Archive for June, 2007

WordPress Vulnerability Scanner

Just a quick note: A new version of my wp-scanner is available.

Check it out at BlogSecurity.

The command line version is no longer supported but is available here by request.

$ perl -x wp-scanner.pl http://testblog/wordpress/

WordPress Scanner starting: David Kierznowski (http://michaeldaw.org)

Using plugins dir: wp-content/plugins

[*] Initial WordPress Enumeration
[*] Finding WordPress Major Version
[*] Testing WordPress Template for XSS

WordPress Basic Results

        wp-commentsrss2.php =>  Version Leak: WordPress 2.1.3
        wp-links-opml.php =>    Version Leak: WordPress 2.1.3
        wp-major-ver => Version 2.1
        wp-rdf.php =>   Version Leak: WordPress 2.1.3
        wp-rss.php =>   Version Leak: WordPress 2.1.3
        wp-rss2.php =>  Version Leak: WordPress 2.1.3
        wp-server =>    Apache/1.3.34 (Unix) PHP/4.4.4 mod_ssl/2.8.25 OpenSSL/0.9.8a
        wp-style-dir => http://testblog/wordpress/wp-content/themes/time1-theme-10/style.css
        wp-title => Test Blog
        wp-version =>   WordPress 2.1.3
        x-Pingback =>   http://testblog/wordpress/xmlrpc.php

WordPress Plugins Found

        wp-plugins[0]    => Akismet

Ad-Jacking Affiliate Anchor Tags

This article is part of my concept Ad-Jacking: XSSing for Fun and Profit.

Attacks of the future may utilise Web 2.0 and XSS to propagate worms for profit. The most obvious way to do this is via Ad-Jacking, a term I coined for a category of attacks that utilise a combination of XSS, JSON services and click-fraud. As I mentioned before, Ad-Jacking is like click-fraud on steroids.

Today I will discuss a potential Ad-Jacking scenario as well as a proof of concept JavaScript payload.

You will see many affiliate systems using an HTML anchor wrapped around an IMG. For example:

<a href="http://www.the-affiliate/?afl=97781">
<img src="http://www.the-affiliate/images/banner7.gif"
alt="" border="0"></a>

As part of our XSS SuperWorm proof of concept, the attacker has set up his/her own affiliate account and has been given the affiliate number 12345. Our attacker's CPA link would look like this:

http://www.the-affiliate/?afl=12345

Now for our little XSS JavaScript payload, which will change the page's affiliate ID ('97781') to the attacker's ('12345'). This means that if a visiting user follows the link and purchases something, the attacker will receive the credit rather than the original site.

The code is simple: we grab every link from the DOM and check it for our affiliate URL. Once we find it, we simply replace it with the attacker's:

var x = document.getElementsByTagName('a');
for (var i = 0; i < x.length; i++) {
  // Look for the site's affiliate link (slashes, dots and '?' must be escaped in the regex)
  if (x[i].href.match(/http:\/\/www\.the-affiliate\/\?afl/)) {
    // Swap in the attacker's affiliate ID
    x[i].href = 'http://www.the-affiliate/?afl=12345';
  }
}

An attacker is most likely to Ad-Jack your existing Ad network. The reason behind this is that the webmaster has most likely already optimised the website to have the Ad display in the best possible place for increased sales; more importantly, the webmaster is less likely to get suspicious of the attack if an existing Ad network is Ad-Jacked.

XSS can be used for a lot more than a simple alert box and should be treated with the fear it deserves.
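The site-owner's side of the scenario above, as an added example that is not code from the original post: an integrity check that walks the page's anchors and reports any affiliate link whose ID no longer matches the one the site legitimately uses, so a rewritten banner link like the one the payload produces stands out. The affiliate host and the `afl` parameter name are assumptions modelled on the post's sample link.

```javascript
// Added example (not from the original post): flag affiliate anchors whose
// affiliate ID differs from the one the site owner expects.
// Host and parameter name are assumptions modelled on the post's sample link.
const AFFILIATE_HOST = 'www.the-affiliate';   // assumed affiliate-network host
const AFFILIATE_PARAM = 'afl';                // assumed affiliate-ID query parameter

// Parse an href. Returns null when it does not point at the affiliate network,
// otherwise { id } where id is null if the parameter is missing. Parsing the URL
// (rather than a loose regex match) avoids matching the parameter elsewhere in
// the string.
function parseAffiliateLink(href) {
  let url;
  try {
    url = new URL(href);          // in a browser, anchor.href is always absolute
  } catch (e) {
    return null;                  // unparseable: cannot be an affiliate-network link
  }
  if (url.hostname !== AFFILIATE_HOST) return null;
  return { id: url.searchParams.get(AFFILIATE_PARAM) };
}

// Given hrefs and the ID the site legitimately uses, return every href that
// points at the affiliate network but carries a different or missing ID.
function findHijackedAffiliateLinks(hrefs, expectedId) {
  const hijacked = [];
  for (const href of hrefs) {
    const link = parseAffiliateLink(href);
    if (link !== null && link.id !== expectedId) hijacked.push(href);
  }
  return hijacked;
}

// Browser wrapper: audit every <a> in a document-like object. It only needs
// getElementsByTagName, so a constructed stand-in works outside a browser too.
function auditDocumentLinks(doc, expectedId) {
  const anchors = doc.getElementsByTagName('a');
  const hrefs = [];
  for (let i = 0; i < anchors.length; i++) hrefs.push(anchors[i].href);
  return findHijackedAffiliateLinks(hrefs, expectedId);
}

// Constructed sample document: the legitimate banner link, one rewritten to the
// attacker's ID as in the post's payload, and an unrelated link that must be ignored.
const SAMPLE_DOC = {
  getElementsByTagName: function () {
    return [
      { href: 'http://www.the-affiliate/?afl=97781' },
      { href: 'http://www.the-affiliate/?afl=12345' },
      { href: 'http://example.invalid/about' },
    ];
  },
};
```

Running `auditDocumentLinks(SAMPLE_DOC, '97781')` in a page, or on a timer after the DOM has loaded, reports only the link that was switched to the attacker's ID.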

MD Hacker Anthology Starts Today

The June 2007 Hacker Anthology Competition kicks off today!

Submissions are now being accepted. Good luck.
