Domain: xssed.com
Stories and comments across the archive that link to xssed.com.
Comments · 8
-
Re:Fail.
It's only a security threat if you can't trust the site that the programs are originating from. Sure, this search engine *may* be able to dump a tracking code into their output and therefore break the TOR privacy[1], but you have to ask how likely to happen is this? And my answer: very unlikely.
Please. If you do not understand the fucking problem. Do the world a favor and shut the fuck up.
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-gregory_fleischer-attacking_tor.pdf
http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/
http://www.xssed.com/news/41/A_new_critical_Google_XSS_vulnerability_promptly_corrected/
http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
http://blogoscoped.com/archive/2007-09-28-n28.html
http://www.h-online.com/security/news/item/Google-fixes-cross-site-scripting-vulnerability-in-YouTube-comments-1032988.html
http://ibnlive.in.com/news/orkut-attacked-by-bom-sabado-worm/131714-11.html
http://www.geek-news.net/2010/09/twitter-hit-with-major-xss-hack.html
http://lynnepope.net/twitter-xss-attacks
http://nemesis.te-home.net/News/20090407_Metasploit_Decloaking_Engine_and_TOR.html
http://securityandthe.net/2008/12/23/finding-a-hidden-ip-address-just-got-easier/ -
An abomination when you're forced to upload
At least when people willingly store something on the cloud, it's their choice.
I was shocked to find out that my school required children to transmit and archive high school academic papers on to servers with known security issues.
Getting other parents to understand the stupidity was a real challenge.
"Your school is forcing your child to transmit (in an unsecure fashion) and store their private school work PERMANENTLY to a service that will archive it, and has fundamental security issues. Forever. With terms that say that the company licensed to use your paper for their business purposes (i.e. sell it). And you don't see an issue with that?"
My stance: If the principal and teachers are willing to upload their high school papers onto these servers with security issues for all to see, then I'll consider letting my child make their own choice in the matter.
-
Fake News on real sites such as CNN
Lots of sites have cross site scripting vulnerabilities, and news sites are one of them. CNN, Fox News, MSNBC and other local new sites, have the ability to inject HTML into the pages. So the domain still reads the sites original URL, but contains altered text. Dont believe me? http://xssed.com/ is a database oh sites that currently have such security hole. Take a look at common sites you use, and maybe demand these sites fix them.
-
XSS
there is a really good post on it here http://www.xssed.com/news/92/XSS_Iframe_injections_and_XMLHTTP_post_request_errors_on_McAfee_sites/ and http://www.xssed.com/archive/domain=mcafee.com shows sites in the past XSSable http://xssed.com/ keeps track of a lot of XSSed sites
-
XSS
there is a really good post on it here http://www.xssed.com/news/92/XSS_Iframe_injections_and_XMLHTTP_post_request_errors_on_McAfee_sites/ and http://www.xssed.com/archive/domain=mcafee.com shows sites in the past XSSable http://xssed.com/ keeps track of a lot of XSSed sites
-
XSS
there is a really good post on it here http://www.xssed.com/news/92/XSS_Iframe_injections_and_XMLHTTP_post_request_errors_on_McAfee_sites/ and http://www.xssed.com/archive/domain=mcafee.com shows sites in the past XSSable http://xssed.com/ keeps track of a lot of XSSed sites
-
Re:Good
Actually, ~50 % of websites tested in the past year by WhiteHat Security. It's the best metric we currently have for security flaws, as WhiteHat has many customers across quite a few industries, and they are all automatically retested over time. It has little to do with the browser targeted, and everything to do with the web frameworks used, the knowledge of the programmers, and the testing or lack thereof most websites get before deployment.
If you check xssed.com you'll see that near 100% of websites have had XSS vulnerabilities in the past.
-
Phishing detection by unique URL no longer works.
It's not really enough to just check the URL against some phishing database. The phishing sites now use unique URLs for each phish going out. Some even use unique subdomains. An example is http://onlinesession-949076872.natwest.com.nigy3r.cn.
We've been struggling with this for SiteTruth, which, among other things, uses PhishTank's data. Originally, we used PhishTank's online query API, but that required an exact match on the URL, which was useless. Now we download their entire database every few hours and blacklist the entire base domain (what you buy from a domain registrar) if there's a verified, active phishing site anywhere in the domain.
That seems reasonable enough. But there's collateral damage. So, most days, we have AOL, Microsoft Live, and Yahoo blacklisted. That's because those major sites have "open redirectors" - URLs which will redirect to any specified site. For example,
-
http://r.aol.com/cgi/redir?http://mgw1.haoyisheng.com/icons/asp.html
A convenient, easy to use redirection script popular with phishers. Provides a URL that appears to be on AOL, but isn't. Interestingly, AOL treats as spam any email that uses their own redirector URL. So it's only useful for attacking non-AOL users. -
http://login.live.com/logout.srf?ct=1179231565
&rver=4.0.1532.0&lc=1033&id=64855
&ru=http:%2F%2Fby117w.bay117.mail.live.com%2Fmail%2Flogout.aspx%3Fredirect%3Dtrue
%26logouturl%3Dhttp:%2F%2F62.49.9.117:443/HB.onlineserv.cgi/
The "logout" page for Microsoft Live can be abused, with some effort, to make it appear as if some hostile site is on Microsoft Live. This looks like Microsoft tried "security through obscurity" and failed. -
http://rds.yahoo.com/_ylt=A0Je5VTi9_RDDbAA3TJXNyoA;
_ylu=X3oDMTE2ZXYybGFuBGNvbG8DdwRsA1dTMQRwb3MDMQRzZWMDc3IEdnRpZANpMDIxXzQ3/SIG=15j5u6auo/
EXP=1140214114/**http://hticketing.com/www.bankofamerica.com/sslencrypt218bit/online_banking/
A Yahoo redirector URL intended to create the illusion of a Bank of America site. It may be possible to exploit this as a cross site scripting attack.
These were all active phishing sites an hour or two ago.
Yes, arguably the intelligent user should be able to visually parse the URLs above and realize that they're not really on the sites indicated. Or notice that a redirection took place. But most users don't notice that. Neither do many anti-phishing tools, especially if the attacker combines both techniques described above.
Phishing has reached the point that if you have an open redirector or proxy on your web site, someone will use it to borrow your reputation for their scam. Open redirectors are now like open mail relays - a nice Internet feature that had to be shut down because of exploits.
So fix those open redirectors, people, or expect to be listed as a phishing-friendly site.
-
http://r.aol.com/cgi/redir?http://mgw1.haoyisheng.com/icons/asp.html