Archive for November, 2006

michaeldaw.org’s new look

I made some vital changes to the website last week. I quite liked the cool ajax search engine. However, michaeldaw has grown so quickly that I found that my initial look and feel had become completely obsolete. It has become increasingly difficult to navigate. I have now completely changed the site. I feel the new changes are not only cool but it makes the website much easier to navigate and read.

As always feedback welcome.

Load Balancing

When looking for a web application testing vendor, it is critical that load balancing checks are one of the key areas of focus.

Why is this so vital?
I have seen pairs of load balanced web servers running the same application on completely different web server types. I have also seen load balanced web servers running the same web server type, but configured differently. For obvious reasons, if this is not detected early on in the testing process, critical vulnerabilities could be missed.

Why the load balance rant? Zeus has just launched a virtual load balancer. It has apparently passed VMware’s “stringent Virtual Appliance Certification program”. Oh, okay then.

I smell trouble.

RSS Injection in Sage part 2

Two months ago, pdp and I released a vulnerability, “Cross Context Scripting in Sage”. This issue was resolved in Sage release 1.3.7 (see: http://mozdev.org/bugs/show_bug.cgi?id=15101). I found a new vulnerability which affects the latest version, Sage 1.3.8. In addition to the XSS itself, it should be noted (as with the previous vulnerability) that this issue occurs within the Local Browser Context.

Background:
A number of popular online RSS readers allow images to be embedded within feeds. It has been known for some time now that the number of people subscribed to your feed can be determined by using the image src functionality. This is interesting from an anonymity point of view. I was curious to know just how well these applications would prevent and/or restrict the “img onload” features.

Ironically, Sage seems to handle this quite well. It removes any “onload” attribute within an IMG element. Sage also completely removes offending JavaScript code. However, it fails to remove the script tags when they are inserted inside the IMG element itself. In addition to this, it will actually end the IMG element for us. For example:

<img src="http://michaeldaw.org/images/jss.jpg" <script>alert('blah');</script> ></img>
becomes:
<img src="http://michaeldaw.org/images/jss.jpg" > <script>alert('blah');</script> </img>
Notice the trailing > is removed and added before our JavaScript code.
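As an added illustration (not Sage’s code, nor anything from the original post): a hypothetical strip-and-patch sanitizer that reproduces the failure mode described above, beside an allow-list rewriter that re-serialises IMG tags from parsed parts instead of patching untrusted markup. The tag grammar, the allowed attribute set and the sample strings are my assumptions.

```javascript
// Constructed payload: the post's example, with straight quotes.
const PAYLOAD =
  '<img src="http://michaeldaw.org/images/jss.jpg" <script>alert(\'blah\');</script> ></img>';
// Hypothetical strip-and-patch sanitizer (not Sage's code): tokenise on "<...>",
// drop script elements, strip onload from img, then "repair" an img by ending the
// tag before any stray "<" inside it. The first token swallows "<script>" as if it
// were an attribute, so the script pass never sees it, and the repair step frees it.
function naiveSanitize(html) {
  const out = [];
  let inScript = false;
  for (const t of html.match(/<[^>]*>|[^<]+/g) || []) {
    if (inScript) { if (/^<\/script\s*>/i.test(t)) inScript = false; continue; }
    if (/^<script\b/i.test(t)) { inScript = true; continue; }
    if (/^<img\b/i.test(t)) {
      const attrs = t.slice(4, -1).replace(/\s+onload\s*=\s*(?:"[^"]*"|'[^']*'|\S+)/gi, '');
      const cut = attrs.indexOf('<');
      out.push(cut < 0 ? `<img${attrs}>` : `<img${attrs.slice(0, cut)}>${attrs.slice(cut)}>`);
      continue;
    }
    out.push(t);
  }
  return out.join('');
}

// Hardened form: never patch untrusted markup. Parse img attributes against a
// strict grammar, keep only allow-listed ones, re-serialise from scratch and
// HTML-escape everything else; a bad attribute or non-http(s) src drops the element.
const ATTR = /^\s*([a-zA-Z]+)\s*=\s*(?:"([^"<>]*)"|'([^'<>]*)')/;
const ALLOWED = new Set(['src', 'alt', 'width', 'height']);
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);

function rewriteImg(attrText) {
  const kept = [];
  for (let rest = attrText; rest.trim() !== ''; ) {
    const m = ATTR.exec(rest);
    if (!m) return '';
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3];
    if (name === 'src' && !/^https?:\/\//i.test(value)) return '';
    if (ALLOWED.has(name)) kept.push(` ${name}="${escapeHtml(value)}"`);
    rest = rest.slice(m[0].length);
  }
  return kept.length ? `<img${kept.join('')}>` : '';
}

function strictSanitize(html) {
  // Only an img start tag whose attribute block contains no "<" or ">" counts as a tag.
  return html.replace(/<img\b([^<>]*)>|[^]+?(?=<img\b|$)/gi, (tok, attrs) =>
    attrs !== undefined ? rewriteImg(attrs) : escapeHtml(tok));
}
```

Running both over the payload shows the naive pipeline emitting the script element intact while the strict rewriter escapes the whole malformed fragment; a well-formed IMG with an onload attribute comes back with only src and alt.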

A proof of concept feed can be found here.
This feed will open “/etc/passwd” for Linux users and “…./etc/hosts” for MS Windows users. Please note I have not tested the Windows feed.

Website Updated

Noticeable changes:
- Popular Links feature added to blog-menu
- Search facility moved to the header and now actually works.

I have tested these features on Firefox 1.5, IE7 and Opera. Please let me know if you run into any bugs.

JavaScript Scanner 1.0c Released

Introduction:
This project is based around host detection via JavaScript port scanning. A screenshot of the project can be seen below.

JavaScript Port Scanner v1.0c Screenshot

ChangeLogs
v1.0b:
+ jssWebImage Scanner
v1.0c:
+ Did some housekeeping on comments etc.
+ Added michaeldaw.org stylesheet to jss.html
+ Added result function to optimize code.
+ Added rand() into jssWebPing for IDS evasion.
+ Added port and timeout functionality
+ Added form validation
+ Added protocol function for future playing.
+ Did some more work on jssWebScript. It has turned out to be more difficult than originally thought. I can get it working with a single host but not multiple. Haven’t tested it extensively.
+ Added jssController function for future plans.

Download available here.
