mircea_popescu: asciilifeform slavegirl tasted, says my sperm count's fine (and delicious). so NYAH!
a111: Logged on 2016-08-01 20:03 phf: mircea_popescu: a lot of xss detection "solutions" rely on grepping for known bad input, like "script" or whatever. and there are ways to sidestep that, like '<scr' + 'ipt>' or a='ipt>';'<scr'+a. in this case whoever is fucking with detection by using this truly wtf feature i've never heard of, <meta charset="a">b</meta> that apparently parses b according to charset a rules
mircea_popescu: hey, i was looking for a pretext to get a test, so bbs.
mircea_popescu: this is EXACTLY how it goes, and perhaps why there has not yet existed such a thing as a fully implemented specification or a fully specified implementation in empire lands.
mircea_popescu: imo a fabulous textbook example of how the imperial vulnerability cycle goes. 1. make a bad spec, a la SGML ; 2. implement some portions of it only, because http://btcbase.org/log/2018-01-25#1776189 ; 3. discover the bad spec is vulnerable, issue "best practices" for people to "sanitize". obviously this will not be made by 1 if 2 wasn't, so... 4) implement slightly more of the spec, throw security in disarray.
mircea_popescu: (because they didn't parse svg tags prior, not because "it doesn't work", he could have made it to work with plain script, so it's a separate issue, but quite germane)
mircea_popescu: there's a pile of browser captures linked in there yest.
mircea_popescu: note the epic lulz of how the "vulnerability" doesn't even work until you get to ff version 30.
mircea_popescu: asciilifeform half of one, yes. needs the pingback to be full.
mircea_popescu: this triad : links, pingbacks, selection reference make up a whole NEW hypertext. just as far from the old as that was from text.
mircea_popescu: i honestly believe it's as big as the concept of link.
mircea_popescu: without the ability to link INSIDE my output $value would decrease sensibly. not a little. a lot.
mircea_popescu: but the "you enabled js, you're dead" position is untenable -- i use js for the selection thing. and i fucking need it
mircea_popescu: if i'm responsible for the above why am i not responsible for sending emmylark nude on a harley to luser's house to tear intel ME out of his chip ?
mircea_popescu: well which the fuck is it, and don't tell me "why mp! perl=bash=php=crap", it's not the point.
a111: Logged on 2018-01-16 17:08 mircea_popescu: (also, let it be pointed out for the benefit of the future noob : the use of xargs with shit from curl is dancing with the wolves. finest way to lose a box.)
mircea_popescu: obviously quoted link's right ; other than the attacks coming from nsa ("enemy" aka idiot with vested interest in idiocy), they ALL come from leaky abstractions. both points above qualify.
mircea_popescu: asciilifeform there's two fundamental items i can readily identify, maybe more. 1. i actually did plop an echo $_GET in there. is this just bad coding ? is it a legitimate assumption ? 2. he has a point, as long as it's on trilema.com, a script has powers OUTSIDE of its implicit scope, "steal cookies" whatever. is this ~actually~ bad systems design ?
a111: Logged on 2015-08-13 19:00 phf: mats: well, i actually meant the opposite. classes of attacks can be eliminated by not using c. i think that majority of the attacks come from leaky abstractions. there's no <string> in c, but there's a null terminated memory region. there's no <sql> in perl, but there's a character array with sql text in it. one of the solutions is to plug abstraction holes on a level of the language, in such a way that you can't not use improved abstractions
mircea_popescu: in fairness, kid's got me meditating about the nature of things ever since last night. see, the trouble is : in his system, he has actually found a vulnerability, as a factual matter. in my system this is entirely meaningless. why the difference ?
trinque appreciates the deedbot fuzzing. pretty damned sure all my inputs are quoted though.
lobbes: Most of the 'dynamic' bits of the www are php+sqlite3. lobbesbot is limnoria (fork of supybot, a common python bot api), also atop sqlite3
a111: Logged on 2018-01-26 07:09 douchebag: Are there any sites any of you guys would like me to check out? I'm a bit bored right now and I am always up for a challenge :-)
lobbes: http://btcbase.org/log/2018-01-26#1776736 << you really should do the homework trinque pointed you to, but if you are done with that and bored again, plox to look at logs.minigame.bz, lobbesblog.com and lobbesbot? I'm a meganoob so you may find something. I've no shame, so disclose whatever you can find here. I'll toss a handful of satoshis your way if you do (and a wot rating)
a111: Logged on 2016-05-01 14:53 mircea_popescu: asciilifeform> mod6: the baked-in presumption of webtardism is almost insulting << it is insulting, not to us though. think about it : the crab has pincers because in its environment THAT WORKS ; and so does "GET /blog/blog-config.php~".
a111: Logged on 2018-01-26 08:59 douchebag: Well, since RSS is in XML format I was testing a popular vulnerability that occurs in XML parsers which use external entities, allowing an attacker to exfiltrate data
mircea_popescu: but i thought they already had a perfect medium of exchange called the unified standard dosidoe!
mircea_popescu: i rated you, so now the bot will allow you to voice yourself. say /query deedbot and then !!up ; it will give you a thing to decrypt, give the result back to it as !!v <string>
emmylark: Wait are you serious? I did that for you sir.
emmylark: I'm talking to you through the Freenode server in my IRC client. It made me register a name and email.
mircea_popescu: say /msg nickserv register your_password your_email_address ; use a good password and an email you actually can read, they'll send you a verification thing. this way someone else can't steal your name.
deedbot: Provide a paste URL to the ascii-armored GPG public key or the full 40 character key fingerprint without spaces or dashes.
mircea_popescu: emmylark it's very nice to get to choose ; i choose to keep the second for my private collection of smutty selfies.
emmylark: How did I do sir? Was it acceptable? I sent a second one just in case the first wasn't enough. I thought it might be nice to get to choose
mircea_popescu: tell me... how does it feel... to be all nude... like a hm... like a rolling stone.
mircea_popescu: emmylark so write 4b57ff75 on your tits ; and get your slit in the shot as well.
douchebag: It's the simple things like that which can do the most damage
douchebag: I could grab the AWS Instances API keys lol
douchebag: IF I were able to find a bot that essentially returned the content of that URL and it was hosted on Amazon AWS
douchebag: Well, since RSS is in XML format I was testing a popular vulnerability that occurs in XML parsers which use external entities, allowing an attacker to exfiltrate data
douchebag: What are the commands that have that sort of functionality?
douchebag: If it's returning page responses in any way, it could be used to access internal network addresses
douchebag: That actually can hold quite the potential of a vulnerability
douchebag: mircea_popescu: So the bots in this channel for instance the one that will add your GPG key from a url you provide
douchebag: I wonder if any of the logs will pop an alert
mircea_popescu: but this browsershots set is a comedy goldmine! apparently a good third of the failful firefox browsers ALSO are getting an "updates" blabla popup
douchebag: Don't feel bad, XSS is one of the most common vulnerabilities that exist on the majority of websites
douchebag: It might be, I'm not sure at the moment if this was added with mp-wp or if it was uploaded to trilema.com's webhost at a later date
douchebag: You'll see arbitrary html was added to the page
mircea_popescu: odd, neither archive bot nor this testbox firefox i have do it.
douchebag: So there is never a session stored on the site?
douchebag: XSS can be used to steal cookies of logged in users which can then be used to jack their session.
douchebag: I was able to execute arbitrary Javascript on your site
douchebag: Is it alright if I link you to a PoC of the vulnerability?
douchebag: How would you like me to disclose this?