CSRF-ing Blogger Classic

In Blogger Classic, admin users who originally created a blog can be removed by other admin users. This behavior allows for a complete and non-reversible hijack of a Blogger Classic blog through CSRF/XSRF/session riding/one-click attacks.

The process is a two-shot attack, meaning that the victim admin user needs to click two different links while authenticated. Due to the nature of blogging, in which admins go through the comments posted by visitors, this attack is very feasible. [...]


Massive Enumeration Toolset

Massive Enumeration Toolset (MET) is a collection of Python scripts designed to perform various passive information gathering attacks which can be useful when evaluating the security of public computer networks.

MET is constantly changing. There is a high chance that the latest version does not work in some situations. The problem is that MSN, Google and other search engine vendors change the format of their results pages every so often. [...]
