amix
shares
Plurk XSS hacking challenge: hack Plurk, get a hacker badge and +5 in karma ( reports should be private and sent to [email protected] )
Only plurker's friends can respond
latest #194
common XSS techniques used can be found on: ha.ckers.org/xss.html
cool 
a tip: generally, i think most XSS issues should be solved - so you must be pretty creative
aw, should've learned some black hat hacking stuff, I like badges :/
@Kent
wonders
@Kent
will
patiently wait for that fix ^_^
If you've got a standard issue XSS protection toolkit in place, we're probably screwed unless we know of an edge case in that library
kentfredric: we have a XSS lib in place, but i don't think we are XSS free yet...
earlier today we found an issue on www.plurk.com/search
@Kent
wonders
if python has perl-style "taint" support
Schwarz
says
perls 'taint' is a really bad hack that downgrades performance heavily
Schwarz
says
It doesn't even provide any guarantees
alvin
says
Schwarz
says
I hope no other system ever implements something like that...
it doesn't produces any guarantees, no, but it at least makes detecting sanitized throughput possible.
Schwarz
says
no, it doesn't really. In many cases unsanitized output will show up sanitized
Schwarz
says
For example the reg exp support is completely unsafe
Schwarz
says
And that is pretty much what you do all the time in perl
last I checked regex doesn't mark tainted stuff as untainted.
Schwarz
says
It will only give you false confidence...
Schwarz
says
Things pulled out of a reg exp is maked untained
Schwarz
says
And that is the way tainted data should be converted to untainted
ah, so it does. Thats pesky.
its just too easy to use "*" as an expression part to make it unsafe
Schwarz
says
yes
Schwarz
says
and to my knowledge that is typically how perl programs are vulnerable to XSS...
@Kent
wants
to request a mode where regexing doesn't auto untaint things.
amix
thinks
doing XSS checks is unfortunately really hard - especially since a lot of attacks are fueled by browser bugs
true true, the best way to check it automatically would be something that can emulate browser bugs and detect the safeness of them.
but that's a real mission
@Kent
thinks
testing for XSS safeness should be unit-testable
kentfredric: i don't think there's an automated tool that can guarantee 100% security
use Test::XSS ; is_safe( $str , Test::XSS::Attack_Family ) or something would be cool.
yeah, but it would be nice if there were some sort of intelligent library that could exist and people could just use for testing
and even some of the biggest web applications (like Gmail) has/have had XSS issues
tveon
is
quite certain such a guarantee is beyond decidability...
then when a new exploit style was detected it could be integrated into the library, people could update, and the world would be safer
notes that the "sprintf" c-family of vulnerabilities eventually have died out
Schwarz
says
But it is easy to define a simple type system with a taint and an untaint type
Schwarz
says
You could combine that with a language engine for reg exps and have something relatively precise
tveon
says
schwarz: Popularly speaking, yes. I still remember most of what I learned in Software Verification - including CQual...
Schwarz
says
Kent: The bottom line is that you do not want to check for an unlimited number of things on rumtime
Schwarz
says
You don't need something that complicated, since you only have 2 modes
Schwarz
says
And basically you can only go one way, namely tainted -> untainted
Schwarz
says
The complicated part would be to define the tranfer functions for regular expressions
Schwarz
says
Which are really only regular by name in Perl
Schwarz
says
Those transfer functions would depend on the output language you want to avoid xss in...
especially since you need to guarantee security over large number of browsers and both in JS, HTML and CSS
i mean, stuff like this
`¼script¾alert(¢XSS¢)¼/script¾` is an XSS injection
Schwarz
says
yes, but that means you need to have a clear definition of what XSS is
Schwarz
says
You need that no matter what solution you try to create...
Schwarz
says
I am not saying that the solution I cooked up is a perfect one but it is light years better that the hacky perl feature...
www.plurk.com/p/mrva5 # this is not an exploit, but its a possible evidence of a weak point. Could be possibly abused by somebody.
Schwarz
says
It is in no way evidence of a weak point
Schwarz
says
xml output generation is tricky but the only think invalid HTML can cause is the browsers to render it wrongly
its hard to differentiate between coder forgetfulness, and a sanitizer/stripper process going wrong and misbehaving.
I've seen bad sanitizers break and insert stuff or over-cut data in ways that could have created attack vectors before.
GhettoWebmaster
wants
to trade his Plus 5 in Karma for a Bag of Holding. 
What's to stop the hacker from just owning Plurk?
thanks for reporting that issue GhettoWebmaster, we'll give you +5 karma and a hacker badge later tonight. good job
bunneh
says
awesome. meanwhile over at twitter i see that they are having some XSS troubles
Schwarz
says
hmm, maybe I should try and get the hacker badge too
Schwarz
says
That is very hard to do indeed
Schwarz
says
but considering the input complexity of plurk there has been an impressively small amount of problems
GhettoWebmaster
thinks
the "impressively small amount of problems" is directly related to current market share / traffic.
also thinks that Plurk is being smat about taking care of issues before they get too big. Huge traffic + XSS = huge issues / bad PR.
smat = smart
"don't think we have solved all our XSS issues yet" I doubt that most sites have. That's a very tall order to fill.
Mr. Love
says
that was pretty cool!
I'm just relaying a message here: A pro hacker friend says that the reward is too unalluring & he prefers U$500 to +5 karma points.
I don't think any of my friends who do system security stuff would spend the time it takes for 5 karma points.
S/he could probably use that equal amount of time or less on plurking and earn 5 karma points.
tveon
says
besides - the challenge got the Plurk community involved in protecting what we love 
tveon Yet, but the quality of feedback you get also depends on how much you seem to value or want that feedback. Quality HR is rarely free.
tveon Frankly, Plurk is too young for its users to be passionately in love with it. Uncomfortable truth of the day? Um.
The service of guy who's saying $500 instead of 5+ karma usually costs much more. It's like a 90% discount & costs nothing if it's not done.
nign: not everything should be done for $$$ - there's also a thing called respect, that's probably more worth than money
and if you look around and see great hackers/coders you'll see that they aren't motivated by money
that's why you see that most of the development stack currently used is open source and Free
so no, this wasn't really targeted at your money-making friend, but hackers that get a kick out of finding security exploits
me doesn't really care for money apart from "Do I have enough to cover my expenses and do things fun occasionally", once those are covered
anything is hackable ( context of hacker =~ person who 'hacks' code , not "cracker" )
armorize_wayne: great, thank you
Allen Own
says
armorize_wayne: Please don't attack plurk!! Your employee sunwhite is attacking everyone!!!!!!
PogiProblems
says
is this still on going? 
PogiProblems
says
oh well thanx. does one xss will do for the badge?
PogiProblems
says
sure 
Renzo
says
can't inderstand. how?
Renzo
says
undertsand*
PogiProblems
says
amix: i just sent 1
PogiProblems
says
amix: i just sent 1
PogiProblems
wants
to trade it for the badge and karma
PogiProblems
says
amix: np
PogiProblems
asks
amix: can't i have the badge?
allenown: i am afraid i haven't received your latest report. could you re-send it to [email protected] thanks
PogiProblems
says
amix: thanx! ill be checking for other vulnerabilities too 
all other xss that i found was already filtered good job
ill be checking for other vulnerabilities too all other xss that i found was already filtered good job
bensonwu
is
Hi amix, I just found and sent you another 1 last night
armorize_wayne: thank you
don-don♥c:
says
how?
Mia2os
says
tell me how to do it
Leio Dungo
says
how do you do this?
推噗通知
says
[Trackback] 08tsu08basa08 在 這邊 引用到
Hi amix, I sent you an email about xss.
lol. help me karma
† akuma †
is
me too..
Does this really help?
can u give me a step by step instruction?
Leio Dungo
says
no response from this plurk post
☯ゆうき☯™
says
can someone teach step by step???
you dont say
says
I don't understand 
where can i learn that?
Leio Dungo
says
tveon: I see
can i find a link where i could learn that?
me too
tveon
says
please read the first responses...
how to use it pls?
how to use it?
phil ツ
wonders
how to use it??? 
shinnryuuga
needs
need badges
badgesss!
badges
❤ NEELIE !
says
can i have the badge ?
how to have a plurk hacker badge?
txtdaribayi
asks
how to get plurk hacker's badge ?
BiZzY_SkYe.28
says
me too.. i want that +5 karma wew??
|| dReL ||
says
amix how can i do that hack badge?
Amix i found 1. Is the hacker badge still good? sent u screenshots too
|| dReL ||
says
amix: how?
ERNN CABURN
says
Hack mo lang plurk.
|| dReL ||
says
ernndevoe: in what way?
ERNN CABURN
says
google xss
|| dReL ||
says
xss?? then?
ERNN CABURN
says
zzz
|| dReL ||
says
ernndevoe: huh?
can u pls teach me?
Ody Christian
says
Great 
how can i get badge.?
The_Rev
says
help me
vhin_07
says
pano hack.?
want to get badge
want to get badge
how can i get badge.? i want it.
email amix the script or email him a screenshot
Eedeh
wishes
I had a hacker badge, but it just wont happen.
aandreasts
wishes
wants to get badges