Extbasic 7


Re: Extbasic 7

Post by AADude on Tue Jun 24, 2008 12:31 am

I have the code, I submitted it and it still doesn't work -.-.

I cleaned up the action and fixed the method, but it still won't work...
AADude
New User
Posts: 1
Joined: Mon Jun 23, 2008 8:35 pm


Re: Extbasic 7

Post by TWilli1777 on Fri Jun 27, 2008 12:26 am

Instead of everyone complaining about how they know what the answer is, but HTS is just too retarded to accept such advanced code... try to realize that obviously, something DOES work, as other people are getting it. I see so many people talking about all the things they are trying in order to fix the vuln... but the answer is NOT that complicated. Complex is NOT always better. Step back, look at what the mission is asking for, and think of the most simple way to get the right amount of sanitation. (Note: just because you have a favorite method does not mean it is the best method for every situation...) And, as for the bug... that should be easy enough to fix. If it isn't, review the basic missions.
TWilli1777
New User
Posts: 5
Joined: Fri May 23, 2008 3:43 am


Re: Extbasic 7

Post by Kontagious on Sun Oct 19, 2008 7:30 am

I-MrKnox-I wrote: Okay... I got it!
God, this was lame, but anyways...

I hope it is not too much of a spoiler - if so, feel free to edit!

Possible spoiler:

There are many ways to sanitize PHP_SELF (assuming you all know this is the vuln) as you might know by now. However, most of the ways will sanitize a lot of "innocent" chars too. We do not want this to happen. Luckily there is an alternative which is very alike, but only sanitizes the most "dangerous" chars like '<', '>' and quotes. This is what we are looking for.


This challenge is definitely a tricky one...this is really the first time I've had to post for help. Though in a somewhat different way...

I totally agree with what the above quotation says, and I also want to quote a site posted in one of the other extbasic 7 threads, http://seancoates.com/xss-woes , because it helped me out immensely. I believe I have the correct idea on how to fix the problem, but implementing my fixes is my problem. I currently have selected one (uno [1]) function that (theoretically) will remove only the most dangerous characters from a selected string, variable, etc. (from [possible spoiler?] http://www.w3schools.com/PHP/php_ref_string.asp). The other bug is, if I'm thinking correctly, an easy one to fix ([possible spoiler?] I just followed the trends in the way data is sent/received in the script). Now when I combine them into a single line to correct the script, I am not rewarded with the ability to move on to the next lvl. I am assuming that the answer must be fairly specific, and I'm asking exactly how specific? Must I watch where I put spaces? Should I only input part of the line of code? Need I worry about my function's parameters? (I have, by the way, tried variations of my solution with and without appropriate parameters and so far it hasn't worked)

If there's anything I'm missing...any light that can be shed on this...it would be greatly appreciated. If need be, pm's work just fine.

*note: I have also employed the use of a semi-colon when trying different variations of my solution, but to no avail.

thank you for your time and patience :)
Kontagious
New User
Posts: 3
Joined: Sun Oct 19, 2008 7:05 am

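The vulnerability the thread is circling (PHP_SELF echoed straight into a form's action attribute) and the narrow escaping function I-MrKnox-I describes are easier to see side by side. The example below is added here; it is not code from the thread, not the HTS mission's script, and not the mission's accepted answer string. The function it uses is PHP's standard htmlspecialchars(), which is my choice for "only the most dangerous chars"; the form markup, the method attribute and the sample path are constructed for illustration.

```php
<?php
// Added example (not from the thread, not the mission's own script):
// PHP_SELF reflected into a form action, vulnerable form beside the
// escaped form.

declare(strict_types=1);

// Vulnerable: $_SERVER['PHP_SELF'] reflects the request path verbatim,
// so anything a client appends after the script name lands unescaped
// inside the attribute. The quote character alone is enough to break
// out of the attribute, which is why this is an XSS sink.
function form_tag_vulnerable(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened: htmlspecialchars() converts only the HTML-significant
// characters (&, <, >, " and, with ENT_QUOTES, ') into entities and
// leaves ordinary path characters such as "/", "." and "-" untouched.
// That is the difference from htmlentities(), which rewrites every
// character that has a named entity and mangles "innocent" input.
function form_tag_safe(string $phpSelf): string
{
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Constructed sample path (not real mission data) that contains exactly
// the characters the thread names: a double quote, an apostrophe and
// both angle brackets, appended after the script name.
$sample = "/extbasic/7/index.php/\"'<>";

// In the vulnerable output the double quote terminates the attribute
// early and the brackets are emitted raw; in the safe output every one
// of those four characters is an entity and the path is otherwise intact.
echo form_tag_vulnerable($sample), PHP_EOL;
echo form_tag_safe($sample), PHP_EOL;
```

Run it with `php example.php` and compare the two lines. The design point is that escaping happens at the output site (inside the attribute) with the encoding that matches that context, rather than trying to strip characters from the request path globally, which is where the over-eager "sanitize everything" approaches the thread complains about go wrong.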

Re: Extbasic 7

Post by BAzly on Wed Nov 05, 2008 4:20 am

I believe that I have well and truly learned the lesson being taught here... I am 90% sure that the function I am trying to use to sanitize the vulnerability is correct... but it looks like the answer has to be "exact". I've tried including 1-3 arguments in the function, I've tried adding a semi-colon to the end... I've done upper and lower case... something is just not jiving here.

Can someone simply PM me what the "exact" string is? I can send you what I have made myself and you can tell me how close it is.
BAzly
New User
Posts: 2
Joined: Wed Nov 05, 2008 4:18 am


Re: Extbasic 7

Post by Kontagious on Mon Jun 01, 2009 10:31 am

BAzly wrote: I believe that I have well and truly learned the lesson being taught here... I am 90% sure that the function I am trying to use to sanitize the vulnerability is correct... but it looks like the answer has to be "exact".


I think that a larger lesson may also be that the complexity of one's target could be, for all practical purposes, infinite. There could be many different exact solutions...but to find the right one may take some digging. Passively I think I spent a good 16 hours total research time finding the solution to this problem. No, it's not broken...yes, it's a pain...but the sense of accomplishment (a.k.a. reward) for getting it right is nice :) keep pluggin' away, and look through some of the other posters' work...it'll definitely help out a bit.
Kontagious
New User
Posts: 3
Joined: Sun Oct 19, 2008 7:05 am


Re: Extbasic 7

Post by McAfreak on Fri May 06, 2011 11:26 am

I think another reason that only one of the dozens of solutions works is that they're training you for real life. Yes, if there are dozens of solutions, chances are most of them work. I'm not saying this is a literal example, because it isn't. I'm saying that it's a theoretical example. It's very rare that you will do the right thing when trying to break or solve something on the very first try. As a software tester, I know just how many ways there are to approach things, many of which I wouldn't have thought of, but revealed bugs or vulnerabilities nonetheless, while other solutions did not reveal the same things.

Simply put, if you can't be patient with this, you're not gonna be patient with real life, and therefore will fail.

Though I must admit this mission is becoming a pain, but I am doing plenty of research.

Kontagious wrote: I totally agree with what the above quotation says, and I also want to quote a site posted in one of the other extbasic 7 threads, http://seancoates.com/xss-woes , because it helped me out immensely. I believe I have the correct idea on how to fix the problem, but implementing my fixes is my problem. I currently have selected one (uno [1]) function that (theoretically) will remove only the most dangerous characters from a selected string, variable, etc. (from [possible spoiler?] http://www.w3schools.com/PHP/php_ref_string.asp).


These sites are a good place to start.
Murphy's Law: There is always one more bug.
McAfreak
New User
Posts: 6
Joined: Sun Feb 06, 2011 2:49 pm
Location: Aperture Science

