December 16th, 2007

I was looking over some of Mozilla’s XMLHttpRequest code and noticed this snippet at nsXMLHttpRequest.cpp:915:

// Disallow HTTP/1.1 TRACE method (see bug 302489)
// and MS IIS equivalent TRACK (see bug 381264)
if (method.LowerCaseEqualsASCII("trace") ||
    method.LowerCaseEqualsASCII("track")) {
  return NS_ERROR_INVALID_ARG;
}

Which led me to do:

var xhr = new XMLHttpRequest();
xhr.open('%trace', '/', false);
xhr.send('');
alert(xhr.responseText);

When I was testing, I was using Paros proxy, and strangely enough the request worked. It turns out Paros drops the % and sends it along. Does anyone know of any other proxies that behave similarly?

You can test it out here: method_bypass.html

Update: Depending on the logging level, Squid (and possibly others) will display all header information on some errors. The above request will be treated as an invalid request and as such will echo back everything.
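The contrast between the denylist in the Mozilla snippet and an allowlist, as an added example (this is not Mozilla's code, and the "lenient proxy" model below is a constructed assumption standing in for the behaviour the post attributes to Paros, not Paros's implementation). It also shows why a pure syntax check does not help: '%' is a legal character in an HTTP method token, so '%trace' is a well-formed, merely unknown method.

```javascript
// Added example (not Mozilla's code; the lenient proxy below is a constructed
// model, not Paros's implementation).

// 1. Denylist in the spirit of the nsXMLHttpRequest.cpp check quoted above:
//    a case-insensitive match against exactly "trace" and "track".
function denylistRejects(method) {
  const m = method.toLowerCase();
  return m === 'trace' || m === 'track';
}

// 2. Allowlist: accept only the methods the application actually uses.
//    Anything else, including unknown tokens such as "%trace", is rejected
//    without having to anticipate each variant.
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS']);
function allowlistAccepts(method) {
  return ALLOWED_METHODS.has(method.toUpperCase());
}

// 3. HTTP token grammar (RFC 2616 section 2.2). '%' is a legal token
//    character, so "%trace" is a syntactically valid method name; a
//    syntax check alone is therefore no substitute for an allowlist.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
function isHttpToken(method) {
  return TOKEN_RE.test(method);
}

// 4. Constructed model of a lenient proxy that discards non-letters from the
//    method before forwarding (the post reports Paros dropping the '%').
function lenientProxyNormalize(method) {
  return method.replace(/[^A-Za-z]/g, '');
}

// Walk a method through the client-side check and then the proxy model, and
// report whether the client stopped it and what the origin server would see.
function traceRequest(method, useAllowlist) {
  const clientBlocked = useAllowlist
    ? !allowlistAccepts(method)
    : denylistRejects(method);
  return {
    clientBlocked,
    forwarded: clientBlocked ? null : lenientProxyNormalize(method).toUpperCase(),
  };
}

// Stand-alone run: compare the two checks on the methods discussed in the post.
for (const method of ['GET', 'TRACE', '%trace']) {
  console.log(method, 'denylist ->', traceRequest(method, false),
              'allowlist ->', traceRequest(method, true));
}
```

With the denylist, '%trace' is not stopped by the client and arrives at the origin as TRACE once the modelled proxy has normalised it; with the allowlist it never leaves the client. The same allowlist check belongs on the server and on any intermediary, since a client-side check only protects clients that implement it.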

December 13th, 2007

I had some free time today, and after about 10 minutes of poking around AOL’s web services, I came to the conclusion that their developers have no concept of security. Every AOL domain I looked at had multiple XSS holes on basically every page. They ranged from random subdomains like:

http://autos.aol.com/
http://finance.aol.com/

To more serious domains like:

http://webmail.aol.com/ (need to be logged in)
https://account.login.aol.com/

To the really bad:

https://my.screenname.aol.com/

Access to all of AOL’s web services requires only 2 cookies, SNS_AA from aol.com, and SNS_SKWAT from screenname.aol.com. The only positive thing I ran into is the fact they require you to answer a security question to access account management functions.

Oh! I almost forgot: they also made a feeble attempt at blocking a select number of JavaScript functions and attributes. For example, this is blocked:

alert(document.cookie)

But this isn’t:

x=document;alert(x.cookie);
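Why a filter of this kind cannot work, and what replaces it, as an added example (this is not AOL's code; the two strings are the ones from the post, while the surrounding script element and the page template are constructed here). A denylist that matches literal expressions stops only the exact spelling it knows, whereas output encoding at the point where untrusted text enters the HTML makes the content of the string irrelevant.

```javascript
// Added example (not AOL's code). The two JavaScript strings are taken from the
// post; the script element around them and the template are constructed.

// Denylist filter of the kind the post describes: reject a handful of literal
// JavaScript expressions and pass everything else through untouched.
const DENYLIST = ['alert(document.cookie)', 'document.cookie'];
function denylistFilter(input) {
  const lower = input.toLowerCase();
  return DENYLIST.some((bad) => lower.includes(bad)) ? '' : input;
}

// Output encoding for the HTML text and attribute contexts: every character
// that can change the markup is replaced by a character reference, so the
// content of the string no longer matters.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render an untrusted value into a page fragment, either through the denylist
// or through output encoding.
function renderGreeting(untrusted, encode) {
  const value = encode ? escapeHtml(untrusted) : denylistFilter(untrusted);
  return `<p>Hello, ${value}</p>`;
}

// Does the rendered fragment still contain a raw script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs: the blocked and the unblocked expression from the
// post, each wrapped in a script element.
const SAMPLES = [
  '<script>alert(document.cookie)</script>',
  '<script>x=document;alert(x.cookie)</script>',
];
for (const sample of SAMPLES) {
  console.log('denylist:', renderGreeting(sample, false));
  console.log('encoded :', renderGreeting(sample, true));
}
```

The denylist empties the first sample and passes the second through as live markup; the encoded version renders both as inert text. The encoder here covers the HTML text and quoted-attribute contexts only; a value placed inside a script block, a URL, or a CSS property needs the encoding rules of that context instead.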

December 7th, 2007

Maltego (formerly Evolution) is a great tool for examining relationships between entities (People, Domains, IP addresses, Files, etc). I first heard of Evolution during H.D. Moore’s and Valsmith’s ‘Tactical Exploitation’ talk (Paper, DefCon Video) at Blackhat 2007.

Maltego is available as a standalone Java application or a web-based application. If anyone is interested, I archived a copy of the Evolution Beta 2 GUI.

December 6th, 2007

Before I get into this post, I should give you a little background on what I do day-to-day. In a typical week I do a large range of work; mainly it revolves around reverse engineering, exploit development, vulnerability analysis, penetration testing, etc. The nature of my work (and that of many other researchers in my shoes) can create a very diversified workload, each part having different requirements and environments. With that in mind, for me, Python is my language of choice. I have yet to hit a limitation with Python that I haven’t been able to figure out a solution for.

This past weekend I was talking to an acquaintance of mine regarding reverse engineering, exploit and tool development, and similar subjects. It was an interesting talk until I told him that 99% of the time I am using Python for everything, with the other 1% being ASM (shellcode). That statement alone flipped a nice conversation into me getting told that I was wrong, that I must be an idiot because it was not possible to use a language such as Python for what we were talking about. He then followed that up by basically saying Python was ‘stupid’ and a waste of time. There are a few things that piss me off, and 2 of them are people telling me I am an idiot and people bashing Python. After I finished explaining to him how wrong he was, I got the idea to write this post and hopefully enlighten someone to the joy Python can be when reverse engineering.

November 20th, 2007

It’s been a long time coming, but we are finally getting around to upgrading hiredhacker.com. Over the next week or two you will notice some small and not so small changes happening.
