Recently I have mostly been "behind". I've caught up a little on what I wanted to do though over the past couple of days, so I won't feel too bad.
made a new release of the chronicle blog compiler, after receiving more great feedback from MJ Ray.
un-stalled the Planet Debian.
updated the weblogs hosted by Debian Administration, after help and suggestions from Daniel Kahn Gillmor.
stripped, cleaned, and tested a new steam engine. Nearly dying in the process.
discovered a beautiful XSS attack against a popular social networking site, then exploited that en masse to collect hundreds of username/password pairs - all because the site admins said "Prove it" when I reported the hole. Decisions decisions .. what to do with the list...
released a couple of woefully late DSAs.
started learning British Sign Language.
Anyway I've been bad and not writing much recently on the Debian Administration site, partly because I'm just sick of the trolling comments that have been building up, and partly due to a general lack of time. I know I should ignore them, and I guess by mentioning them here I've kinda already lost, but I find it hard to care when random folk are being snippy.
Still I've remembered that some people are just great to hear from. I know if I see mail from XX they will offer an incisive, valid criticism or a fully tested and working patch. Sometimes both at the same time.
In conclusion I need my pending holiday in the worst way; and I must find time to write another letter...
ObQuote: Dungeons & Dragons
Tags: chronicle, debian-administration, done, steam, xss
27 November 2008 21:50
I've had a lot of fun over the past few years detecting and fixing XSS attacks - a few months ago compromising several thousand user accounts belonging to a particular niche social networking site, and then more recently experimenting with XSS issues on a popular software developer's advocate blog.
One thing I've been wondering about recently is meta-XSS attacks.
Consider the LKML (linux kernel mailing list). This list receives lots of long patches, submitted by email, which are copied verbatim to various sites. For example if I mailed an interesting patch to LKML chances are it would get posted to:
(Obviously the challenge here is to make a patch sufficiently interesting that it received more than usual coverage.)
Does each of those sites HTML-encode patches? In general they do; certainly the ones I looked at had code like this:
But I'm certain that not all sites do so. I'm also pretty sure there are interesting avenues to explore here, and the general idea of indirectly attacking a specific target is ripe for exploration.
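An added example of the difference HTML-encoding makes (my own code, not taken from any of the archive sites, and the patch text is constructed): the same patch is rendered verbatim and escaped, and each fragment is parsed to see which elements a browser would actually create from it.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a mailed patch whose added lines carry HTML markup,
# which is exactly what reaches a web archive that copies mail verbatim.
PATCH_TEXT = """From: someone@example.invalid
Subject: [PATCH] docs: clarify escaping rules

--- a/Documentation/notes.txt
+++ b/Documentation/notes.txt
@@ -1,1 +1,3 @@
 Rendering untrusted text: always escape it.
+<script>/* markup smuggled inside a patch */</script>
+See <b>this</b> line too.
"""

def render_verbatim(patch: str) -> str:
    """Weak renderer: drops the patch text straight into the page."""
    return "<pre>" + patch + "</pre>"

def render_escaped(patch: str) -> str:
    """Safe renderer: HTML-encode the text before it reaches the page."""
    return "<pre>" + html.escape(patch, quote=True) + "</pre>"

class _TagCollector(HTMLParser):
    """Record every element a browser would create from a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)

def elements_created(fragment: str) -> list[str]:
    """Element names a parser builds from rendered HTML: only the wrapper
    should appear; anything from the patch body means it is injectable."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags

if __name__ == "__main__":
    print("verbatim:", elements_created(render_verbatim(PATCH_TEXT)))
    print("escaped: ", elements_created(render_escaped(PATCH_TEXT)))
```

The parse step is the check an archive maintainer can run over its own rendered pages: if anything other than the wrapper element shows up, the site is pasting mail into HTML unencoded.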
Anyway I'm probably not the person to go playing in the field these days; I don't have the time. But it is certainly interesting to think about.
ObFilm: Dirty Harry
Tags: random, security, xss