Hello participants of Mailing List.
I want to draw your attention to the updates concerning my articles.
In February my article CSRF Attacks on Network Devices
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-February/008265.html)
was released in PenTest Extra 02/2012. I remind you that in this article
I wrote about different CSRF attacks on network devices, including attacks
on login forms described in my 2011 article (such attacks can be conducted
on login forms of web applications, including the control panels of network
devices). And in this article I've described this topic in detail (with
examples of attacks on vulnerabilities in real network devices).
As I've mentioned in my announcement, I put a PDF teaser of the magazine
with part of the article on my site (and the full text was available in the
magazine). For those of you who are interested in this subject, but haven't
read the article because you had no possibility to read this issue of the
magazine, here is a good opportunity to read it. At the beginning of this
month I published the full article "CSRF attacks on network devices" on my
site (http://websecurity.com.ua/articles/csrf_attacks_on_network_devices/).
Concerning my two 2011 articles "Bypassing of captchas and blocking at web
sites" and "Bypassing of blocking by IP at web sites", which I've briefly
translated for the list
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-September/008051.html).
And after the publication there were requests from readers of the list to
make a full translation of them. So, as I've already informed the people who
made the requests, I've translated them into English and combined them into
one article (with much more information), which I called "Advanced methods of
bypassing of blockings at web sites".
This article was published in April in the magazine Pentest Regular 04/2012
(http://pentestmag.com/pentest-regular-0412/). You can download a teaser of
this issue of the magazine with my article
(http://websecurity.com.ua/uploads/articles/PenTest_04_2012_Teasers.pdf).
There is a fragment of the article in it and you can read the full version
of the article in the magazine. I hope it will be interesting for you.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Hello dear participants of the Web Security mailing list, [completely off
topic]
In other news, here is one of my recent articles:
http://www.exploit-db.com/wp-content/themes/exploit/docs/18669.pdf
To make this mail more interesting, the TDC Home Trio Box contains a
built-in backdoor, used for "Tech Support" purposes, which is essentially
just another user that the actual user / customer doesn't know about! The
customer may have a login of, let's say, "iLike", and a password of
"http://www.youtube.com/watch?v=ZZDWW9yHPq4&hd=1", which may seem hard to
bruteforce and even crack directly or indirectly.
But this hidden user is always the same.
User: tdchd
Pass: tdc
The only good thing is that only the TDC Company knows about it, or well,
no.. The good thing is that this exact problem is localized to Denmark
only, but other similar problems do exist in the real world. One of them
is SCADA (e.g., http://cirt.net/passwords?vendor=Siemens%20Corp ), and if
you're hacking at random, Shodan (http://www.shodanhq.com/browse/tag/scada)
is one of the places to go. Now the game suddenly became a lot more
dangerous (
http://www.infosecisland.com/blogview/19587-More-Exposure-to-SCADA-Devices-Through-Shodan.html
), when you combine the power of Shodan and CIRT, but this is just an
example.
So, weak passwords (and users), they're bad. In some devices you know they
exist (such as service or hidden menus on printers:
http://youtu.be/1ZQ8R5y5VnQ ), and in others, you don't. There are secrets
everywhere to be revealed, including vulnerabilities that existed in e.g.,
Apple's products for years:
http://www.ibtimes.com/articles/327143/20120412/flashback-trojan-hack-malware-apple-mac-terminal.htm
All of this, in some sense, is what I call "real hacking". Some of it is
just news, or information, but I can relate to all of this information.
These (except the SCADA stuff) are just some of the things I and probably
you have seen lately, and as previously mentioned, it all relates to
hacking. Using Shodan and Default Passwords is not high-tech hacking; doing
your own (real) research, which can include programming, DIY projects and
disassembly of programs, is all closer to the essence of hacking.
All of this, MustLive, is the world I've been waiting for and hoping you
would enter one day. Because you have the potential, if you're willing to
move deeper into hacking.
Best regards,
MaXe
On Tue, 17 Apr 2012 23:50:05 +0300, "MustLive"
mustlive@websecurity.com.ua wrote:
Hello participants of Mailing List.
I want to draw your attention to the updates concerning my articles.
In February my article CSRF Attacks on Network Devices
was released in PenTest Extra 02/2012. I remind you that in this article
I wrote about different CSRF attacks on network devices, including attacks
on login forms described in my 2011 article (such attacks can be conducted
on login forms of web applications, including the control panels of network
devices). And in this article I've described this topic in detail (with
examples of attacks on vulnerabilities in real network devices).
As I've mentioned in my announcement, I put a PDF teaser of the magazine
with part of the article on my site (and the full text was available in the
magazine). For those of you who are interested in this subject, but haven't
read the article because you had no possibility to read this issue of the
magazine, here is a good opportunity to read it. At the beginning of this
month I published the full article "CSRF attacks on network devices" on my
site
Concerning my two 2011 articles "Bypassing of captchas and blocking at web
sites" and "Bypassing of blocking by IP at web sites", which I've briefly
translated for the list
And after the publication there were requests from readers of the list to
make a full translation of them. So, as I've already informed the people who
made the requests, I've translated them into English and combined them into
one article (with much more information), which I called "Advanced methods of
bypassing of blockings at web sites".
This article was published in April in the magazine Pentest Regular 04/2012
(http://pentestmag.com/pentest-regular-0412/). You can download a teaser of
this issue of the magazine with my article
There is a fragment of the article in it and you can read the full version
of the article in the magazine. I hope it will be interesting for you.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
The Web Security Mailing List