THE HACKER BLOG
A Hacker's Blog of Unintended Use and Insomnia. Post excerpts as indexed (several are cut off where the source truncated them):

Video Downloader and Video Downloader Plus Chrome Extension Hijack Exploit - UXSS via CSP Bypass (~15.5 Million Affected)
Note: This post is going to be a bit different from the previous Chrome extension vulnerability writeups.
The vd.isVideoLinkAlreadyAdded is a simple check to see if the URL has already been recorded in the vd.tabsData.videoLinks array. The second check is that the videoLink.size is larger than 1024. Recall that this value is taken from the retrieved Content-Length header. In order to pass this check we create a basic Python Tornado server and create a wildcard route and return a large enough

How I Got 5,000 GitHub Followers in Less Than 24 Hours

XSS Hunter – A Modern Approach to Testing for Cross-site Scripting (XSS)
Cross-site Scripting (XSS) origins go (arguably) back to a lab in Microsoft in 1999.

Hacking XAMPP Web Servers Via Local File Inclusion (LFI)
So recently I was attempting to hack a friend's server (with permission!) via a local file inclusion vulnerability and I discovered that nobody had any tutorials on hacking XAMPP servers via LFI. Basically it's pretty straightforward if they have FileZilla FTP Server enabled and working!

Tarnish - Chrome Extension Analyzer
The following HTML pages were found to have the web_accessible_resources directive set. This directive allows for the iframing of these pages in external web pages. If any of these pages contain sensitive application UI, the UI could potentially be redressed to perform a clickjacking attack. Note that these results must be validated and are context specific.

Every C99 / C99.php Shell Is Backdoored (A.K.A. Free Shells for Everyone!)
Earlier I made a post calling out the wrong people for backdooring the C99.php shell hosted on r57.gen.tr. They look to possibly be only exploiting an already existing vulnerability in the C99 shell. The truth is

Dirty Browser Enumeration Tricks – Using chrome:// and about: to Detect Firefox & Addons
After playing around with some of the cool Firefox Easter eggs I had an interesting thought about the internal chrome:// resources in the Firefox web browser. In a previous post I found that I could access local Firefox resources such as style-sheets, images, and other local content in any public web page.

The .io Error

XSS Hunter is Now Open Source – Here's How to Set It Up!
Recently I opened up XSS Hunter for public registration, this was after publishing a post on how I used XSS Hunter to hack GoDaddy via blind XSS and pointed out that many penetration testers use a very limited alert box-based pentesting methodology which will not detect these types of issues.

Untitled excerpt (blind XSS series)
This is a continuation of a series of blog posts which will cover blind cross-site scripting (XSS) and its impact on the internal systems which suffer from it. Previously, we've shown that data entered into one part of a website, such as the account information panel, can lead to XSS on internal account-management panels.

Floating Domains – Taking Over 20K DigitalOcean Domains via a Lax Domain Import System
The above image is taken from here and was taken by Steve Jurvetson. EDIT: DigitalOcean seems to be getting a lot of flak from this post so I'd just like to point out that I feel DigitalOcean's reaction in this case was entirely justified (they saw an anomaly and they put a stop to it).

A More Universal Router Payload – Backdooring the Linksys WRT54G Firmware
February 20, 2014. Reading time ~6 minutes.

crossdomain.xml Hacking
A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own

xssless – Automatic XSS Payload Generator
After working with more and more complex JavaScript payloads for XSS I realized that most of the work I was doing was unnecessary!

Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS
This is the first part of a series of stories of compromising companies via blind cross-site scripting.

Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target
In a past piece of research, we explored the issue of nameserver domains expiring allowing us to take over full control of a

Building An Rdio Flash Cross-domain Exploit with FlashHTTPRequest (crossdomain.xml Security)
Adobe Flash is no stranger to security issues, but this post isn't about stack overflows, bypassing ASLR, or sandbox escaping – it's about building practical exploits against poor use of crossdomain.xml. For those unfamiliar with cross-domain policies in Flash, check out my previous post here.

"I too like to live dangerously", Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies
May 16, 2018. Reading time ~4 minutes.
Chrome Galvanizer
Tool page. Policy types offered: block access to URL(s) for a set of extensions, or allow access to URL(s) for a set of extensions. The page shows a preview of the generated Chrome policy as rules are added.
Untitled excerpt (Guatemala TLD DNS issue)
Guatemala City, by Rigostar (own work), via Wikimedia Commons. UPDATE: Guatemala has now patched this issue after I reached out to their DNS administrator (and with a super quick turnaround as well!) In search of new interesting high-impact DNS vulnerabilities I decided to take a look at the various top-level domains (TLDs) and
An archive of posts sorted by tag. 30C3 1; 30C3 writeup 1; 400 points 1; CTF writeup 1; CVE 1; CVE-2018-11101 1; Cryptorbit 1; Cryptorbit decryptor 1; Cryptorbit hack 1; Cryptorbit leak 1; Cryptorbit source code 1; GlobIterator 1; HTML injection 1; PHPpwning 1; RCE 1; Sharif 2013 1; Sharif ctf 1; Sharif web 200 1; Signal 1; SplFileObject 1; URLhrequest hacking 1; WP-DB-Backup 1; WP-DB-Backup DATAURIZATION OF URLS FOR A MORE EFFECTIVE PHISHING Dataurization of URLs for A More Effective Phishing Campaign. Phishing with data: URIs is not a new idea. The concept is relatively simple, taking advantage of many user’s inexperience with how data: URIs function in order to trick them into entering credentials into a
phishing page.
SEARCH - THE HACKER BLOG A Hacker's Blog of Unintended Use and Insomnia. Finds a post by title, tag, category, date and url. VIDEO DOWNLOADER AND VIDEO DOWNLOADER PLUS CHROME The vd.isVideoLinkAlreadyAdded is a simple check to see if the URL has already been recorded in the vd.tabsData.videoLinks array. The second check is that the videoLink.size is larger than 1024.Recall that this value is taken from the retrieved Content-Length header. In order to pass this check we create a basic Python Tornado server and create a wildcard route and return a large enough XSS HUNTER - THE HACKER BLOG XSS Hunter – A Modern Approach to Testing for Cross-site Scripting (XSS) Cross-site Scripting (XSS) origins go (arguably) back to a lab in Microsoft in 1999.
CHROME GALVANIZER
-- Please select a policy type to add --Block access to URL(s) for a set of extensions. Allow access to URL(s) for a set of extensions. Select a policy type to add from the menu above to begin. This is a preview of your generated Chrome policy. No policy rules defined yet, add some rules to get A MORE UNIVERSAL ROUTER PAYLOAD A More Universal Router Payload – Backdooring the Linksys WRT54G Firmware February 20, 2014. Reading time ~6 minutes
BREACHING A CA
Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter. This is a continuation of a series of blog posts which will cover blind cross-site scripting (XSS) and its impact on the internal systems which suffer from it. Previously, we’ve shown that data entered into one part of a website, such as the account information panel, can lead to XSS THE INTERNATIONAL INCIDENT The International Incident – Gaining Control of a .int Domain Name With DNS Trickery. The .int or international TLD is perhaps one of the most exclusive extensions available on the Internet. The number of domains on the extension is so small it has it’s own Wikipedia page.. Introduced around 27 years ago its primary purpose has been for international treaty organizations. “I TOO LIKE TO LIVE DANGEROUSLY”, ACCIDENTALLY FINDING RCE “I too like to live dangerously”, Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies May 16, 2018. Reading time ~4 minutes
THE HACKER BLOG
The vd.isVideoLinkAlreadyAdded is a simple check to see if the URL has already been recorded in the vd.tabsData.videoLinks array. The second check is that the videoLink.size is larger than 1024.Recall that this value is taken from the retrieved Content-Length header. In order to pass this check we create a basic Python Tornado server and create a wildcard route and return a large enough HOW I GOT 5,000 GITHUB FOLLOWERS IN LESS THAN 24 HOURSSEE MORE ON
THEHACKERBLOG.COM
TARNISH - CHROME EXTENSION ANALYZER - THE HACKER BLOG The following HTML pages were found to have the web_accessible_resources directive set. This directive allows for the iframing of these pages in external web pages. If any of these pages contain sensitive application UI, the UI could potentially be redressed to perform a clickjacking attack.Note that these results must be validated and are context specific. HACKING XAMPP WEB SERVERS VIA LOCAL FILE INCLUSION (LFI Hacking XAMPP Web Servers Via Local File Inclusion (LFI) So recently I was attempting to hack a friend’s server (with permission!) via a local file inclusion vulnerability and I discovered that nobody had any tutorials on hacking XAMPP servers via LFI.. Basically it’s pretty straightforward if they have FileZilla FTP Server enabled and
working!
DIRTY BROWSER ENUMERATION TRICKS Dirty Browser Enumeration Tricks – Using chrome:// and about: to Detect Firefox & Addons. After playing around with some of the cool Firefox Easter eggs I had an interesting thought about the internal chrome:// resources in the Firefox web browser.. In a previous post I found that I could access local Firefox resources such as style-sheets, images, and other local content in any public web page. EVERY C99 / C99.PHP SHELL IS BACKDOORED (A.K.A. FREE Every C99 / C99.php Shell Is Backdoored (A.K.A. Free Shells for Everyone!) Earlier I made a post calling out the wrong people for backdooring the C99.php shell hosted on r57.gen.tr. They look to possibly be only exploiting an already existing vulnerability in the C99 shell. The truth is
THE .IO ERROR
Video Downloader and Video Downloader Plus Chrome Extension Hijack Exploit - UXSS via CSP Bypass (~15.5 Million Affected) **Note:** This post is going to be a bit different from the previous Chrome extension vulnerability writeups.
CHROME GALVANIZER
-- Please select a policy type to add --Block access to URL(s) for a set of extensions. Allow access to URL(s) for a set of extensions. Select a policy type to add from the menu above to begin. This is a preview of your generated Chrome policy. No policy rules defined yet, add some rules to get A MORE UNIVERSAL ROUTER PAYLOAD A More Universal Router Payload – Backdooring the Linksys WRT54G Firmware February 20, 2014. Reading time ~6 minutes
ANTI-BOT BLOCK
To prove you're not a bot, click on the randomized buttons in order.
1. 2 3 4 3 4
THE HACKER BLOG
The vd.isVideoLinkAlreadyAdded is a simple check to see if the URL has already been recorded in the vd.tabsData.videoLinks array. The second check is that the videoLink.size is larger than 1024.Recall that this value is taken from the retrieved Content-Length header. In order to pass this check we create a basic Python Tornado server and create a wildcard route and return a large enough HOW I GOT 5,000 GITHUB FOLLOWERS IN LESS THAN 24 HOURSSEE MORE ON
THEHACKERBLOG.COM
TARNISH - CHROME EXTENSION ANALYZER - THE HACKER BLOG The following HTML pages were found to have the web_accessible_resources directive set. This directive allows for the iframing of these pages in external web pages. If any of these pages contain sensitive application UI, the UI could potentially be redressed to perform a clickjacking attack.Note that these results must be validated and are context specific. HACKING XAMPP WEB SERVERS VIA LOCAL FILE INCLUSION (LFI Hacking XAMPP Web Servers Via Local File Inclusion (LFI) So recently I was attempting to hack a friend’s server (with permission!) via a local file inclusion vulnerability and I discovered that nobody had any tutorials on hacking XAMPP servers via LFI.. Basically it’s pretty straightforward if they have FileZilla FTP Server enabled and
working!
DIRTY BROWSER ENUMERATION TRICKS Dirty Browser Enumeration Tricks – Using chrome:// and about: to Detect Firefox & Addons. After playing around with some of the cool Firefox Easter eggs I had an interesting thought about the internal chrome:// resources in the Firefox web browser.. In a previous post I found that I could access local Firefox resources such as style-sheets, images, and other local content in any public web page. EVERY C99 / C99.PHP SHELL IS BACKDOORED (A.K.A. FREE Every C99 / C99.php Shell Is Backdoored (A.K.A. Free Shells for Everyone!) Earlier I made a post calling out the wrong people for backdooring the C99.php shell hosted on r57.gen.tr. They look to possibly be only exploiting an already existing vulnerability in the C99 shell. The truth is
THE .IO ERROR
Video Downloader and Video Downloader Plus Chrome Extension Hijack Exploit - UXSS via CSP Bypass (~15.5 Million Affected) **Note:** This post is going to be a bit different from the previous Chrome extension vulnerability writeups.
CHROME GALVANIZER
-- Please select a policy type to add --Block access to URL(s) for a set of extensions. Allow access to URL(s) for a set of extensions. Select a policy type to add from the menu above to begin. This is a preview of your generated Chrome policy. No policy rules defined yet, add some rules to get A MORE UNIVERSAL ROUTER PAYLOAD A More Universal Router Payload – Backdooring the Linksys WRT54G Firmware February 20, 2014. Reading time ~6 minutes
ANTI-BOT BLOCK
To prove you're not a bot, click on the randomized buttons in order.
1. 2 3 4 3 4
TAG ARCHIVE
An archive of posts sorted by tag. 30C3 1; 30C3 writeup 1; 400 points 1; CTF writeup 1; CVE 1; CVE-2018-11101 1; Cryptorbit 1; Cryptorbit decryptor 1; Cryptorbit hack 1; Cryptorbit leak 1; Cryptorbit source code 1; GlobIterator 1; HTML injection 1; PHPpwning 1; RCE 1; Sharif 2013 1; Sharif ctf 1; Sharif web 200 1; Signal 1; SplFileObject 1; URLhrequest hacking 1; WP-DB-Backup 1; WP-DB-Backup DATAURIZATION OF URLS FOR A MORE EFFECTIVE PHISHING Dataurization of URLs for A More Effective Phishing Campaign. Phishing with data: URIs is not a new idea. The concept is relatively simple, taking advantage of many user’s inexperience with how data: URIs function in order to trick them into entering credentials into a
phishing page.
SEARCH - THE HACKER BLOG A Hacker's Blog of Unintended Use and Insomnia. Finds a post by title, tag, category, date and url. VIDEO DOWNLOADER AND VIDEO DOWNLOADER PLUS CHROME The vd.isVideoLinkAlreadyAdded is a simple check to see if the URL has already been recorded in the vd.tabsData.videoLinks array. The second check is that the videoLink.size is larger than 1024.Recall that this value is taken from the retrieved Content-Length header. In order to pass this check we create a basic Python Tornado server and create a wildcard route and return a large enough XSS HUNTER - THE HACKER BLOG XSS Hunter – A Modern Approach to Testing for Cross-site Scripting (XSS) Cross-site Scripting (XSS) origins go (arguably) back to a lab in Microsoft in 1999.
CHROME GALVANIZER
-- Please select a policy type to add --Block access to URL(s) for a set of extensions. Allow access to URL(s) for a set of extensions. Select a policy type to add from the menu above to begin. This is a preview of your generated Chrome policy. No policy rules defined yet, add some rules to get A MORE UNIVERSAL ROUTER PAYLOAD A More Universal Router Payload – Backdooring the Linksys WRT54G Firmware February 20, 2014. Reading time ~6 minutes
BREACHING A CA
Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter. This is a continuation of a series of blog posts which will cover blind cross-site scripting (XSS) and its impact on the internal systems which suffer from it. Previously, we’ve shown that data entered into one part of a website, such as the account information panel, can lead to XSS THE INTERNATIONAL INCIDENT The International Incident – Gaining Control of a .int Domain Name With DNS Trickery. The .int or international TLD is perhaps one of the most exclusive extensions available on the Internet. The number of domains on the extension is so small it has it’s own Wikipedia page.. Introduced around 27 years ago its primary purpose has been for international treaty organizations. “I TOO LIKE TO LIVE DANGEROUSLY”, ACCIDENTALLY FINDING RCE “I too like to live dangerously”, Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies May 16, 2018. Reading time ~4 minutes
Menu
*
HOME
*
TARNISH
*
XSS HUNTER
*
JUDASDNS
*
FLASHHTTPREQUEST
*
__
* The Hacker Blog
*
FLASHHTTPREQUEST
*
JUDASDNS
*
XSS HUNTER
*
TARNISH
*
HOME
*
__
February 22, 2019 Matthew Bryant (mandatory) Reading time ~12 minutes

Video Downloader and Video Downloader Plus Chrome Extension Hijack Exploit - UXSS via CSP Bypass (~15.5 Million Affected)

**Note:** This post is going to be a bit different from the previous Chrome extension vulnerability writeups. I'm going to actually walk through the code along with you to show you how tracing through an extension generally works. For this reason the whole thing is a bit lengthy.
While scanning various Chrome extensions with tarnish I found that the popular Chrome extensions Video Downloader for Chrome version 5.0.0.12 (8.2 million users) and Video Downloader Plus (7.3 million users) suffer from a Cross-site Scripting (XSS) vulnerability in their browser action page. All that is required to exploit these extensions is for a victim to navigate to an attacker-controlled page. The vulnerability is caused by the use of string concatenation to build HTML which is then dynamically appended to the DOM via jQuery. An attacker can craft a specialized link which will cause arbitrary JavaScript execution in the context of the extension. Using this exploit, an attacker can abuse the following permissions which the extension has access to:
"permissions": ,
Using the above permissions an attacker is able to dump all browser cookies, intercept all browser requests and communicate as the authenticated user to all sites. It’s about as powerful of an extension as it gets.
THE VULNERABILITY
The core of this vulnerability is the following piece of code:

```javascript
vd.createDownloadSection = function(videoData) {
    // videoData.fileName and videoData.size originate from the visited page
    // and are concatenated straight into HTML markup with no escaping.
    // (The HTML tags of the original template did not survive extraction;
    // only the string-building logic is preserved here.)
    return '\
        \ ' + videoData.fileName + '\
        \ Download - ' + Math.floor(videoData.size * 100 / 1024 / 1024) / 100 + ' MB\
        \ ';
};
```
This is a fairly textbook example of code vulnerable to Cross-site Scripting (XSS). The extension pulls these video links from our attacker-controlled page, so exploiting it _should_ be straightforward. However, as is often the case with textbook examples, the real world situation is much more complicated. This post will walk through the speed bumps encountered along the way and demonstrate how they were bypassed. We’ll start with where our input is taken in, and follow it all the way to the final function.
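As an added example (not the extension's own code), here is a hardened counterpart to vd.createDownloadSection: the file name is HTML-escaped and the size is validated before either is concatenated into markup. The element and class names are assumptions; in a real extension page, building the row with DOM APIs and textContent instead of HTML strings is the better fix.

```javascript
// Added example, not code from the Video Downloader extension.
// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Same rounding as the original (two decimals of mebibytes), but the size is
// coerced to a finite non-negative number first so a crafted value cannot
// smuggle anything other than digits into the markup.
function formatSizeMb(size) {
  const bytes = Number(size);
  if (!Number.isFinite(bytes) || bytes < 0) return '0';
  return String(Math.floor(bytes * 100 / 1024 / 1024) / 100);
}

// Hardened equivalent of vd.createDownloadSection. Element names are assumed.
function createDownloadSectionSafe(videoData) {
  const name = escapeHtml(videoData.fileName);
  return '<div class="video-row">' +
           '<span class="video-title">' + name + '</span>' +
           '<span class="video-download">Download - ' +
             formatSizeMb(videoData.size) + ' MB</span>' +
         '</div>';
}

// Constructed sample input: a file name containing markup characters.
const sampleVideo = { fileName: 'Tom & "Jerry" <b>.mp4', size: 1572864 };
console.log(createDownloadSectionSafe(sampleVideo));
```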
THE PATH TO VICTORY
The extension makes use of a Content Script to collect possible video URLs from both page links (`<a>` tags), and videos (