Blogs

Cross Site Scripting with ChEF

Introduction

In this article I am going to explain how you can use a Cross-Site Scripting (XSS) vulnerability and how to exploit it in order to cause massive damage. Nah - I am just kidding! This article will be a short introduction to JavaScript and how an XSS vulnerability could appear.

XSS is short for Cross-Site Scripting, but you might ask why the short term is not CSS instead. That's because CSS is already used for Cascading Style Sheets, a pre-existing language for defining styles for web pages, so using XSS will prevent confusion.

XSS is one of the most popular vulnerabilities today so it is important to learn how to prevent it. To illustrate, I found an interesting article that describes what kind of damage XSS could do to users and to a web site. In the following link, you can see some examples of what an attacker could do with an XSS vulnerability: http://codeprofilers.com/tl_files/codeprofiler/pdf/cross_site_scripting_impact.pdf.

The following is a brief list of the potential damage that can be caused by XSS attacks:

stealing and continuing the session of the (authenticated) victim

manipulating files on the victim's computer or the network she has access to

recording all keystrokes the victim makes in a Web application and sending them to the hacker

stealing files from the attacked user's computer or the network she has access to

probing a company's intranet (where the victim is located) for further vulnerabilities

launching other attacks against systems the victim can reach with her browser (on the Intranet)

performing brute force password cracking through the attacked user's compromised browser

Amp Blasts: Newegg

Like always, these are my views and opinions and are protected by the SX usage policy.

I may take some nuclear shit for going after Newegg as most of us have used it to buy hardware at some point. For that matter, I will mention that I used this site to purchase my motherboard, processor, and ram as the deals were very good and the vendor warranties made these purchases can't miss. However, some recent issues that have come to light are those that I feel need to be mentioned. With that in mind, let's talk about a few of these.

First off, the Egg Saver shipping is not good at all. The best example of this is that I am STILL waiting on Heart of the Swarm to arrive, which I pre-ordered and it shipped from less than TWO STATES AWAY. This item shipped out a week ago and this has become outright abysmal to where I will have to contend with their support over this should it not appear in the next couple of days. Seriously, if the shipping is egg saver, you're fucked.

Then there is the bigger issue at hand with regards to some of their deals as recently, Newegg is starting to push the horrific scam known as Mail In Rebates. I remember Circuit City doing this for quite a while, and they kept getting in trouble for it until they finally stopped it. There are countless sites that talk about how awful these are and I don't really want to go into detail. Suffice it to say, I refuse to hand over any money outside of advertised price, as such I consider a price mentioned with mail in rebate to be nothing but a load of bullshit.

The biggest issue at hand is how they wish to try to hit people with RMA costs even when it shouldn't happen. This practice is nothing short of dirty and only hurts the customer. If a piece of hardware is unsatisfactory or does not work as advertised, this charge should NEVER happen. This is the biggest reason why I've gone for products that had warranties OUTSIDE of Newegg.

The day I finally listen to God

To and From Rocket

http://www.sandersweb.net/bible/verse.php

Psalm 30:11-12

11 You have turned for me my mourning into dancing;
you have loosed my sackcloth
and clothed me with gladness,
12 that my glory may sing your praise and not be silent.
O Lord my God, I will give thanks to you forever!

2013 Tuesday March 12th around 5:30 - 5:50 am
Yesterday I was crying in my chair. Today I was dancing in my chair for
understanding my errors in trading cannabis and means to defend myself,
conduct myself in a court room and so much more.

I wear a Soldierx shirt which represents freedom of knowledge. I am a
soldier online fighting a war for freedom of information. I have no victim
and my intent is true and honorable.

loosed past participle, past tense of loose (Verb)
Verb
Set free; release: "the hounds have been loosed".
Untie; unfasten: "the ropes were loosed".

sack·cloth (skklôth, -klth)
n.
1. Sacking.
2. A rough cloth of camel's hair, goat hair, > hemp <, cotton, or flax

To and From Rocket

Mini-Review: Tunnelr VPN service

Recently, I did a blasts post about the six strikes policy. While it was changed to only go after public torrent sites, it does feel like more and more the monitoring and filtering is reaching a point where it is unacceptable. As a result, I decided to test out the Tunnelr VPN service at RaT's recommendation. Now for my usage I opted to go for the OpenVPN solution, but there are also SSH and PPTP tunnel services available through them. Overall, it is about what I expected in terms of the good and bad when using a tunnel service.

The good aspect is that on a wired connection, you get a consistently good connection so speeds should be close to your maximum. However, I can confirm that on Windows OpenVPN is MUCH slower on wireless so do take that into consideration. Another issue at hand is that as there are many people using these servers, there may be issues with users who may be using tunnel services for nefarious methods and Google will block searching from whatever it considers to be nefarious or use a CAPTCHA to confirm that you are a real user. Aside from this, I have had a pretty good experience with this service and would recommend it to people who want a good tunnel that focuses on anonymity but without having to spend a considerable amount of money.

Nvidia's TITANIC: Set up to sink!

Recently, Nvidia launched the TITAN videocard which is intended to be the end all, be all single GPU videocard which could have really helped give them an advantage over AMD. With rumors of the Radeon HD 8000 series being pushed back towards the end of the year, there are no new products in sight from that series. However, it was the handling of TITAN that doomed the videocard.

The basic reality is this, I mentioned in a blasts post that videocards going over $400 was madness. In the case of this videocard, it is $1000 which I find to be just outright stupid given the fact that performance for it is not as good as the Geforce GTX 690 videocard, a dual GPU card that is the same price. I know that the compute speed of this videocard is considered to be a noted improvement over the 600 series, but what's the point? If Nvidia is going to price their products so that they are almost guaranteed to fail then they shouldn't be surprised when they do.

Amp Blasts: Membrane Keyboards

I don't know what the hell is the deal, but in many cases it feels like the quality of computer peripherals has gone backwards in recent years. While USB is great for mobile storage, it is a definite step backwards for game controllers due to the poll based nature having a delay whereas the interrupt based nature of Parallel ports and PS/2 ports did not have this. There is also the fact that sound in PCs went backwards due to the removal of hardware accelerated sound in Windows Vista and 7. (Oddly enough, Windows 8 actually brought this feature back so as much as I hate to say it, Microsoft did SOMETHING right with that release.) The biggest issue though is how in the past 20+ years we have actually gone backwards with regard to keyboard quality.

Now, most people won't think of this and most people under 25 don't know this, but most keyboards from the 80s were mechanical by design. Mechanical keyboards used physical switches to determine if the key has been pressed. As a result of these switches, we would have a strong, tactile response given from them. However, mechanical keyboards are rather expensive, with the starting price for a good entry level solution being in the $90 range.

The overwhelming majority of keyboards that are used these days are membrane based keyboards. These types of keys require the key to be pressed completely down and are rather mushy by comparison. What makes this worse is that for people who have higher amounts of finger strength (Hi RaT!) they will die within 2-3 years. Furthermore, while they are rated for 5 million keystrokes on a key, they usually fall strongly short of that number, whereas mechanical keys are rated for 50 million keystrokes and the switches can be replaced on an individual basis with relative ease.

Amp Blasts: The Six Strikes Policy

Well, after years of misunderstanding how to utilize the internet so that rather than worry about piracy, they could make more money by using it as a tool to better serve potential customers, it seems that some companies finally got their way. The whining, moaning, bitching, and complaining done by the MPAA, RIAA, and numerous other entertainment companies now has us facing an imminent threat to our own security and privacy. There are many murmurs that at some point this month, the six strikes policy will go into effect with five of the largest ISPs. The truth of the matter though is that we need to show them that we won't tolerate this.

The basic fact of the matter is that the six strikes policy is broken as all hell. The truth is that some people will be deterred from using torrents to keep from being flagged. However, the MarkMonitor system used did falsely flag HBO's website for copyright infringement even though the content posted on the site was for its own shows. In light of this, I think that there will be some major instances of false flagging unless major improvements are made to the software.

What is of greater concern is the increasing loss of privacy. At what point did we agree to give ISPs the right to snoop on what we are using the internet for? Personally, I don't ever remember doing so and if they want to be little nibshits maybe I should start downloading goatse on an hourly basis so that if they do snoop they'll get the shock of their life! However, we need to make a statement to them that says we don't like being snooped on.

Breaching Hartnell's security

Well I thought it would be a pain in the ass to successfully my teacher's computer, got a slap on the wrist.
Now that I obtained the server's IP address
:172.19.20.254(here you go)
I wonder what it is their servers have nestled up in there.
Well,
Hails from where I'm from
-Crhs

I really need help guys.

I want to register on this dating website but any time I enter they figure out my IP address and don't allow me access. Can someone please help me out? I have tried using different IP addresses but still can't go through.

XSS & SQLI Vulnerability Detected

#XSS #SQLI Vulnerabilities Detected By SkarY

