Posts Tagged “webappsec”

w3af is a Web Application Attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

w3af is a great (and getting better) framework that I just decided to start contributing to. I want to get as much attention to these guys as possible as it has a lot of potential to be a very impressive tool.

Hopefully I can set some time aside to actually start throwing some code at them, and if you know Python and have an interest in web application security, lend a hand! It's a great group of guys (and girls?) working on an exciting tool.


If you haven’t played with NotchUp.com yet, you should take a look. It seems like a very promising site. I mean come on, who wouldn’t want to get paid to interview for a job? If you think it’s all small companies for small money, it’s not. Facebook and Google are both very active, making offers between $500 and $2,500! No, they didn’t offer me $2,500, but they have to other people.

Check out these links:
http://notchup.com/?q=inbox/offers/view/36
http://notchup.com/?q=inbox/offers/view/37
http://notchup.com/?q=inbox/messages/select/145
NotchUp requires you to sign up and log in. e-Mail me if you need an invite.

For those who didn’t notice, you shouldn’t be able to read those. The folks over at NotchUp must have missed the security section of whatever book they read. They did, however, make it really easy to write a NotchUp worm. They even created a special field to store and execute your JavaScript in, which they called ‘Profile’.

Sorry Sammy, I would rather have 1 million $500 offers than 1 million friends. ;)


WassUp is a new WordPress plugin to track your visitors in real time. It has a very readable and fancy admin console to keep track of your blog’s user visits. It has a “current visitors online” view and a more detailed “visitors details” view where you can know almost everything your users are doing on your blog; it’s very useful for SEO or statistics maniacs. Now it comes with a new Ajax “Spy” view, like Digg Spy.

The WassUp plugin contains multiple XSS and SQL injection vulnerabilities. While version 1.4.1 fixed some of the issues, a good number are still unpatched. I won’t go into details, because with code like the snippet below (from spy.php) it won’t take you long to find them.

//Retrieve command-line arguments...
if (isset($_GET['to_date'])) $to_date = $_GET['to_date'];
else $to_date = wassup_get_time();
if (isset($_GET['from_date'])) $from_date = $_GET['from_date'];
else $from_date = ($to_date - 3);
if (isset($_GET['rows'])) $rows = $_GET['rows'];
else $rows = 999;
// all three values are passed on exactly as received from the request
spyview($from_date,$to_date,$rows);

spyview() calls $wpdb->get_results() without performing any filtering:

$qryC = $wpdb->get_results("SELECT id, wassup_id, max(timestamp) as max_timestamp, ip, hostname, searchengine, urlrequested, agent, referrer, spider, username, comment_author FROM $table_name WHERE timestamp BETWEEN $from_date AND $to_date GROUP BY id ORDER BY max_timestamp DESC");

Because $from_date and $to_date land in the BETWEEN clause unquoted, it doesn’t matter whether the server uses magic_quotes or whether the plugin is even activated: the SQL injection on spy.php is exploitable regardless.

If that wasn’t bad enough, there is a persistent XSS when displaying tracked visitor data, because the requested URL is stored and shown without filtering. That means just browsing the site with some script tags appended to the end of the URL is enough: when the admin checks his visits, it will execute.

On a positive note, version 1.4.1 does do SOME filtering, mainly of header data and a few parameters, but it’s still very bad and needs more work. But hey, it’s pretty!
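A hardened version of the spy.php handling shown above, as an added example that is not WassUp’s own code. It assumes WordPress’s $wpdb->prepare() and esc_html() (WordPress 2.8+; older releases used wp_specialchars()), the plugin’s own $table_name and wassup_get_time() as used above, and a hypothetical spyview_safe() that applies $rows as a LIMIT.

```php
<?php
// Added example, not the plugin's code. $wpdb, $table_name and
// wassup_get_time() are assumed to exist as in spy.php above.

// 1. Coerce each request parameter to the integer the query needs.
//    magic_quotes never helped here because the values are used
//    unquoted, so the fix is type enforcement, not escaping. Anything
//    that is not a plain digit string falls back to the plugin default.
function wassup_int_param($name, $default) {
    if (isset($_GET[$name]) && ctype_digit((string) $_GET[$name])) {
        return (int) $_GET[$name];
    }
    return (int) $default;
}
$to_date   = wassup_int_param('to_date', wassup_get_time());
$from_date = wassup_int_param('from_date', $to_date - 3);
$rows      = min(wassup_int_param('rows', 999), 999);

// 2. Bind the values through $wpdb->prepare() so the query shape is
//    fixed and the integers are placeholders, not string concatenation.
//    $table_name is the plugin's own trusted table name, never user input.
function spyview_safe($from_date, $to_date, $rows) {
    global $wpdb, $table_name;
    $sql = $wpdb->prepare(
        "SELECT id, wassup_id, MAX(timestamp) AS max_timestamp, ip, hostname,
                searchengine, urlrequested, agent, referrer, spider, username,
                comment_author
         FROM $table_name
         WHERE timestamp BETWEEN %d AND %d
         GROUP BY id ORDER BY max_timestamp DESC LIMIT %d",
        $from_date, $to_date, $rows
    );
    $qryC = $wpdb->get_results($sql);

    // 3. Persistent XSS fix: every tracked column (requested URL,
    //    referrer, user agent, ...) is visitor-supplied, so it is
    //    escaped at output time before it reaches the admin's browser.
    foreach ($qryC as $row) {
        echo '<tr><td>' . esc_html($row->ip) . '</td>'
           . '<td>' . esc_html($row->urlrequested) . '</td>'
           . '<td>' . esc_html($row->referrer) . '</td>'
           . '<td>' . esc_html($row->agent) . '</td></tr>';
    }
}
spyview_safe($from_date, $to_date, $rows);
```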


RSnake has started a ‘Diminutive XSS Worm Replication Contest’ and in doing so has sparked a really interesting thread on sla.ckers.org. Definitely worth the read, and worth keeping an eye on.


I had some free time today and after about 10 minutes of poking around AOL’s web services, I came to the conclusion that their developers have no concept of security. Every AOL domain I looked at had multiple XSS holes on basically every page. They ranged from random subdomains like:

http://autos.aol.com/
http://finance.aol.com/

To more serious domains like:

http://webmail.aol.com/ (need to be logged in)
https://account.login.aol.com/

To the really bad:

https://my.screenname.aol.com/

Access to all of AOL’s web services requires only 2 cookies: SNS_AA from aol.com, and SNS_SKWAT from screenname.aol.com. The only positive thing I ran into is that they require you to answer a security question to access account management functions.

Oh! I almost forgot: they also made a feeble attempt at blocking a select number of JavaScript functions and attributes. For example, this is blocked:

alert(document.cookie)

But this isn’t:

x=document;alert(x.cookie);
