Archive for May, 2007

XSS for Fun and Profit

Ad-Jacking part 1


Ad-Jacking is a term I coined for this article to categorise covert ad-hacking schemes. Why Ad-Jacking? Well, because that's effectively what we are doing.

Understanding this paper requires a little understanding of what types of Ads make us money. So first let us go over the current Ad system; the following table attempts to categorise it:

Type        Stands for          How it pays
CPC         cost-per-click      Money per click
CPM         cost-per-thousand   Money per thousand impressions
CPA         cost-per-action     Money per action (i.e. a sale, survey etc.)
Affiliates  Affiliate programs  Custom; can involve any of the above and more.

We really want to focus on CPC and CPM (and sometimes affiliates). Why? Because it's guaranteed $$$ per hit, and the attacker can guarantee hits, at least when using XSS, which part 2 of this article will discuss.

Now some of you may already know where I am going with this; for those of you who haven't guessed, we will be discussing weaknesses in the current Ad schemes and how they can be exploited. The ideas discussed here are by no means new, but I haven't seen any article on the Internet that really brings these weak points home.

The topics covered include but are not limited to:

  • Popups
  • Redirects
  • IFrames
  • Images
  • XSSing for Fun and Profit

Popups

It makes sense that this paper should start with the most common and annoying type of ad-jacking, popups! Why do webmasters do it, hated as it makes them? Now that we understand CPC and CPM the reason becomes obvious.

The proof-of-concept code below spawns a new window (popup) with dimensions we set. This is becoming more difficult to do as a number of web browsers support popup countermeasures, but this used to be the preferred method.

window.open('http://myadspaymentsite/url=sponsorlink&ref=12345',
'window name','attribute1,attribute2')

IFrames

An IFrame is essentially a separate web page loaded into a frame inside your current page. This is really powerful for displaying content from other domains; unfortunately it can also be used nicely as an ad-jacking tool.

The following code loads an invisible iframe pointing at our sponsored page. The nice thing here is that our evil attacker is now making money from your visit without the user knowing. Nice for the user, but it completely defeats the point of having Ads.

<IFRAME NAME="iframe" SRC="http://myadspaymentsite/url=sponsorlink&ref=12345"
SCROLLING="AUTO" WIDTH="0" HEIGHT="0" FRAMEBORDER="0"
ALLOWTRANSPARENCY="yes">Your Browser Does not Support IFrames. Please
View the Site in a Different Browser to View this frame.
</IFRAME>

Redirects

We will cover this a lot more in part 2 of this article. With the possibilities of web 2.0 superworms there is a lot of potential for badness here.

The following example simply redirects the user to an ad page upon rendering a page:

javascript:document.location = 'http://myadspaymentsite/url=sponsorlink&ref=12345';

Hidden Images

This has got to be one of the most effective methods mentioned thus far. Image requests are allowed cross-domain, and in most cases the result is invisible by default: a web page is retrieved rather than an image, so nothing is ever displayed, even though the request (and therefore the hit) still happens. The syntax is also dead simple:

<img src="http://myadspaymentsite/url=sponsorlink&ref=12345" alt="" />
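As an added example (not part of the original article), the following Python script scans a page for the four ad-jacking patterns covered above (popup, forced redirect, hidden iframe and hidden image) so that a webmaster or ad-network reviewer can flag them in page source; the ad host list and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample page carrying each ad-jacking pattern described above, plus a
# legitimate image and a legitimate (visible, non-ad) iframe that must not be flagged.
SAMPLE_HTML = """<html><body>
<script>window.open('http://myadspaymentsite/url=sponsorlink&ref=12345','w','width=1,height=1');</script>
<script>document.location = 'http://myadspaymentsite/url=sponsorlink&ref=12345';</script>
<iframe src="http://myadspaymentsite/url=sponsorlink&ref=12345" width="0" height="0"></iframe>
<img src="http://myadspaymentsite/url=sponsorlink&ref=12345" alt="" />
<img src="/images/logo.png" alt="logo" /><iframe src="http://video.example/embed/1" width="640" height="360"></iframe>
</body></html>"""

AD_HOSTS = ("myadspaymentsite",)  # assumed: hosts of the ad/click endpoints that pay out
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".svg", ".webp")
JS_PATTERN = re.compile(r"(window\.open|document\.location)\s*[(=]\s*['\"]([^'\"]+)")

def is_ad_url(url):
    return any(host in url for host in AD_HOSTS)

def is_hidden(attrs):
    # A 0 or 1 pixel frame is invisible to the visitor but still fetches its src.
    return any(re.fullmatch(r"[01](px)?", attrs.get(k, "x").strip()) for k in ("width", "height"))

class AdJackScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "script":
            self.in_script = True
        elif tag == "iframe" and is_ad_url(src) and is_hidden(a):
            self.findings.append(("hidden-iframe", src))
        elif tag == "img" and is_ad_url(src) and not src.lower().endswith(IMAGE_EXT):
            self.findings.append(("hidden-image", src))  # ad URL served where an image should be

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        # Inline script that opens or navigates to an ad URL: a popup or a forced redirect.
        if self.in_script:
            for call, url in JS_PATTERN.findall(data):
                if is_ad_url(url):
                    self.findings.append(("popup" if call == "window.open" else "redirect", url))

def scan(html):
    # Returns (kind, url) for every ad-jacking pattern found in the page source.
    p = AdJackScanner()
    p.feed(html)
    return p.findings
```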

XSS for Fun and Profit

I'll see how this paper gets on, and decide whether to release part 2 of XSSing for Fun and Profit, which actually involves XSS :)

Summary

This paper looked at ways to embed malicious code into pages to trick and scam Ad applications. You can be sure Google and many others know all about these scams (at least we hope they do) and most likely have fully-featured analytics to detect anomalies; however, I am curious just how effective they are at detecting this when we use the two R's, RANDOM and REALISTIC.

It is also because of these weaknesses that CPC and CPM type Ads will be replaced in the future; Google and many others are moving more towards CPA, as sales and surveys are more difficult to scam.

Web Backdoors Getting Better

pentestmonkey sent me a link to his latest projects, “php-reverse-shell” and “perl-reverse-shell”. He has some great ideas here and I will definitely be taking a look at these projects, and hope to add them to the Web Backdoor Compilation in an upcoming release.

There is still a lot of work that needs to be done in this area, especially with regards to a standard feature set. I definitely think we are moving in the right direction.

Nice work pentestmonkey.

June 2007 Hacker Anthology Competition

$450 in prizes

Competition Summary

Title: June 2007 Hacker Anthology Competition
Opens: 1 June 2007
Closing date: 1 September 2007
Results: 10 September 2007
Judges: DK, JJ and x1 TBC
Overview: Anything goes, so long as it is well written, includes Michael Daw and of course HACKING! The story does not have to be technical in nature but well conceived.
Questions: Any queries can be submitted via our Contact form.

Prizes

The winner of the competition will receive a first prize of $300.
Three runner-up contributors will each receive a $50 prize.

The Rules

  • No entry form is needed. Entry is on-line only.
  • The Prize is open to writers of any nationality, but the content must be written in English.
  • There is no restriction on theme or style, except that it must contain a hacking element centered around hacker icon Michael Daw. The character and storyline have no limitations other than the fact that he works as an IT Security Analyst.
  • Stories should be 500-1000 words. Any entries significantly longer than this will be disqualified.
  • Stories must be available for the Michael Daw publications and other works and, therefore, must not have been published previously.
  • michaeldaw.org and its owner(s) have exclusive rights and copyright to all work submitted. This means you give michaeldaw.org and its owner(s) full copyright over the content you submit; allowing us to modify, edit, alter or use for commercial purposes as we see fit.
  • Notification of receipt of entry will be by email.
  • The judges’ verdict is final.
  • No correspondence will be entered into once work has been submitted.
  • Stories cannot be altered or changed after they have been entered.
  • There is no limit to how many writing entries a user submits; however, a charge of $15 is required for every additional entry.

Entry Fees

The cost of entry is fixed in US Dollars ($). Any translation into your local currency will be done automatically by paypal according to the current exchange rate.

Payment is by paypal only. The link to make these payments can be found on our Donations page. Please use "June 07 Hacker Anthology" as the "Payment For" title.

Per Entry $10.00
Per Additional Entry $15.00

Submissions

All submissions must be in TXT, DOC or PDF file format. All other file types will be rejected.

Submissions can be emailed to:
submission@michaeldaw.org
Please note all submissions not received by the closing date will not be considered as part of the competition.

Penalties

Entries that break the rules listed above under “Rules”, or that we reject for any other reason we deem fair, will be immediately disqualified and no refund(s) will be given.

Competition Exceptions

michaeldaw.org and its owner(s) reserve the right to cancel this competition, at no cost to themselves, at any time in the event that fewer than 35 stories are submitted. In the event that this occurs, each contributor will receive a full refund.

BlogSecurity.net gets Launched

After recognising the need, and taking hints from KaiTou’s sarcasm :), I am happy to announce the launch of http://blogsecurity.net.


BlogSecurity is a site dedicated to providing useful and critical security information for the blog community. We understand that it is difficult to keep track of the latest security vulnerabilities and version updates, and we believe you shouldn't have to. BlogSecurity aims to provide you with up-to-date security information for your blog, allowing you to focus on the important stuff, your content.

I am really excited about the blogsecurity project, and feel there is a real need for educating bloggers around security-related issues. Please support the project by adding it to your feed today. Also, I am looking for contributors, so if you're interested please contact me.

FYI, contributors who want to help with the project (we are currently looking for 2-3 people) will be given a topic to write about for an upcoming month. Random articles can also be submitted with notice. Thanks in advance.

WordPress Adsense Deluxe Vulnerability

David Kierznowski of Operation n has discovered some serious flaws in the WordPress Adsense Deluxe plugin as part of the WordPress Angel Project. The vulnerabilities affect all versions.


This vulnerability reminds me of the old hacker movies, where a worm is released that steals random pennies from unsuspecting victims. This vulnerability is the closest I have seen to that scenario.

The vendor has been notified, and more information regarding the vulnerability will be released after 30 days, or once the author feels that WordPress users have had a chance to upgrade.

Unfortunately, the developer has not gotten back to me, and as many blogs use this plugin as a source of income, I have gone ahead and made the necessary changes myself as a temporary solution. Please note this is an unofficial release. Hopefully the vendor will verify the changes and make an official release shortly.

As with any plugin, please make sure you have made a backup before downloading and installing this.

Download adsense-deluxe.zip.

The vendor was notified: 18/05/07
Response received: None as yet
Fix received: Temporary fix released as part of the WordPress Angel Project.
