cool
A tip: generally, I think most XSS issues should be solved, so you must be pretty creative
aw, should've learned some black hat hacking stuff, I like badges :/
Kent wonders if his nickname counts or not, but doesn't think it does.
amix, kent: #weird things.
patiently wait for that fix ^_^
If you've got a standard issue XSS protection toolkit in place, we're probably screwed unless we know of an edge case in that library
kentfredric: we have an XSS lib in place, but I don't think we are XSS free yet...
Kent wonders if Python has Perl-style "taint" support
Perl's 'taint' is a really bad hack that downgrades performance heavily
It doesn't even provide any guarantees
I hope no other system ever implements something like that...
It doesn't produce any guarantees, no, but it at least makes detecting sanitized throughput possible.
no, it doesn't really. In many cases unsanitized output will show up sanitized
For example the reg exp support is completely unsafe
And that is pretty much what you do all the time in perl
last I checked regex doesn't mark tainted stuff as untainted.
It will only give you false confidence...
Things pulled out of a reg exp are marked untainted
And that is the way tainted data should be converted to untainted
ah, so it does. That's pesky.
It's just too easy to use "*" as an expression part to make it unsafe
and to my knowledge that is typically how perl programs are vulnerable to XSS...
to request a mode where regexing doesn't auto untaint things.
doing XSS checks is unfortunately really hard - especially since a lot of attacks are fueled by browser bugs
true true, the best way to check it automatically would be something that can emulate browser bugs and detect the safeness of them.
but that's a real mission
Kent thinks testing for XSS safeness should be unit-testable
kentfredric: I don't think there's an automated tool that can guarantee 100% security
use Test::XSS ; is_safe( $str , Test::XSS::Attack_Family ) or something would be cool.
yeah, but it would be nice if there were some sort of intelligent library that could exist and people could just use for testing
and even some of the biggest web applications (like Gmail) have had XSS issues
quite certain such a guarantee is beyond decidability...
then when a new exploit style was detected it could be integrated into the library, people could update, and the world would be safer
tveon: Any interesting property is
notes that the "sprintf" C family of vulnerabilities has eventually died out
But it is easy to define a simple type system with a taint and an untaint type
You could combine that with a language engine for reg exps and have something relatively precise
schwarz: Popularly speaking, yes. I still remember most of what I learned in Software Verification - including CQual...
Kent: The bottom line is that you do not want to check for an unlimited number of things at runtime
You don't need something that complicated, since you only have 2 modes
And basically you can only go one way, namely tainted -> untainted
The complicated part would be to define the transfer functions for regular expressions
Which are really only regular by name in Perl
schwarz: I think the base cases are simple, but it can quickly become very complicated
Those transfer functions would depend on the output language you want to avoid xss in...
especially since you need to guarantee security over large number of browsers and both in JS, HTML and CSS
i mean, stuff like this `¼script¾alert(¢XSS¢)¼/script¾`
is an XSS injection
yes, but that means you need to have a clear definition of what XSS is
You need that no matter what solution you try to create...
I am not saying that the solution I cooked up is a perfect one, but it is light years better than the hacky Perl feature...
rnicoll: other vulnerabilities are welcomed as well
www.plurk.com/p/mrva5 # this is not an exploit, but it's possible evidence of a weak point. Could possibly be abused by somebody.
It is in no way evidence of a weak point
XML output generation is tricky, but the only thing invalid HTML can cause is browsers rendering it wrongly
It's hard to differentiate between coder forgetfulness, and a sanitizer/stripper process going wrong and misbehaving.
I've seen bad sanitizers break and insert stuff or over-cut data in ways that could have created attack vectors before.
to trade his Plus 5 in Karma for a Bag of Holding.
What's to stop the hacker from just owning Plurk?
thanks for reporting that issue
GhettoWebmaster, we'll give you +5 karma and a hacker badge later tonight. good job
awesome. Meanwhile over at Twitter I see that they are having some XSS troubles
hmm, maybe I should try and get the hacker badge too
schwarz: you are very welcome to do so, I don't think we have solved all our XSS issues yet
That is very hard to do indeed
but considering the input complexity of plurk there has been an impressively small amount of problems
the "impressively small amount of problems" is directly related to current market share / traffic.
also thinks that Plurk is being smart about taking care of issues before they get too big. Huge traffic + XSS = huge issues / bad PR.
"don't think we have solved all our XSS issues yet" I doubt that most sites have. That's a very tall order to fill.
that was pretty cool!
I'm just relaying a message here: A pro hacker friend says that the reward is too unalluring & he prefers US$500 to +5 karma points.
I don't think any of my friends who do system security stuff would spend the time it takes for 5 karma points.
S/he could probably use that equal amount of time or less on plurking and earn 5 karma points.
nign: plurking is not really a full-time occupation...
besides - the challenge got the Plurk community involved in protecting what we love
tveon: Yet, but the quality of feedback you get also depends on how much you seem to value or want that feedback. Quality HR is rarely free.
tveon: Frankly, Plurk is too young for its users to be passionately in love with it. Uncomfortable truth of the day? Um.
The service of the guy who's saying $500 instead of +5 karma usually costs much more. It's like a 90% discount & costs nothing if it's not done.
nign: not everything should be done for $$$ - there's also a thing called respect, that's probably more worth than money
and if you look around and see great hackers/coders you'll see that they aren't motivated by money
that's why you see that most of the development stack currently used is open source and Free
so no, this wasn't really targeted at your money-making friend, but hackers that get a kick out of finding security exploits
me doesn't really care for money apart from "Do I have enough to cover my expenses and do things fun occasionally", once those are covered
anything is hackable ( context of hacker =~ person who 'hacks' code , not "cracker" )
amix, check your mail, I gave another CSRF
amix,
sunwhite is attacking plurk. Please check it. Besides, I've mailed some other vulnerabilities and suggestions to you.
allenown: thanks for the notification. we have banned sunwhite
Is this still ongoing?
Oh well, thanks. Will one XSS do for the badge?
sure
cJei: received, thank you for the notification
amix : I've mailed another vulnerability these days.
Don't forget to check your mailbox
to trade it for the badge and karma
amix: can't I have the badge?
cJei: your xss is fixed (will be deployed during today/tomorrow) and you have hacker badge
amix: thanks!
I'll be checking for other vulnerabilities too
All other XSS that I found were already filtered, good job
allenown: thanks, i'll review it during tomorrow
Hi
amix, I sent you an email about some additional xss
walterman: thank you, i'll review it and some other reports during today/tomorrow
Hi amix, I just found and sent you another 1 last night
Hi
amix, I sent you a private plurk
Hi
amix, another private plurk, please check thx
tell me how to do it
Hi amix, I sent you an email about xss.
c1n: thanks, will take a look at it
amix: Hello, me again. I mailed another xss issue to you.
Can you give me a step by step instruction?
no response from this plurk post
Can someone teach step by step???
sorayuki,
xern: No. If you're not experienced with IT security, this is not for you.
I don't understand
xern try a technical college or similar...
Can I find a link where I could learn that?
please read the first responses...
How to use it please?
How to use it???
badgesss!
How to get a Plurk hacker badge?
How to get Plurk's hacker badge?
Me too... I want that +5 karma
amix, how can I get that hacker badge?
amix, I found one. Is the hacker badge still good? Sent you screenshots too
Great
How can I get the badge? I want it.
email amix the script or email him a screenshot
Eedeh wishes I had a hacker badge, but it just won't happen.