Zero Identity Forums - General - Web Security - Remote Exploit
| #1 Remote Exploit on 01/01/1970 00:00 | |
|
Anyone know how to exploit http://howthemarketworks.com ?
Most of the stuff is transmitted with server-side PHP to client-side HTML output. I don't think there are any client-side exploits... |
|
|
Grindordie
Administrator Software Engineer, ZI Guru. Joined: 11/04/2007 Experience: 1207.57 Points: 1100 |
|
| #2 on 01/01/1970 00:00 | |
|
Even if a person did know how to exploit that site, they wouldn't publicly state it and they would want another exploit in return - so, kind of exchanging 0days.
All the data you see is usually server-side generated, so unless you have access to the server-side scripts the only way to find exploits is by trial and error. Client-side exploits refer to JS injections; mostly these kinds of exploits (XSS) are only available to the user who invoked them. |
|
| #3 on 01/01/1970 00:00 | |
|
Thanks, I guess. I'm pretty sure there are no XSS exploits. :(
|
|
|
3l_f3n1x
Member V Fan, Professional Analyst. Joined: 08/06/2008 Experience: 299.25 Points: 905 |
|
| #4 Yoda Fan on 01/01/1970 00:00 | |
|
Well, after 5 minutes I found one XSS exploit (So don't be that confident about that)... Maybe you didn't search enough... Read more about XSS... I think you're using the regular way, but that page is protected against it. I think if you try some of the challenges here you could eventually find the exploit I found there. Good luck. :)
PS: Don't ever ask again "Anyone know how to exploit -- page here --?". You're lucky that Grind and I didn't react violently to your question. Also never say "I'm pretty sure there are no -- type of exploit -- exploits". Say you didn't find any -- type of exploit -- exploit. I hope you use this advice.
"Beneath this mask there is more than flesh. Beneath this mask there is an idea, Mr. Creedy, and ideas are bulletproof." - V
BTW: My username was elfenix |
|
| #5 on 01/01/1970 00:00 | |
|
Are you sure elf?
That site has thousands of users, and it's never been hacked before. |
|
|
3l_f3n1x
|
| #6 on 01/01/1970 00:00 | |
|
Well, I found an XSS vulnerability... A little window saying "elfenix rules" popped up... So for me that's an XSS... Maybe somebody found the vulnerability and decided not to use it... Like me... I found the vulnerability, but I won't use it... I like to search for vulnerabilities for fun, so I enjoyed those 5 minutes...
|
|
|
SaMTHG
Member The Annihilator, Starting Analyst. Joined: 07/13/2008 Experience: 36.6 Points: 580 |
|
| #7 The Annihilator on 01/01/1970 00:00 | |
|
No XSS ay?
I beg to differ: [URL REMOVED BY GRIND - Please do not post URLs which could be harmful to the site without their consent] 3 minutes max. |
|
| #8 on 01/01/1970 00:00 | |
|
What I meant was a useful one...for example changing the money values or stock values.
|
|
|
3l_f3n1x
|
| #9 on 01/01/1970 00:00 | |
|
Some people say Non-Persistent XSS exploits are useless, because you need some Social Engineering to achieve your goal. Well I think that's not completely true. This is why I think that:
1. People are stupid.
2. Kevin Mitnick, for example, used a lot of Social Engineering to accomplish his goals.
3. When some "useless" XSS exploit is found in Google, they try to fix it immediately, because some cracker could use it to gain access to Gmail accounts and do other nasty things.
4. If Google worries about a Non-Persistent XSS exploit, I would worry too.
5. There are a lot of pages dedicated to this type of exploit. (Like XSSed.com)
6. People usually underestimate the power of this exploit.

Like Sun Tzu in the Art of War said: "All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. Hold out baits to entice the enemy. Feign disorder, and crush him."

I hope this changes your mind about this type of exploit. |
|
| #10 on 01/01/1970 00:00 | |
|
Social Engineering is extremely hard on this website in particular. The only forms of communication are the forums and chat. If you post a suspicious link, any user can report you with one click. The forums are monitored & moderated very well. You must sign up for an account to use both...
If a user finds some sort of loss/change in stocks/money, he/she will undoubtedly track it back to the link. Which will then show that he/she has been hacked, and the admin will change the stocks/money back as well as remove the XSS. :( |
|
|
3l_f3n1x
|
| #11 on 01/01/1970 00:00 | |
|
I won't give you any ideas, but those aren't the only Social Engineering ways you can use... Just think... Or else stop trying to hack that community...
|
|