| | #1 (permalink) | |
| Resident USSRian | Do You Trust The Link? Let's discuss this a little bit. You are a MySpace user. You LOVE your MySpace account. You WANT to make it look cooler, and then one day, me-like sends you a link to a site that has the COOLEST MySpace layout you have ever seen.... Do you open the link? Can you resist the temptation of missing out on something? http://www.myspacelayoutspy.com/sear...4%3E&x=45&y=13 ---------------- And remember that great question that Pierre-Simon Laplace and Sir Isaac Newton, Andrei Markov and David Hilbert, Richard Feynman and Enrico Fermi, Albert Einstein and Edmund Halley did not come to ask throughout all of their dedication and work: "Who the hell is IMing me?" This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. | |
| ||
| | #2 (permalink) | |
| Creating | Re: Do You Trust The Link? I couldn't help myself, I had to see. Besides, I trust you. You Kazakhstany kook. ---------------- I do not know what I seem to the world, but to myself I appear to have been like a boy playing upon the seashore and diverting myself by now and then finding a smoother pebble or prettier shell than ordinary, while the great ocean of truth lay before me all undiscovered. - Sir Isaac Newton Last edited by Thunderbird; 08-06-2008 at 06:35 PM. | |
| ||
| | #3 (permalink) | |
| Wedding Planner | Re: Do You Trust The Link? I always check the link of suspicious stuff. Normally, I would trust you to not steer me wrong, Alex. This post title sets off the alarms though. So the link is: Code: http://www.myspacelayoutspy.com/search.php?cat=all&type=layouts& query=%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F %2F%6B%61%70%63%73%66%6F%72%64%2E%66%72%65%65%62 %6C%6F%67%2E%68%75%2F%46%69%6C%65%73%2F%62%61%7A %65%72%2F%72%6F%66%6C%2E%70%77%6E%74%2D%73%70%72 %61%79%2E%67%69%66%22%3E%3C%2F%69%6D%67%3E%3C%73 %63%72%69%70%74%3E%61%6C%65%72%74%20%28%22%59%6F %75%20%63%6F%75%6C%64%20%73%6F%20%68%61%76%65%20 %62%65%65%6E%20%70%77%6E%74%21%21%21%20%49%20%6D %65%61%6E%20%77%68%79%20%64%69%64%20%79%6F%75%20 %65%76%65%6E%20%63%6C%69%63%6B%20%74%68%69%73%3F %22%29%3B%3C%2F%73%63%72%69%70%74%3E&x=45&y=13 ---------------- Hypography Science Forums Moderator --- "There are no passengers on Spaceship Earth. We are all crew." - Marshall McLuhan "We must not forget that when radium was discovered no one knew that it would prove useful in hospitals. The work was one of pure science. And this is a proof that scientific work must not be considered from the point of view of the direct usefulness of it." - Marie Curie | |
| ||
| | #4 (permalink) | |
| Resident USSRian | Re: Do You Trust The Link? Ok, so I should be more clear: this has nothing to do with you trusting me as the person who sends you this. The question is, would you trust a link for a legit website like that? T bird, I went out of my way to make sure that that was safe; the question is, if you saw this come from, say, your friend's email, would you check the link and decode hex, or would you just blindly follow the link? Freezy, the link could also be written as: Code: http://www.myspacelayoutspy.com/search.php?cat=all&type=layouts&
query=
<img src="http://kapcsford.freeblog.hu/Files/bazer/rofl.pwnt-spray.gif">
</img>
<script>alert ("You could so have been pwnt!!!
I mean why did you even click this? ");
</script>&x=45&y=13
I IMed the link to a friend of mine and he brought up an interesting point too. He said that this seemingly juvenile play may not seem a serious problem for some people, and whether he sees all seriousness of the exploit, my demo may not quite convince people that this is a BIIG problem. So what can one do with an XSS exploit? As you can see, I can insert arbitrary client-side code into the link, and have it execute. This allows one to firstly, get cookie cache on a particular system, which potentially allows them to now log into a particular account, without ever worrying about a password... and one can change the password, or other info to now overtake the account, well or in case of a social networking website, to fully deface the page... Inserting an image is an obvious thing, but what if one inserted a MySpace login form, under the "Preview this theme on your page:", valid MySpace logo, maybe a security note, and I guarantee that 9/10 people would willingly give away their login info and never even suspecting anything... That could have as easily been another webpage, where such a flaw would allow me to create a login page for that particular website, and once you hit the "log in" button, you would actually log in! Just that the person who sent you the link would still have your credentials... The amount of damage one can do with this vector is quite large, and varied, and yeah, while you get a nice "you got pwnt" message with the demo, it could be a lot more serious. Last edited by alexander; 08-07-2008 at 06:45 AM. | |
| ||
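Why the link in post #4 works, and the server-side fix, shown as an added example that is not part of the original thread and is not the real site's code: a search page that echoes the `query` parameter into its HTML. The function names and the `layouts.example` host are hypothetical, and the sample link is constructed.

```javascript
// Added example: hypothetical search-results template, not the real site's code.

// Vulnerable form: the decoded query value is concatenated into the page as-is,
// so any markup carried in the link becomes part of the document.
function renderResultsUnsafe(query) {
  return '<h1>Results for: ' + query + '</h1>';
}

// Replace the characters that let text break out of an HTML text or
// attribute context with their entity forms.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: the same template, but the value is encoded on output,
// so the browser displays the markup as text instead of parsing it.
function renderResultsSafe(query) {
  return '<h1>Results for: ' + escapeHtml(query) + '</h1>';
}

// Constructed link in the same shape as the one in the thread
// (search.php?...&query=<percent-encoded markup>&x=..&y=..).
const link = 'http://layouts.example/search.php?cat=all&type=layouts' +
  '&query=%3Cscript%3Ealert(%22demo%22)%3B%3C%2Fscript%3E&x=45&y=13';

// What the server sees after percent-decoding the parameter.
function queryFromLink(href) {
  return new URL(href).searchParams.get('query') || '';
}

const received = queryFromLink(link);
console.log('server receives :', received);
console.log('unsafe template :', renderResultsUnsafe(received));
console.log('safe template   :', renderResultsSafe(received));
```
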
| | #5 (permalink) | |
| Wedding Planner | Re: Do You Trust The Link? Thanks Alex, that's good to know. For the people reading this wondering how to utilize this knowledge, I recommend practicing with Alex's hex. What I did was to copy and paste the hex (%3D%65%...) into Word and use the replace command to replace all of the "%" with ":". Next, go to this site and enter the new text into the hex field. Click on "HEX to ASCII" to reveal the code. So Alex, is it possible that one would only need to know certain strings to look for? If so, it should be possible to create an Excel worksheet that checks a link against all potentially hazardous strings (such as 3c:73:63:72:69:70:74:3e). | |
| ||
| | #6 (permalink) | |
| Ancora Imparo | Re: Do You Trust The Link? What is the exploit? I don't get it.. When I hover over the link Firefox showed me "......"You could so have been pwnt!!! I mean why did you even click this? "......" So I get the point and clicked it anyway ---------------- Jay-qu ::Hypography Moderator of.. Chemistry, Physics & Mathematics, Astronomy & Cosmology, Space and Technology & gadgets Forums Einstein said that if quantum mechanics is right, then the world is crazy. Well, Einstein was right. The world is crazy. -Daniel Greenberger Physics Guides - Physics Resources and help | |
| ||
| | #7 (permalink) | ||
| Resident USSRian | Re: Do You Trust The Link? Firefox translates hex in URLs to help users identify potentially bad links, they actually like security, and that's what I love about FF. Not the case with internet exploder though... Jay, you really don't think that myspacelayoutspy would have a page that will load that image and generate that popup, do you? | ||
| |||
| | #8 (permalink) | ||
| Resident USSRian | Re: Do You Trust The Link? A faster way to translate is to just paste it into the hex field here: TRANSLATOR, BINARY, and click decode. You could probably use a link checker... Anyone run new AVG? They have a link checker, did my link check out as a potentially bad link? We could write an FF extension to do this too... | ||
| |||
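The check proposed in post #5 (match a link against known hazardous strings) and the link checker floated in post #8, as an added example that is not part of the original thread: it percent-decodes each query parameter, including double-encoded values, and reports any that carry markup. The function names, the pattern list and the `layouts.example` sample links are constructed for illustration.

```javascript
// Added example: names, patterns and sample links are constructed for illustration.

// Decode repeatedly so double-encoded values (%253C -> %3C -> <) are exposed.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: keep what has been decoded so far
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Patterns are matched against the decoded text, not against hex strings,
// so upper/lower-case hex and mixed encodings all look the same here.
const SUSPICIOUS = [
  { name: 'html-tag', re: /<\s*\/?\s*[a-z][^>]*>/i },
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
];

// Returns one finding per query parameter whose decoded value matches a pattern.
function inspectLink(href) {
  const findings = [];
  for (const [param, value] of new URL(href).searchParams) {
    const decoded = fullyDecode(value); // searchParams already decoded one layer
    const hits = SUSPICIOUS.filter((p) => p.re.test(decoded)).map((p) => p.name);
    if (hits.length) findings.push({ param, decoded, hits });
  }
  return findings;
}

const BASE = 'http://layouts.example/search.php?cat=all&type=layouts&query=';
const BENIGN = BASE + 'blue+stars&x=45&y=13';
// Every character hex-encoded, as in the thread's link.
const ENCODED = BASE + '%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29' +
  '%3C%2F%73%63%72%69%70%74%3E&x=45&y=13';
const DOUBLE = BASE + '%253Cimg%2520src%253Dx%253E&x=45&y=13';
const MALFORMED = BASE + '100%25%zz&x=45&y=13';

for (const href of [BENIGN, ENCODED, DOUBLE, MALFORMED]) {
  console.log(JSON.stringify(inspectLink(href)));
}
```

String matching like this is a triage aid for the person receiving the link; it does not replace output encoding on the site that reflects the parameter.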
| | #9 (permalink) | |
| Astounding Vision | Re: Do You Trust The Link? I clicked on it! eeeww, I feel so dirty and used, I think I'll take a shower....... I'll never trust again ---------------- Michael Nuclear is the only real option! http://www.nuclearspace.com/Liberty_ship_menupg.aspx Who died and left you in charge? Captain Bipto! The early bird might get the worm but the second mouse gets the cheese! Life is the poetry of the universe. Love is the poetry of life. Over heard from a three year old, "Daddy why do my toes get sticky when I eat strawberry jam?" Never wrestle a troll. You both get dirty and the troll likes it | |
| ||
| | #10 (permalink) | |
| Resident USSRian | Re: Do You Trust The Link? Thank you moon, one more person who will practice safe sex... errr, I mean internet, safe interwebs... | |
| ||