Don't enter!

Discuss the many weaknesses of browser security and ways to mitigate the threat

Don't enter!

Post by sanddbox on Wed Dec 16, 2009 10:59 pm

Dammit, you entered. Just testing something.

Image

Yep, time for a bug report.

EDIT: Image replaced with something less malicious (if you can call it that) because I hate having to log in after visiting this thread.
Last edited by sanddbox on Wed Dec 16, 2009 11:41 pm, edited 2 times in total.

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat
sanddbox
Expert
Posts: 2331
Joined: Sat Jul 04, 2009 5:20 pm


Re: Don't enter!

Post by faazshift on Wed Dec 16, 2009 11:35 pm

Haha, awesome, it works! Probably the only way to disable this is for them to explicitly ban that URL with image inclusion. Even at that, I'm sure there would still be a way to get around it. But some pretty annoying stuff could be done with this, like logging out of the forums on viewing or something, and some other much more annoying things I can think of. But, basically, it doesn't seem to me like much can be done.
faazshift
Contributor
Posts: 516
Joined: Wed Jun 03, 2009 3:55 pm
Location: Riverton, Utah


Re: Don't enter!

Post by sanddbox on Wed Dec 16, 2009 11:38 pm

To be honest, I hit 'preview' and knew it worked right then, but posted it anyway because I'm an egotistical bastard.

They just need to have the logout based on the session id like the forum.


Re: Don't enter!

Post by myhexhax on Mon Dec 21, 2009 2:42 am

I wish I would've seen this before you took it down hehe.. I know what it did though. yay for CSRF.
gniripsni ewa si rehte eht morf cisum siht
myhexhax
Poster
Posts: 217
Joined: Tue Sep 16, 2008 2:19 pm
Location: Between the ether and the information superhighway


Re: Don't enter!

Post by sanddbox on Mon Dec 21, 2009 3:02 am

myhexhax wrote:I wish I would've seen this before you took it down hehe.. I know what it did though. yay for CSRF.

Wish granted.

Merry Christmas!

Images are awesome.


Re: Don't enter!

Post by faazshift on Mon Dec 21, 2009 9:59 am

I know, it's awesome. I even thought of another creative use for this on Saturday. I can just include a 1x1 transparent png (Image) in any post or signature, and I can log all the infoz in the request header, etc (date/time, IP, user agent, referer) to a special, secret file. Wonderful, wonderful stuffs! Firefox seems to be the most common browser, and Windows the most common OS. Mwahahahaha.....


Re: Don't enter!

Post by sanddbox on Tue Dec 22, 2009 2:29 am

faazshift wrote:I know, it's awesome. I even thought of another creative use for this on Saturday. I can just include a 1x1 transparent png (Image) in any post or signature, and I can log all the infoz in the request header, etc (date/time, IP, user agent, referer) to a special, secret file. Wonderful, wonderful stuffs! Firefox seems to be the most common browser, and Windows the most common OS. Mwahahahaha.....

yep. it's very evil :D


Re: Don't enter!

Post by tgoe on Tue Dec 22, 2009 8:22 pm

faazshift wrote:I know, it's awesome. I even thought of another creative use for this on Saturday. I can just include a 1x1 transparent png (Image) in any post or signature, and I can log all the infoz in the request header, etc (date/time, IP, user agent, referer) to a special, secret file. Wonderful, wonderful stuffs! Firefox seems to be the most common browser, and Windows the most common OS. Mwahahahaha.....

This is actually how I collected most of the data for the map in
http://www.hackthissite.org/forums/viewtopic.php?f=33&t=2639

Which was inspired by
http://www.hackthissite.org/forums/viewtopic.php?f=9&t=1662&start=0

I didn't think of trying to force a logout the other way... d'oh
Good job :mrgreen:
tgoe
Contributor
Posts: 633
Joined: Sun Sep 28, 2008 2:33 pm
Location: q3dm7


Re: Don't enter!

Post by faazshift on Tue Dec 22, 2009 9:00 pm

tgoe wrote:This is actually how I collected most of the data for the map in
http://www.hackthissite.org/forums/viewtopic.php?f=33&t=2639

Which was inspired by
http://www.hackthissite.org/forums/viewtopic.php?f=9&t=1662&start=0

I didn't think of trying to force a logout the other way... d'oh
Good job :mrgreen:

Nice. My log is already up at nearing 250 unique IPs (almost 700 lines in total). I seem to be about the only Gentoo Linux user (so far).


Re: Don't enter!

Post by sanddbox on Tue Dec 22, 2009 9:04 pm

faazshift wrote:
tgoe wrote:This is actually how I collected most of the data for the map in
http://www.hackthissite.org/forums/viewtopic.php?f=33&t=2639

Which was inspired by
http://www.hackthissite.org/forums/viewtopic.php?f=9&t=1662&start=0

I didn't think of trying to force a logout the other way... d'oh
Good job :mrgreen:

Nice. My log is already up at nearing 250 unique IPs (almost 700 lines in total). I seem to be about the only Gentoo Linux user (so far).

Careful, your you-know-what is showing...

And here too...

I'm not exactly comfortable with my session id being publicly displayed...
ADBLOCK PLUS TIME!

