking fun at all the defacement crews who run around screaming that.

    I am EXTREMELY sorry that you feel we want to turn against you or make you look bad. If we’d known you would have thought this we would have reported it to you.

    Furthermore, it’s a simple fix to the Flash file (just add a semicolon to the end of the getURL parameter) to make it look like this:
    getURL("javascript:alert('XSS');", "_self", "GET");

  15. kuza55 Says:

    Me and sirdarckcat both look up to you. We made a bad decision here, clearly. We just thought it would be a practical joke. We understand that XSS issues can and do happen to anyone.

    If I had known you would see this as a sign of any kind of disrespect we would have stopped immediately.

    Again, I am so exceptionally sorry that it seemed disrespectful, and frankly, it is all MY fault. sirdarckcat is completely innocent here, this was my idea of a practical joke. Clearly it was not, I am sorry :’(

  16. kuza55 Says:

    Is there anything I can do to make this right in your eyes?

  17. Ronald van den Heetkamp Says:

    @ascii

    Try to run such a site yourself, then judge. It’s like waking up and reading the bullshit posted all day, seeing countless attacks on your server, all doing the same stupid thing, even with their home IP. Personally I get tired of people trying to SQL inject me, or even XSS attack me, leaving all their fingerprints around it, making so many requests that bandwidth is increasing each time etcetera.

    It’s always easy to judge something and comment on something; it’s a different ballgame to actually provide tools and put trust in readers. If there was a REAL hole I would not have any trouble mentioning it, but a defacement or attempt at one, or even XSSing tools that you can freely utilize while RSnake is taking the full hit when that URI is found in server logs from PayPal or even the Pentagon, is something to respect.

    On a personal tone:

    I think it’s lame, real lame. Cuz it doesn’t impact anything other than making yourself look silly. And yeah indeed it did, when Stefan Esser mocked PDP’s CSRF tool, I showed that Stefan has a bigass XSS hole in his own forum, leaving him a dumbass. Since that time I shut down any comments on my own blog, just because i got sick and tired of this hatred against each other, I told this before but it is true, the ratio of comments ran from 90/9/1.
    90% crap, 9% posters who are really interested, and 1% who really contribute.

    Now that I’m only reachable through e-mail, I get only the good stuff, people who sit down and take the time to write an e-mail to discuss something, instead of squirting it all over the place in a blaze of boredom.

  18. RSnake Says:

    @ascii - I never look for fights. If there is an easy way to rectify this, I assure you I will.

    @kuza55 - there is no way sirdarckcat is completely innocent, his site hosted the malicious code. So while noble, it’s pretty transparent.

    Anyway, let’s take this conversation to email. No need to prolong this thread.

  19. char Says:

    Yeah, shame on me for not researching what vulnerability you were actually talking about.

    I was just reacting to your apparent “angry state”. Which I would expect from somebody who doesn’t understand, or previously anticipated the risks.

    Right now I can’t track anymore who was being rhetorical, sarcastic, ironic. But I conclude this is somewhat of a non-event. No matter which government body you involve in the discussion, that parts of their attack might be “illegal”, do we even care?

  20. thornmaker Says:

    rsnake - I apologize too for having been ‘in on it’. I can honestly say SDC and Kuza (and I) are among your biggest fans, and nothing about it was meant to make you look bad. The main intent was to highlight several new tricks (like the css browser history hack, the JS setter trick, the eval name trick, and others) by combining them into a Halloween sort of a prank. Had it been successful (or not) we knew you would be immediately alerted to the fact that _something_ had happened, and the trail was made easy to follow so that you could undo the post within minutes.

    Again, I am sorry for the poor judgement on our part and that it was not received as intended. I’m sure SDC would have already responded as well, but he is gone for the weekend at a coding competition.

  21. ascii Says:

    @ronald: sorry didn’t get your point but i don’t want to add more noise. i guess you were telling me something like “why people attack instead contributing?”, if so i totally agree

    @rsnake: glad to see an opening. it would be really sad if an agreement of some type wouldn’t be reached between “us”, that consider ourselves somehow smart


    always for peace and good l(i|o)ving

  22. Jib Says:

    For some reason I thought I recollected reading somewhere on this site that under no circumstances should users of the site target the ckers.org domain in any type of attack, testing or otherwise. I don’t post frequently, but I certainly read frequently. These two have posted some good stuff in the past, but I will look twice when reading their contributions going forward.

    @RSnake - maybe you can modify WordPress to have some sort of “Tar and Feather” icon next to names of people whose contributions should not be fully trusted.

  23. GlassHouse Says:

    Let’s be honest here RSnake. You’re an XSS/JavaScript/CSRF ‘hacker’ and someone tried using the flaws you preach about against you. You use the handle ‘rsnake’ which tells us you know your audience as well as what they may do to you. This shouldn’t be a big deal since it failed.

    The fact it failed you can laugh about and stand on a higher ground (good for you for stopping it!). The fact is you cater to this audience and teach/preach these exact sorts of issues. Consider this an attempt by a reader to own their ’sensei’ so to say.

    In a nutshell
    - Good for you for not being owned
    - Bad for them for trying/failing
    - Good for you for hardening your site, this isn’t an easy task
    - Bad for you expecting a hacker audience to never seriously attempt exploiting you. Bad for you not taking it for what it is and complaining about it.

    Consider this an example you can tell your customers about. Tell them some of the best people out there almost owned you and failed because you’re the XSS/CSRF rambo of the web.

  24. roberta Says:

    Hacker drama! :)

  25. sirdarckcat Says:

    Hi

    oh, rsnake I’m so sorry about this.. I promise this was a simple joke, we found the XSS (actually I thought it was broken, but.. “it was broken in a fun XSS way”), then the NoScript filter setter bypass vulnerability, and well, we had everything.. Any way, we knew you were going to find out immediately about the bug (since it included an alert("XSS")), and you were going to delete it immediately (this was a joke for you, not for your readers).

    The reason I hosted all the exploit at www.sirdarckcat.net and not the fake googlepages.com domain, is because I wanted you to know that we were the ones that made it (so if the exploit was unsuccessful, you could easily track everything down, and we even commented the CSS so you could easily understand it, since it was a little confusing, since it used “the history” stuff, a NoScript vulnerability against IFrame protection, and a CSS bypass rule for detecting the .htaccess).

    Well, since this exploit had all the research made the last month, by almost all researchers of webappsec, we wanted to show one cool advanced one, sorry if this was unpleasant, we just wanted to have fun, and come on, the text inside the blogpost was very naive and cool, if we had really wanted to attack you, we would have added another type of payload.

    Any way, sorry again, we are still big fans of you, and we thought you would take it cool, sorry

  26. RSnake Says:

    Look, I’m not a bad guy, and frankly, I don’t care if you guys want to have fun. That’s just not at all how I read it when I saw it. Maybe the wording was poor, maybe the actions were poor, either way it was misinterpreted. Kuza55 and I have been chatting over email and yes, there was some trust broken, but I can see why you guys wouldn’t think this would be a big deal. Maybe it wasn’t the best judgement call, but I don’t think you guys had malice in your hearts, and that’s the most important part to me. It’s a non-issue since it wasn’t successful, but let’s just keep that kind of stuff to a minimum going forward. Anyway, it WAS a cool hack, had it worked, and it’s definitely fodder for future speeches (since I’m on the speech circuit lately). Just remember the number one rule of sla.ckers is don’t spam/hack the spammers/hackers. If that’s not too much to ask….

    I may not be able to bring peace to the world, but I do have the power to put an end to this. Thanks for apologizing kuza55, thornmaker and sirdarckcat. All’s forgiven.

  27. fixitchris Says:

    @ha.ckers org - Rsnake is completely within his rights, and dude, you should not back down. If this were me, their trust would be gone.

    The payload speaks for itself; those elite wannabes who still spell Es with 3s are stuck back in the eighties man and they wish they were as good as you, unfortunately all they know is how to slap a string into the payload, all other code isn’t theirs.

    So Rsnake, keep up the good work man. Your anger and disappointment is fully justified.

  28. sirdarckcat Says:

    @fixitchris:
    I’m sorry to tell you that we don’t speak with “3”s instead of “e”s, and that the code in the payload is ours, except for the CSS History.

    Oh, and I was born in the eighties, so I doubt I am stuck back there lol.

    Anyway, if all the payloads look the same to you, you may need to learn a little more :).

  29. Giorgio Maone Says:

    For those who did not notice yet, the setter+name XSS bypass (which, by the way, could work only against server-side holes like this where there’s no need for HTML injection, just pure script) is defeated by current NoScript (1.1.7.7), released yesterday and delivered through automatic updates.
    Many thanks to RSnake for making this public.
    Sirdarckcat apologized with me as well for the silent “0day”, let’s hope the kids really changed their mind: http://hackademix.net/2007/11/05/youngsters/

  30. TheHorse13 Says:

    In the words of our hero, the comic book guy, “Worst post ever.”

    Actually, after reading your original post, they clearly left a trail a mile wide as to who was responsible. My first thought was that it smelled like a joke for that simple reason. Anyway, I hope everyone gets matters hashed out.

  31. H D Moore Says:

    It is all about intent. Using a bug to post a “hey, neat, a xss flaw!” is a lot different from trying to inject an insult. In terms of embarrassing them, I think your job is done. Fscking losers.

  32. PotAndKettleAreBothBlack Says:

    So did Matt Cutts act any differently when you did the same thing to him?

    http://ha.ckers.org/deathby1000cutts/

  33. anathema Says:

    Great attempt guys but common decency states that you don’t shit on your doorstep.

    I understand the longing to test out a decent hack but if it was for Robert to find as you state then why the

    “[snip] the vendor is a security “expert” and needs to “secure their shit!!!1111”?”

    Anyway moving on - nice way to compile loads of stuff in the wild,
    and nice one Rsnake - for finding it and dealing with it.

    I would however like a really detailed breakdown of all the code used and how it was foiled.

  34. kuza55 Says:

    @anathema:
    That was my idea of satire…obviously not expressed well enough, and I think it’s being posted a little out of context…..I was kinda referring to Stefan Esser’s little spree last year where he tried to make fun of pdp/Shiflett about having XSS holes in the tools they provided, which I thought (and still think) was a complete over-reaction on his part.

    Anyway, if you want to see the whole post go to Giorgio’s post: http://hackademix.net/2007/11/05/youngsters/ for the full payload (though I swear, ours actually had some paragraphs & formatting)

  35. anathema Says:

    After reading the whole of the message I think it was, but Robert’s post should have contained it and not a misleading snippet.

    its obvious that no malice was meant. (but I guess for Rsnake this is his window on the world and is also seen by customers as well as other researchers so a defacement could cost business?)


    0wning RSnake For Fun and PageRank

    So, you’re sitting on the sla.ckers.org irc channel one day and someone is poking around with one of RSnake’s tools, and finds that it’s not working, or at least that’s what it seems like until they realise that it’s not just broken, it’s broken in a fun XSS way :) - what do you do? Do you:

    a) Urge the person to report the problem to the vendor (RSnake), and get mad props for being awesome?
    b) Scream about how the vendor is a security “expert” and needs to “secure their shit!!!1111”?
    c) 0wn the vendor for Fun and PageRank

    Well, to me, the answer seemed fairly obvious. Since the “Evil Advertising Empire” (Google), cue ominous music….now, had done a little dance and increased the PageRank of our blogs, we had gotten a taste of the power which we could amass, muahahaha, and we wanted more! Or at least I did…..

    So anyway, Hey RSnake :) Thanks for the free advertising space.

    Anyway, credit goes to:
    sirdarckcat for not only being generally awesome, but finding the actual exploit.
    thornmaker for (inadvertently) providing us with a method to get our payload through NoScript (Javascript variable setters and window.name FTW!), so umm, hey thornmaker :)
    Gareth Heyes for doing that awesome research on selective payloads using CSS, which were implemented in the exploit.
    kuza55 for not really doing anything, but being in the right place at the right time but being able to get some free Googlejuice from things anyway :p
    Oh, and, of course: XSS!

    We now return you to your regularly unscheduled posting ;)

    - kuza55 & sirdarckcat

    P.S. Thanks for directing carja.ckers.org to 127.0.0.1 :)
    P.S.2. Sorry .mario, NoScript is the new attack playground :P, we’ll be back to php-ids ASAP.”

  36. Victor Says:

    Phew! glad that’s over. I bet we all learnt lessons from this one. Hey I didn’t know U could beat noscript with that. *SWEET* RSnake well done (Still my idol man!). I guess we’re back to being one big hacker family lol

  37. RSnake Says:

    Thanks everyone for the comments - for a detailed look at how the exploit works you are welcome to click the URLs and investigate. Everything should look and work the way it did, minus access to xss.swf until I’m convinced it’s secure (and as of now, it’s not for some small subset of users who haven’t gotten the NoScript upgrade). The rest should be pretty straight forward if you know how to Base64 decode the payload.

    @PotAndKettleAreBothBlack - Please (re-)read “Death by 1000 Cutts”, I never hacked Matt Cutts, I never even tried. I just wrote a paper explaining how it was possible - I even sanitized his info, which I was under no obligation to do. *sigh* Google fans.

  38. sirdarckcat Says:

    HDMoore:
    we didn’t post an insult, the post was something like:
    http://rsnakex.wordpress.com/

    take out the smilies, it’s similar to the one posted by anathema and giorgio, but with some format :P

    Greetz!!

  39. kuza55 Says:

    @RSnake:
    Check your email, we figured out what the root cause of the bug was, and I sent you an explanation, and a fix. And we’re not just guessing either, it’s actually in the Adobe Flash docs.

  40. Ronald van den Heetkamp Says:

    @beating no-script

    It’s still possible to execute internal Javascript with or without no-script, because it has a higher priority/permission than the extensions, but of course I’m not going to tell anyone how to do this. It can be done, that is for sure. So no earth shaking discoveries being made here.

  41. Giorgio Maone Says:

    @Ronald

    Hum… “It’s still possible to execute internal Javascript with or without no-script”

    1. You should define “internal JavaScript” first. Of course there’s a lot of JavaScript running in Firefox notwithstanding NoScript, because most of the browser is written in JavaScript (e.g. chrome: scripts). On the other hand, there’s nothing like “a higher priority/permission than the extensions”, as the extensions are virtually indistinguishable from the browser itself, from a “power” standpoint. The main business of NoScript is preventing JavaScript from running on untrusted sites, not blocking the “good JavaScript” in the browser internals. So you leave me very curious about what you’re meaning…

    2. “I’m not going to tell anyone how to do this” — I’m sure you won’t, but if you really had anything worth and dangerous you would better tell to the one who can fix it (or know if it cannot be fixed), i.e. me :)

    3. “It can be done, that is for sure” — again, what exactly? No one here claimed to have discovered a method to bypass the script security manager, i.e. to run JavaScript on an untrusted site. What Sirdarckcat and kuza55 did has been bypassing the anti-XSS filter in an edge case, i.e. exploiting a vulnerable Flash movie which kindly executed any JavaScript passed on the query string, with no need of HTML injection and yet having to use an extraordinarily clever XSS vector (which, BTW, cannot work anymore in the latest NoScript releases). Ultimately, the JavaScript code got executed on ha.ckers.org only if ha.ckers.org was already in your whitelist, i.e. if both JavaScript and Flash were allowed by NoScript, and if the whitelisted site contained an unusually vulnerable spot (xss.swf) as it did. No “internal JavaScript”, no “higher priority/permission” and, of course, no “earth shaking discoveries” here… have you got any?

  42. RoboHelp Programmer Says:

    Sounds like the students were testing the teacher…

    …and failed.

  43. Ronald van den Heetkamp Says:

    That is where the contradiction and the answer lies. You give the answer yourself Giorgio, because it’s based upon Javascript, and cannot be turned off.

    This is a good example: http://www.0x000000.com/?i=434

    But then again I might have dreamt this some night… a lot is going on in my head at night ;)

  44. Ronald van den Heetkamp Says:

    BTW: permission IS an issue in the example above, since it just executes internally. I respect your work at Mozilla, but I thought you knew these things better than me. :P

  45. digi7al64 Says:

    my only comment is that if wordpress (and in fact all developers) implemented unique urls for administration then this type of attack would not have been possible as the attacker(s) would not know the url to make the attack upon.

  46. kuza55 Says:

    @digi7al64:
    Yes and no.

    You couldn’t have any links to the admin pages, since it would be entirely feasible to just follow the links. So while having random URLs for the admin pages would stop this, even one static URL with a link would compromise the solution.

    And that would mean the user would have to remember (or bookmark) the page, which isn’t very attractive once you realise that the user could forget, or accidentally delete the bookmark, and if it’s on someone else’s server (e.g. getting hosted by wordpress.com), that’s going to be a problem.

    You might get around this by letting users pick their own, but then we’d probably only need to do a dictionary attack on most sites to succeed, so while it would help in the case of a user using a good ‘password’ in the URL, it’s yet another thing for them to remember.

    And really, is it worth it, forcing users to remember what is really yet another password?

    P.S. I don’t know the answer to that question.

  47. digi7al64 Says:

    You raise some valid points kuza55.

    Therefore the feature should be implemented into the codestream and then made optional.

    I would also suggest that the actual login url could remain constant whilst the posting url is constantly dynamic… but then again you could also implement a simple csrf token to stop the attack (notwithstanding that the xss on ckers.org would have made this “token” useless anyways)

    So, whilst it isn’t a perfect solution it is another layer of protection and one I will be implementing very shortly into my own project.
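    RSnake notes above that the payload’s final step was a CSRF form post fired from a whitelisted origin, and digi7al64 raises a CSRF token as the mitigation. The following is an added example, not code from the original post or from WordPress, of the minimal token scheme that stops the cross-origin case: a token derived by HMAC from the server secret, the user’s session and the specific form action, checked in constant time before the admin handler does anything. The session ids, form fields and endpoint name are assumptions constructed for the illustration.

```python
import hmac
import hashlib
import secrets

# Constructed server-side key for this example only; a real deployment loads
# it from configuration, never from source.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, action: str) -> str:
    """Derive a CSRF token bound to both the user's session and the form action.

    Binding to the action means a token rendered into the public comment form
    cannot be replayed against the admin publish form; binding to the session
    means a token harvested from one visitor is useless for another.
    """
    message = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, action: str, token) -> bool:
    """Constant-time check of a submitted token against the expected value."""
    if not isinstance(token, str):
        return False
    expected = issue_csrf_token(session_id, action)
    return hmac.compare_digest(expected, token)


def handle_publish(session_id: str, form: dict) -> tuple:
    """Simulated handler for a hypothetical admin 'publish post' endpoint.

    The token check runs before anything else, so a forged POST fails here
    whether or not the attacker knows the admin URL.
    """
    if not verify_csrf_token(session_id, "publish_post", form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"published: {form.get('title', '')!r}"


def demo() -> list:
    """Run the legitimate request and three forged variants; return (case, status)."""
    admin_session = "sess-admin-constructed"
    other_session = "sess-visitor-constructed"

    good_token = issue_csrf_token(admin_session, "publish_post")
    comment_token = issue_csrf_token(admin_session, "post_comment")
    foreign_token = issue_csrf_token(other_session, "publish_post")

    cases = [
        ("admin form with its own token", {"title": "Hi", "csrf_token": good_token}),
        ("cross-site POST, no token", {"title": "0wned"}),
        ("token lifted from the comment form", {"title": "0wned", "csrf_token": comment_token}),
        ("token minted for another session", {"title": "0wned", "csrf_token": foreign_token}),
    ]
    return [(name, handle_publish(admin_session, form)[0]) for name, form in cases]


if __name__ == "__main__":
    for name, status in demo():
        print(f"{status}  {name}")
```

    Only the first case is accepted; the three forged variants are rejected with 403. The caveat digi7al64 adds in the same comment holds: once an attacker has script executing on the origin itself (as the xss.swf hole allowed), it can read the rendered token and submit it, so the token addresses cross-origin forgery only and closing the injection remains necessary.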

  48. Sid Says:

    My forum has the admin panel in a non-standard location. Haven’t had a single attempted log-in by a non-admin since the move.

  49. Acidus Says:

    There certainly is something to be said about tone and intent. It’s cool to have some fun but nobody needs to be a dick about it.

    Do you implement a disclosure policy? Some kind of R*Policy? :-)

    How should someone go about reporting vulns in your website? Perhaps this is a good example of how not to disclose a vuln? Either way, good fodder for the WASC/OWASP conference panel.

  50. Giorgio Maone Says:

    @Ronald:
    I must be too old or too stressed these days, but I just can’t understand what you mean with your xn--0000000-6ta.com IDN and your “internal execution” mantra.

    Feel free to explain here or by private email — I’ll sign an NDA if you’ve got some trade secret to keep ;)

  51. sirdarckcat Says:

    Sid & digi7al64:
    in either case we “could” be able to get the path to the admin panel by checking the referrer (since the comments get approved from the admin panel), so hiding the path to the panel is not a good security practice.

  52. Spikeman Says:

    sirdarckcat:

    I agree that it’s fairly useless security-wise but I can see the benefits. It would cut down on wasted bandwidth from automated attack bots and lame people trying to guess admin passwords.

  53. Tim Says:

    I would hope that this would not stop you from posting on your site. I love your page and the content is really helpful in my dayjob. I do security work for a living and focus on application testing and pentesting for a living. You post things out here that help me when I need a boost in a direction.

    Please, do not let a couple of noobs shut you down.

  54. digi7al64 Says:

    sirdarckcat:

    there are many ways to strip the referrer, so again this should be implemented into the codestream and then made optional.
    Thus, with the exception of images etc in the actual content being approved (which we could obtain the url from) there is no other way to determine the correct url and the attack is rendered useless.

    Also, hiding the path is a good practice, it’s another layer to the security model and as I always say, security is layers… and as we all know, you put enough layers on and they can never get to the panties!
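    A worked illustration of the two mitigations argued over in comments 47 and 54, a per-session CSRF token on the posting URL and keeping the (possibly hidden) admin path out of the Referer header: this is an added example, not WordPress code or anything the commenters posted, and the endpoint, session id, origins and sample requests are all constructed. As digi7al64 notes, script already running on the site can read the token, so this only stops requests forged from another origin.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side key generated at startup (a real deployment would persist it).
SECRET_KEY = secrets.token_bytes(32)

def csrf_token_for(session_id: str) -> str:
    """Derive a per-session CSRF token from the server key; nothing to store."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def csrf_token_valid(session_id: str, token) -> bool:
    """Constant-time comparison against the recomputed token."""
    expected = csrf_token_for(session_id).encode()
    return hmac.compare_digest(expected, (token or "").encode())

def referer_is_same_origin(headers: dict, site_origin: str) -> bool:
    """Secondary check: refuse a post whose Referer names another origin.
    A missing Referer is tolerated because proxies and privacy settings strip
    it, which is also why this check alone is not enough."""
    referer = headers.get("Referer")
    if referer is None:
        return True
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == site_origin

def handle_admin_post(request: dict, session_id: str, site_origin: str) -> tuple:
    """Hypothetical admin posting endpoint. Returns (status, body, headers)."""
    if not referer_is_same_origin(request["headers"], site_origin):
        return 403, "cross-origin request refused", {}
    if not csrf_token_valid(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token", {}
    # Referrer-Policy keeps the admin path out of the Referer header when the
    # admin follows a link inside a comment being moderated.
    return 200, "posted: " + request["form"]["body"], {"Referrer-Policy": "no-referrer"}

# Constructed sample traffic: one legitimate admin post and two forged ones.
SESSION_ID = "sess-abc"
SITE_ORIGIN = "https://blog.example"
LEGIT = {"headers": {"Referer": SITE_ORIGIN + "/secret-admin/post.php"},
         "form": {"csrf_token": csrf_token_for(SESSION_ID), "body": "hello"}}
FORGED = {"headers": {"Referer": "https://other.example/lure.html"},
          "form": {"body": "forged"}}
FORGED_NO_REFERER = {"headers": {}, "form": {"body": "forged"}}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("forged", FORGED),
                      ("no referer", FORGED_NO_REFERER)]:
        print(name, handle_admin_post(req, SESSION_ID, SITE_ORIGIN)[:2])
```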

  55. Kill the Wannbes Says:

    I think these wannabes (because they are neither elite nor even hackers, just a couple of wannabes with great JS knowledge) should be in the wall of shame.

    Also, security through obscurity is not security. Even if you are trying to make it look good by saying that this type of security is an actual layer, I think this is actually not a layer, it’s just a way to make things hard…

  56. Ronald van den Heetkamp Says:

    My bet is to nuke traffic that doesn’t behave itself, like crashing browsers automatically, until they are sick and tired of rebooting all the time, wearing them down :)

    @Giorgio, it’s all in that article if closely read. I can’t see how you could protect against it with NoScript, cause like I said, it executes in another context. ;)

  57. MustLive Says:

    It was an interesting and dramatic incident.

    It’s good that everything is finished. And you all are living in peace and happiness. Try to be friends.

    Guys, better not try to hack this site :-). RSnake is a nice guy and this is a nice site, from which I’m always waiting for good content.

  58. vartismz Says:

    so there they go>>> another two bite the dust…
    they deserve what they have right now (a sigh… I think)
    Just continue what you do best man…

  59. digi7al64 Says:

    @Kill the Wannbes

    essentially, your mindset is why web security is a joke. rather than implementing another obstacle, you simply brand it as making things hard and don’t (like most other devs).

    As for the “Security through obscurity” argument, it’s not the only solution but it is part of the toolbox and for you to ignore its benefits either makes you incredibly stupid or incredibly dumb (perhaps you should google “NSA - Secure Operating System Development” to determine if you think it is still a silly idea)

  60. Mephisto Says:

    Personally, I think it was an irresponsible thing to do. 1) RSnake is well known in the security industry 2) He has a business (sectheory.com) to run.

    What was the intent of doing this? To me, and possibly others, it just appears as an attempt to discredit RSnake’s reputation. Not only are you hurting his reputation in the industry, but you’re also targeting the way in which he makes a living.

  61. sirdarckcat Says:

    Kill the wannbes:
    The hack wasn’t just about javascript..

    Mephisto:
    I didn’t know rsnake had a company, I thought this could be a simple joke.. this has been explained a hundred times..

    The complete description of the attack is here:

    http://sirdarckcat.blogspot.com/2007/11/inside-history-of-hacking-rsnake-for.html

    Greetz!!

  62. Silva D Says:

    Fuck em! They tried but they proved they’re just script k1dd13z after all

  63. RSnake Says:

    sirdarckcat, on your blog post you said “The only thing the exploit required was that rsnake had ha.ckers.org white-listed on NoScript, but it didn’t succeed for that only reason.” That is an incorrect statement. There were actually several reasons it failed, but I am now compelled to keep the information on why it failed a secret for reasons that should be obvious.

  64. sirdarckcat Says:

    Ok, correction

    “The only thing the exploit required was that rsnake had ha.ckers.org white-listed on NoScript, but it didn’t succeed for that and some other secret reasons.”

    :P Greetz!!

  65. Drazen Drazic Says:

    I think a lesson has been learnt by the guys and that is key. They’ve acknowledged their wrongs so let’s support them. I don’t think they understood the implications of what they did. So this should be a lesson to everyone else coming up through the ranks so to speak. …..ie; you won’t impress the old heads with BS like this.

    We have so many young guys coming up in the industry and we need to support them but we need to ensure they know that the glory days are over and hacking for fun now means bad jail time.

    You silly idiots, we saw dudes this week cop 20 years and while you were playing around, if the boss (of this blog) here so chose, you could be in trouble…….ie; big trouble!

    DD

  66. Stefan Esser Says:

    Good Morning,

    I was just pointed to this thread and have to comment on the lies of Ronald van den Heetkamp.

    @Ronald:
    First of all you closed the comments on your site simply because some people (including me) demonstrated that your URL field is vulnerable to several URLs like javascript:alert(1);
    So you had XSS vulnerabilities in your OWN CODE.
    It doesn’t matter that maybe you had a blacklist in place to catch other more serious attacks. You FAILED to have proper output sanitisation in place. And it doesn’t matter that your site has nothing of value on it. It was code YOU wrote and YOU failed to secure it.

    Secondly, you never ever showed a vulnerability in my code. When I showed that the GNUCITIZEN CSRF tool is vulnerable to XSS the whole GNUCITIZEN family came after my sites and came up with 2 XSS vulnerabilities. 1 in a template of Papaya and 1 in the PHP forum software I use. Both applications were not written by myself and have multiple thousands of lines of code. Maybe in your limited mind this makes me a dumbass but in the real world people know that one has to rely on 3rd party code and that means that sometimes you will be fucked by other people’s mistakes. On a real site it is not possible to audit every line of code.

    @kuza55:
    There is a huge difference between informing people how some so called security experts put vulnerabilities in TEN lines of code and your attempt to hack rsnake’s site.

  67. Reinis Says:

    I don’t like this, because RSnake wasn’t open enough about it — for instance, he didn’t post the entire payload, but only a short snippet that the authors claim was meant as humorous, and he definitely framed the attempted hack in a non-charitable way, as the other side’s response proves. I’m also surprised by him relying on security through obscurity (”for reasons that should be obvious”), because that’s not what I’d expect from a security expert. I think he should explain why the hack failed, so other people could learn and benefit from that.

  68. RSnake Says:

    @Reinis - I’m not sure what you mean - I gave out the link, there’s no reason anyone interested couldn’t go and download it and investigate to their heart’s content (as a number of people did). I, in no way, attempted to hide what was said, but I absolutely wasn’t going to post their diatribe on my site. I can’t see how you’d be upset about me not posting something that was meant to be humorous before I knew that fact (especially given the ultra subversive nature of that attempted hack).

    Also, I didn’t rely on security through obscurity. It was actually totally bullet proof (just too close for comfort). You are making bad assumptions, as was sirdarckcat. But given the fact that people seem to be more interested in hacking this site, I don’t feel like it provides me any value to explain in gory detail why something failed. The last time I gave out any information about my security (the fact I used noscript) it was used against me. If that means you don’t trust me, because I’m not giving you my passwords so you can come in and rummage around my site looking at every function for vulnerabilities, so be it.

    But just for the record, I don’t tell the community about 50% of what I know. Why? Because some of it is either too dangerous to talk about, it’s hard to formulate in a way that most people would find valuable (IE: lots of people would spend more time debating its merits because they wouldn’t get it - see the XSS on gmodules for a glimpse into that kind of post that I ended up regretting talking about) or I’m under various NDAs not to. Does that mean that this site is suddenly not worthwhile, just because I don’t express every thought in my head and talk about every security measure I’ve ever employed in every company and engagement I’ve ever been involved with for the last 12-13 years? Of course not, and you’d be silly to think otherwise.

    We’re security experts, the name of the game is secrets.

  69. Ronald van den Heetkamp Says:

    lol
    @stefan

    Yah, URIs are vulnerabilities, you are right.

    It also was allowed to enter the “data:” scheme cause it would not matter. It is expected behaviour. Well: alert(1) should entitle you to a Nobel prize I figured. I wasn’t vulnerable, I did allow the URL to be populated with anything on a 30 char limit. You really thought I didn’t know that? :) while forgetting that I found the same issues on E-bay loooong before, but that is a far different place to be “vulnerable”.

    Still you fixed your vulns didn’t you Stefan? I just pulled the plug on comments because 3 Germans were messing up my comments and spamming the database with crap that either doesn’t work, or is useless on my site.

    BTW I never called myself a security expert, don’t know where people got this impression, I’m only here for the fun of it. In the end everyone who has tried failed on the code I created. You were running a forum with signups and had the simplest of simplest XSS holes: echoing back PHP_SELF unsanitized.

    Which obviously led me to the conclusion that Suhosin does not facilitate protecting this, or you aren’t running it yourself. Who’s the PHP security expert here? not me, that’s obvious.

    So that’s about it for all the lies. ;)

  70. minority_hat Says:

    That is just plain lame, the message that was included with the payload speaks volumes about them. IF they had wanted to be proactive and still flex their *skill* they could have easily set up a payload to just upload a file with their name on it.. then TELL the owner of the board/site/server or whatever about the file and how they did it. Throwing insults and names is just a reflection of the perpetrators’ egos. They are probably some senior in high school who was picked on or someone in their middle ages unhappy with their life/job so they try and pick other people apart to make themselves feel better.
    Bravo, gentlemen, bravo…

  71. Jon A. Longoria Says:

    @RSnake

    These things unfortunately happen. People get impetuous with the free resources offered to them. Sometimes the opportunity is too great and their temptation consumes them, throwing out the window the basic elements of courtesy, trust and reasoning.

    We had the same thing take place in the 3rd iteration of the HNC Network interface in the early part of this decade, wherein individuals maliciously used a suite of online tools we had built for personal security scanning for more nefarious purposes, of which we got served several notices over threatening action.

    People don’t realize that sites like these aren’t run by multi-national corporate enterprises who have the resources to look the other way and therefore we have more to lose because of it. There is a code of ethics that has been lost on this generation, I find it appalling.

    @sirdarkcat & kuma55

    Wow, you fellows are mighty lucky RSnake is as understanding of an individual as he is. Regardless if it was a stunt for a quick laugh, he is well within the confines of the law to exercise his rights in prosecuting this; however, he has a heart and sense of humour that provides great balance to his character.

    So the trust relationship took a hit because of this, but not just with him alone. You’ve got a task in restoring your credibility and relationship with the rest of this community. Best of luck.

  72. sirdarckcat Says:

    @Jon A. Longoria

    1.- You should read the whole post in here before giving your opinion.
    2.- We have friends on the community, ;) and afaik none of them is afraid of me.
    3.- I think that even if in the case the exploit succeeded, and rsnake made a lawsuit against us, since the exploit didn’t reveal secret information, and we didn’t gather anything, we wouldn’t get 20 years..
    4.- Oh, and his name is “kuza55”, not kuma, and mine is “sirdarckcat”, not sirdarkcat ;)

    oh, and I agree with rsnake’s secret policy since we DID use the information about him using SafeHistory and NoScript to improve the attack.. so, I wouldn’t tell anyone even which browser I use (bah, ok, I use IExplorer 6.0 xD (just as google wireless transcoder)).

  73. Jon A. Longoria Says:

    @sirdarckcat

    Mmm, my apologies, although misspelling a couple of names I am vaguely familiar with - what do you expect for a comment I wrote in the midst of a busy work day.

    It’d seem to be more beneficial for you to concentrate on the subject matter mentioned, since I believe it was fairly obvious I did review the commentary. However, this wasn’t directed at any other participants other than the three parties addressed. Any previous statements or opinions annotated above by outside parties are irrelevant to my direct communications at you, the recipients.

    Point being, and I’ll reiterate, you’re lucky… there was no malice intended in mentioning that of course with messages online, words lose the tone.

    In retrospect, I would think that your ordered list above is best used in establishing a personal plan on how not to potentially burn some bridges rather than presenting say a faulty lecture point regarding the inherent consequences of wire/communications fraud.

    Cheers.

  74. Jon A. Longoria Says:

    @Drazen Drazic

    Well said, I couldn’t agree more. Reiterating earlier comments I made, I think there is a standard of ethics that has been misplaced in these new generations of thinkers, enthusiasts and researchers.

    However, I don’t think that is necessarily their fault in all entirety - I believe those of us that have been around the block a few times have done a poor job of passing on those values, experiences or principles.

    We’ve failed to sustain a positive, productive mentoring relationship and to effectively convey the methodology in which situations like this should be addressed - so why should we expect anything less than a volatile community / industry?

  75. Edwin Morgan Says:

    RSnake,

    Sounds like you know a lot about web security, Javascript, xml etc..

    Please forgive me for this embarrassing newbie question.

    I am a simple blog owner who has to cut and paste code provided by others with more XHTML experience. My Blog has been bogged down by a new Javascript code for a “comments under post hack”. Everything must wait for the ………….. ……………. java to load from, I am assuming, an external server? Somewhere out in cyberspace?

    Is there a way to host the JAVA internally? Or host it on my website or some local server. I have contacted the script author and asked his permission, but I am not sure that what I am asking is even possible.

    I love the new comments under my post hack, but can’t bear to make people wait 10 seconds or more for people to see the page while it loads.

    This is not your typical post by your typical readers…..but I really need some help with this. E-mail me and I’ll send you to my Blog to enjoy an eternity while javascript loads.

    Thanks,

    Ed

  76. Star Says:

    I think that was really rude. I just found your site today and I’ve been reading up on things for a few hours now…I really have NO idea what any of it means, I’m not into any kind of programming or anything, but the stuff you’ve been writing about is really interesting. It makes me want to learn what all this stuff is about and if it wasn’t a joke, I think it was really rude of them to try that on you when you have such a great site here that’s so helpful to everyone…and if it WAS a joke, it wasn’t very funny. I’m glad it didn’t work :)