amix shares Plurk XSS hacking challenge: hack Plurk, get a hacker badge and +5 in karma ( reports should be priv

wonders

if his nickname counts or not, but doesn't think it does. amixkent, amix@amixkent #weird things.

Apr 05, 2009 - 02:49PM

will

patiently wait for that fix ^_^

Apr 05, 2009 - 02:51PM

If you've got a standard issue XSS protection toolkit in place, we're probably screwed unless we know of an edge case in that library

Apr 05, 2009 - 02:58PM

amix	kentfredric: we have a XSS lib in place, but i don't think we are XSS free yet...

Apr 05, 2009 - 02:58PM

amix	earlier today we found an issue on www.plurk.com/search

Apr 05, 2009 - 03:12PM

wonders

if python has perl-style "taint" support

Apr 05, 2009 - 03:41PM

says

perls 'taint' is a really bad hack that downgrades performance heavily

Apr 05, 2009 - 03:42PM

says

It doesn't even provide any guarantees

Apr 05, 2009 - 03:42PM

alvin

says

Apr 05, 2009 - 03:42PM

says

I hope no other system ever implements something like that...

Apr 05, 2009 - 03:45PM

it doesn't produces any guarantees, no, but it at least makes detecting sanitized throughput possible.

Apr 05, 2009 - 03:47PM

says

no, it doesn't really. In many cases unsanitized output will show up sanitized

Apr 05, 2009 - 03:47PM

says

For example the reg exp support is completely unsafe

Apr 05, 2009 - 03:48PM

says

And that is pretty much what you do all the time in perl

Apr 05, 2009 - 03:48PM

last I checked regex doesn't mark tainted stuff as untainted.

Apr 05, 2009 - 03:48PM

says

It will only give you false confidence...

Apr 05, 2009 - 03:49PM

says

Things pulled out of a reg exp is maked untained

Apr 05, 2009 - 03:49PM

says

And that is the way tainted data should be converted to untainted

Apr 05, 2009 - 03:50PM

ah, so it does. Thats pesky.

Apr 05, 2009 - 03:50PM

its just too easy to use "*" as an expression part to make it unsafe

Apr 05, 2009 - 03:50PM

says

yes

Apr 05, 2009 - 03:51PM

says

and to my knowledge that is typically how perl programs are vulnerable to XSS...

Apr 05, 2009 - 03:52PM

wants

to request a mode where regexing doesn't auto untaint things.

Apr 05, 2009 - 03:52PM

amix

thinks

doing XSS checks is unfortunately really hard - especially since a lot of attacks are fueled by browser bugs

Apr 05, 2009 - 03:53PM

true true, the best way to check it automatically would be something that can emulate browser bugs and detect the safeness of them.

Apr 05, 2009 - 03:53PM

but that's a real mission

Apr 05, 2009 - 03:53PM

thinks

testing for XSS safeness should be unit-testable

Apr 05, 2009 - 03:54PM

amix	kentfredric: i don't think there's an automated tool that can guarantee 100% security

Apr 05, 2009 - 03:54PM

use Test::XSS ; is_safe( $str , Test::XSS::Attack_Family ) or something would be cool.

Apr 05, 2009 - 03:55PM

yeah, but it would be nice if there were some sort of intelligent library that could exist and people could just use for testing

Apr 05, 2009 - 03:55PM

amix	and even some of the biggest web applications (like Gmail) has/have had XSS issues

Apr 05, 2009 - 03:55PM

quite certain such a guarantee is beyond decidability...

Apr 05, 2009 - 03:55PM

then when a new exploit style was detected it could be integrated into the library, people could update, and the world would be safer

Apr 05, 2009 - 03:56PM

says

tveon: Any interesting property is

Apr 05, 2009 - 03:56PM

notes that the "sprintf" c-family of vulnerabilities eventually have died out

Apr 05, 2009 - 03:56PM

says

But it is easy to define a simple type system with a taint and an untaint type

Apr 05, 2009 - 03:57PM

says

You could combine that with a language engine for reg exps and have something relatively precise

Apr 05, 2009 - 03:58PM

says

schwarz: Popularly speaking, yes. I still remember most of what I learned in Software Verification - including CQual...

Apr 05, 2009 - 03:58PM

says

Kent: The bottom line is that you do not want to check for an unlimited number of things on rumtime

Apr 05, 2009 - 03:58PM

says

You don't need something that complicated, since you only have 2 modes

Apr 05, 2009 - 03:59PM

says

And basically you can only go one way, namely tainted -> untainted

Apr 05, 2009 - 03:59PM

says

The complicated part would be to define the tranfer functions for regular expressions

Apr 05, 2009 - 03:59PM

says

Which are really only regular by name in Perl

Apr 05, 2009 - 04:00PM

amix	schwarz: i think the base case are simple, but it can quickly become very complicated

Apr 05, 2009 - 04:00PM

says

Those transfer functions would depend on the output language you want to avoid xss in...

Apr 05, 2009 - 04:00PM

amix	especially since you need to guarantee security over large number of browsers and both in JS, HTML and CSS

Apr 05, 2009 - 04:00PM

amix	i mean, stuff like this `¼script¾alert(¢XSS¢)¼/script¾` is an XSS injection

Apr 05, 2009 - 04:01PM

says

yes, but that means you need to have a clear definition of what XSS is

Apr 05, 2009 - 04:01PM

says

You need that no matter what solution you try to create...

Apr 05, 2009 - 04:02PM

says

I am not saying that the solution I cooked up is a perfect one but it is light years better that the hacky perl feature...

Apr 05, 2009 - 04:25PM

Xugu Madison

wonders

if we're restricted to XSS only?

Apr 05, 2009 - 04:31PM

amix	rnicoll: other vulnerabilities are welcomed as well

Apr 05, 2009 - 04:53PM

Xugu Madison

So far worst I've found is the error message for an unknown qualifier has a stray 'u': Unknown qualifier u'weeble'

Apr 05, 2009 - 08:48PM

www.plurk.com/p/mrva5 # this is not an exploit, but its a possible evidence of a weak point. Could be possibly abused by somebody.

Apr 05, 2009 - 11:01PM

says

It is in no way evidence of a weak point

Apr 05, 2009 - 11:02PM

says

xml output generation is tricky but the only think invalid HTML can cause is the browsers to render it wrongly

Apr 05, 2009 - 11:04PM

its hard to differentiate between coder forgetfulness, and a sanitizer/stripper process going wrong and misbehaving.

Apr 05, 2009 - 11:04PM

I've seen bad sanitizers break and insert stuff or over-cut data in ways that could have created attack vectors before.

Apr 06, 2009 - 09:17AM

wants

to trade his Plus 5 in Karma for a Bag of Holding.

Apr 06, 2009 - 09:21AM

R.K.	What's to stop the hacker from just owning Plurk?

Apr 12, 2009 - 09:17PM

amix	thanks for reporting that issue GhettoWebmaster, we'll give you +5 karma and a hacker badge later tonight. good job

Apr 12, 2009 - 09:43PM

bunneh

says

awesome. meanwhile over at twitter i see that they are having some XSS troubles

Apr 12, 2009 - 09:45PM

says

hmm, maybe I should try and get the hacker badge too

Apr 12, 2009 - 09:48PM

amix	schwarz: you are very welcome to do so, i don't think we have solved all our XSS issues yet

Apr 12, 2009 - 09:49PM

says

That is very hard to do indeed

Apr 12, 2009 - 09:50PM

says

but considering the input complexity of plurk there has been an impressively small amount of problems

Apr 13, 2009 - 02:00AM

thinks

the "impressively small amount of problems" is directly related to current market share / traffic.

Apr 13, 2009 - 02:01AM

also thinks that Plurk is being smat about taking care of issues before they get too big. Huge traffic + XSS = huge issues / bad PR.

Apr 13, 2009 - 02:01AM

smat = smart

Apr 13, 2009 - 02:03AM

"don't think we have solved all our XSS issues yet" I doubt that most sites have. That's a very tall order to fill.

Apr 13, 2009 - 07:14AM

says

that was pretty cool!

Apr 16, 2009 - 10:08AM

nign	I'm just relaying a message here: A pro hacker friend says that the reward is too unalluring & he prefers U$500 to +5 karma points.

Apr 16, 2009 - 10:10AM

nign	I don't think any of my friends who do system security stuff would spend the time it takes for 5 karma points.

Apr 16, 2009 - 10:11AM

nign	S/he could probably use that equal amount of time or less on plurking and earn 5 karma points.

Apr 16, 2009 - 10:18AM

says

nign plurking is not really a fulltime occupation...

Apr 16, 2009 - 10:21AM

says

besides - the challenge got the Plurk community involved in protecting what we love

Apr 16, 2009 - 10:24AM

nign	tveon Yet, but the quality of feedback you get also depends on how much you seem to value or want that feedback. Quality HR is rarely free.

Apr 16, 2009 - 10:26AM

nign	tveon Frankly, Plurk is too young for its users to be passionately in love with it. Uncomfortable truth of the day? Um.

Apr 16, 2009 - 10:28AM

nign	The service of guy who's saying $500 instead of 5+ karma usually costs much more. It's like a 90% discount & costs nothing if it's not done.

Apr 16, 2009 - 10:31AM

amix	nign: not everything should be done for $$$ - there's also a thing called respect, that's probably more worth than money

Apr 16, 2009 - 10:43AM

amix	and if you look around and see great hackers/coders you'll see that they aren't motivated by money

Apr 16, 2009 - 10:44AM

amix	that's why you see that most of the development stack currently used is open source and Free

Apr 16, 2009 - 10:45AM

amix	so no, this wasn't really targeted at your money-making friend, but hackers that get a kick out of finding security exploits

Apr 16, 2009 - 11:09AM

me doesn't really care for money apart from "Do I have enough to cover my expenses and do things fun occasionally", once those are covered

Apr 16, 2009 - 11:10AM

anything is hackable ( context of hacker =~ person who 'hacks' code , not "cracker" )

May 10, 2009 - 11:06AM

Wayne

says

amix check ur mail I gave another CSRF

May 10, 2009 - 11:57AM

amix	armorize_wayne: great, thank you

May 12, 2009 - 09:47AM

says

amix, sunwhite is attacking plurk. Please check it. Besides, I've mailed some other vulnerabilities and suggestions to you.

May 12, 2009 - 10:48AM

Minda

armorize_wayne: Please don't attack plurk!! Your employee sunwhite is attacking everyone!!!!!!

May 12, 2009 - 11:28AM

amix	allenown: thanks for the notification. we have banned sunwhite

Jun 19, 2009 - 06:31AM

says

is this still on going?

Jun 19, 2009 - 11:06AM

amix	cJei: yes it is

Jun 19, 2009 - 11:09AM

says

oh well thanx. does one xss will do for the badge?

Jun 19, 2009 - 11:13AM

amix	cJei: yes it will, just send it off to amix@amix.dk

Jun 19, 2009 - 11:16AM

says

sure

Jun 20, 2009 - 06:00AM

Renzo

says

can't inderstand. how?

Jun 20, 2009 - 06:00AM

Renzo

says

undertsand*

Jun 24, 2009 - 05:11AM

says

amix: i just sent 1

Jun 24, 2009 - 05:13AM

says

amix: i just sent 1

Jun 24, 2009 - 08:15AM

amix

says

cJei: received, thank you for the notification

Jun 24, 2009 - 09:00AM

amix : I've mailed another vulnerability these days.

Don't forget to check your mailbox

Jun 24, 2009 - 11:27AM

wants

to trade it for the badge and karma

Jun 24, 2009 - 11:28AM

says

amix: np

Jun 25, 2009 - 04:03AM

asks

amix: can't i have the badge?

Jun 27, 2009 - 03:51PM

amix	allenown: i am afraid i haven't received your latest report. could you re-send it to amix@amix.dk thanks

Jun 27, 2009 - 03:52PM

amix	cJei: your xss is fixed (will be deployed during today/tomorrow) and you have hacker badge

Jun 27, 2009 - 03:56PM

says

amix: thanx!

ill be checking for other vulnerabilities too

all other xss that i found was already filtered good job

Jun 27, 2009 - 05:56PM

amix: I re-sent it.

Jun 28, 2009 - 12:13AM

amix	allenown: thanks, i'll review it during tomorrow

Jul 05, 2009 - 02:44AM

walterman

says

Hi amix, I sent you an email about some additional xss

Jul 05, 2009 - 10:02AM

amix	walterman: thank you, i'll review it and some other reports during today/tomorrow

Jul 05, 2009 - 02:44PM

walterman

says

thanks amix!

Jul 06, 2009 - 07:46AM

bensonwu

Hi amix, I just found and sent you another 1 last night

Jul 06, 2009 - 07:27PM

Wayne

says

Hi amix, I sent you a private plurk

Jul 07, 2009 - 07:29PM

Wayne

says

Hi amix, another private plurk, please check thx

Jul 07, 2009 - 08:18PM

amix	armorize_wayne: thank you

Jul 16, 2009 - 01:57AM

推噗通知

says

[Trackback] SamShane 在這邊引用到

Aug 02, 2009 - 08:21AM

don-don♥c:

says

how?

Aug 02, 2009 - 12:38PM

Aug 16, 2009 - 06:18AM

Mia2os

says

tell me how to do it

Aug 19, 2009 - 01:54AM

says

how do you do this?

Aug 24, 2009 - 07:58AM

推噗通知

says

[Trackback] 08tsu08basa08 在這邊引用到

Oct 26, 2009 - 04:33AM

CCN	Hi amix, I sent you an email about xss.

Oct 26, 2009 - 11:02AM

amix	c1n: thanks, will take a look at it

Nov 15, 2009 - 05:53PM

amix: Hello, me again. I mailed another xss issue to you.

Dec 02, 2009 - 10:51AM

Sunny,이순규

lol. help me karma

Jan 11, 2010 - 04:03PM

me too..

Jan 11, 2010 - 04:13PM

丹尼爾	Does this really help?

Jan 11, 2010 - 04:20PM

can u give me a step by step instruction?

Jan 12, 2010 - 07:36AM

says

no response from this plurk post

Jan 12, 2010 - 09:48AM

☯ゆうき☯™

says

can someone teach step by step???

Jan 12, 2010 - 09:59AM

sorayuki, xern: No. If you're not experienced with IT security, this is not for you.

Jan 12, 2010 - 12:35PM

ekabrln

says

I don't understand

Jan 12, 2010 - 01:46PM

where can i learn that?

Jan 12, 2010 - 01:56PM

says

xern try a technical college or similar...

Jan 12, 2010 - 02:16PM

says

tveon: I see

Jan 12, 2010 - 02:20PM

can i find a link where i could learn that?

Jan 12, 2010 - 02:23PM

Jan 12, 2010 - 02:59PM

Jan 12, 2010 - 03:10PM

ae86fan

didn't understand

Jan 12, 2010 - 03:16PM

me too

Jan 12, 2010 - 03:18PM

Jan 12, 2010 - 04:27PM

says

please read the first responses...

Jan 19, 2010 - 02:32PM

ÐЯЄШ♥ХТІИЄ

how to use it pls?

Jan 29, 2010 - 07:53AM

L ™	how to use it?

Feb 03, 2010 - 10:56PM

phil ツ

wonders

how to use it???

Feb 19, 2010 - 06:23AM

shinnryuuga

needs

need badges

Mar 04, 2010 - 09:45PM

My heart. :)

badgesss!

Mar 05, 2010 - 02:47AM

badges

Mar 17, 2010 - 11:18AM

❤ NEELIE !

says

can i have the badge ?

Mar 25, 2010 - 09:36AM

tintinbernardo

how to have a plurk hacker badge?

Apr 02, 2010 - 07:45AM

nisababy

asks

how to get plurk hacker's badge ?

Apr 03, 2010 - 01:31PM

sayswho?

says

Dang, it's driving me crazy.

Apr 06, 2010 - 06:38PM

BiZzY_SkYe.28

says

me too.. i want that +5 karma wew??

Apr 11, 2010 - 05:21PM

Juice

says

how? i wanna know how!

May 01, 2010 - 06:36PM

says

amix how can i do that hack badge?

May 14, 2010 - 07:15AM

Amix i found 1. Is the hacker badge still good? sent u screenshots too

May 14, 2010 - 11:08AM

amix	ernndevoe: great find!

May 14, 2010 - 01:57PM

says

amix: how?

May 14, 2010 - 02:12PM

says

Hack mo lang plurk.

May 14, 2010 - 04:52PM

says

ernndevoe: in what way?

May 14, 2010 - 05:31PM

says

google xss

May 14, 2010 - 06:18PM

says

xss?? then?

May 15, 2010 - 02:48AM

says

zzz

May 15, 2010 - 09:37AM

says

ernndevoe: huh?

May 23, 2010 - 05:27AM

PaPa T

can u pls teach me?

Jun 05, 2010 - 03:20PM

Ody Christian

says

Great

Jul 23, 2010 - 10:59PM

vhin_07

how can i get badge.?

Jul 25, 2010 - 02:35AM

The_Rev

says

help me

Jul 25, 2010 - 04:31AM

vhin_07

says

pano hack.?

Aug 27, 2010 - 07:16AM

ngikngok37

want to get badge

Aug 27, 2010 - 07:16AM

ngikngok37

want to get badge

Oct 20, 2010 - 01:38PM

i just found a bug where should i post it?

Oct 20, 2010 - 01:48PM

says

unl33t: thank you

Oct 20, 2010 - 01:59PM

says

need help i can't send it :[

Oct 28, 2010 - 11:55AM

Pitze'

how can i get badge.? i want it.

Oct 28, 2010 - 03:31PM

says

i already sent it how can i get my badge?

Nov 21, 2010 - 10:45AM

i can't send the security bugs there's always an error

Nov 21, 2010 - 02:40PM

www.plurk.com/bobster_0153#

email amix the script or email him a screenshot

Dec 19, 2010 - 03:17AM

baabii

Jan 18, 2011 - 09:01PM

Eedeh

wishes

I had a hacker badge, but it just wont happen.

Jan 18, 2011 - 09:03PM

нужное_вписать

May 14, 2011 - 02:49AM

says

May 14, 2011 - 02:49AM

says

May 14, 2011 - 02:51AM

says

i lost my replies here

May 14, 2011 - 02:52AM

says

plurk.com/JhanGrimmie

May 14, 2011 - 02:53AM

twitter.com/DomoJhanKun31

says

May 14, 2011 - 02:53AM