The 10.000 Sites JS Malware Source Code Leaked

This will be an old news if you are following Ronald’s blog but nevertheless I’ve decided to make it public here as well, because the only way you can fight these menace is by sharing and dissecting. The malware is heavily obfuscated but not as much as it can get. In fact, just by glancing through the code you can see the key points of the execution process.

Don’t get too excited about this source as it is useless. In fact there is nothing interesting about it. [...]

more | comments | comments rss | posted by

XSS Attacks Book Preview

If you haven’t heard from RSnake‘s or JG‘s blogs yet, the long awaited XSS Attacks book will be out very soon and here I have the chance to present you with the way the cover will look like in addition to the TOC and a sample chapter. I hope that you find it useful. We’ve put a lot of effort into making this book possible. It is a quite good technical read so give it a try.

I would like to thank for the opportunity that has been given to me. [...]

more | comments | comments rss | posted by

Persistent CSRF and The Hotlink Hell

When we talk about CSRF we often assume that there is one kind only. After all, what else is in there when CSRF is all about making GET or POST requests on behalf of the victim? The victim needs to visit a page which launches the CSRF exploit. If the victim happens to have an established session with the exploited application, the attacker can perform the desired action like resetting the login credentials, for example. [...]

more | comments | comments rss | posted by

JavaScript Remoting Dangers

I’d like to thank pdp for giving me the opportunity to write a blog post. I’d like to use this post to discuss the various methods JavaScript can use to make HTTP requests. Each method has its own pros and cons that lend themselves to be used in different situations. We will ignore using JavaScript coupled with extra technologies such as Java applets or Flash and focus entirely on native JavaScript objects (or objects provided through ActiveX) and the DOM environment. [...]

more | comments | comments rss | posted by


WormX is a collection of various notorious web worms mostly written on the top of popular client-side technologies and propagating primarily on social networking web sites.

For those of you who do not know what ajax worms are, here is a bit of Internet history:

If you want to submit a worm, we are going to need the following information:

Worm name – It must be enclosed inside <h3>[atom name here]</h3> tags. [...]

more | comments | comments rss | posted by

Atom Database

The purpose of this project is to collect useful attack snippets (atoms) which can be employed when performing WEB Application Security testing. Atom submissions must follow certain format which is:

Atom name – It must be enclosed inside <h3>[atom name here]</h3> tags.
Atom description – It must start on a new paragraph.
Atom code – It must be enclosed inside <pre><code>[atom code here]</code></pre> tags. [...]

more | comments | comments rss | posted by

CSRF-ing Blogger Classic

In Blogger Classic, admin users who originally created a blog can be removed by other admin users. This behavior allows for a complete and non-reversible hijack of a Blogger Classic blog through CSRF/XSRF/session riding/one-click attacks.

The process is a two shots attacks, meaning that the victim admin user needs to click on two different links while being authenticated. Due to the nature of blogging, in which admins go through the comments posted by visitors, this attack is very feasible. [...]

more | comments | comments rss | posted by

Automated XSS Detection

Automation – it is the power to change the boring repetitive task into something that is more fun. Automation is also what I seek when I do security research or penetration testing. If there is a security vulnerability; we write an exploit for it. If there is a known method of exposing thousands of machines to malicious attacks; we write a worm for it or at least a vulnerability assessment engine. [...]

more | comments | comments rss | posted by

JavaScript Authorization Forcer

This is an idea I am still developing. The malicious JavaScript presented here tries to guess URLs that contain credentials. It is sort of Basic Authentication/FTP Authentication bruteforcer.

The source code can be downloaded from here.

The POC works well in IE6, IE7, Firefox and Opera. I wasn’t able to suppress the Basic Authentication dialog when trying to create a real Basic Authentication Bruteforcer. However, I came up with this lazyForce implementation. [...]

more | comments | comments rss | posted by

JavaScript Visited Link Scanner

This is a technique which I learned from Jeremiah Grossman and his presentation on JavaScript malware. Please, keep all the credits for this finding to Jeremiah.

The POC presented here is my improved version of the POC presented in BlackHat. I made it work in IE6, IE7, Firefox and Opera. My main challenge was IE6. IE6 is very nasty when dealing with dynamically generated style sheets. However, these can be easy solved by reusing the current style sheet. [...]

more | comments | comments rss | posted by