Injection Detection

February 26th, 2013

The drunken hacker asked me (wr3nch) if I could put a little something together for you all today.  To balance out his vision for a new internet, I’ve got something practical you can chew on.  Make sure to comment if you want more content like this, or TDH might not invite me back.

If you run a website, one of the things you have to be worried about is someone hacking it.  Even if you run some small blog with little value, you are a target.  Though you may not have reams of usernames and passwords to steal, the one thing you probably do have is visitors.  Your visitor’s computer is where all the desirable data is stored.  Things like their passwords, their credit cards, and other personal data.

So what usually ends up happening is that a bot/crawler/scanner comes by and exploits a vulnerability in a website.  It uses that vulnerability to inject code into the website that will redirect users to a malicious site, which in turn will try to exploit their browsers, Adobe Reader, Flash, Java, etc.

This can be done in many ways.  Maybe there is a XSS vulnerability in the comment form that allows the bot to inject HTML directly into the page.  Maybe the exploit allows the bot to upload PHP code that is then rendered to clients.  At the more sophisticated end, maybe the bot adds an Apache module that injects an iframe into every page after all your code has run (eset, unmaskparasites).

If your site gets hacked, your users suffer, and the reputation of your site takes a hit.  Obviously, we want to keep that from happening.  What I will describe is a way to reliably detect if your site contains an unauthorized redirect, iframe, or what have you.


It’s Time To Fix The Internet

February 15th, 2013

As a mechanism for bringing people free and open speech, the internet is broken. I’m probably not saying anything new to you, I’d hazard a guess and say we all know it’s broken and that it has been for some time now. The internet of today suffers from three major flaws, the first of which is authenticity. How can you be sure that the server you reached is the server that you requested? SSL? And how can you be sure that the people verifying the certificates are trustworthy? Second, the internet is very vulnerable to censorship, whether it’s through new legislation (SOPA/PIPA, etc.) or physical means (Syria/Arab Summer). How can we ensure that, when we need it the most, the internet is available uncensored? And finally, the internet is (still) lacking in basic security measures. Transfers are broadcast in clear text, and various government agencies are taking full advantage of that fact regardless of the civil liberties they violate.

So, yeah, there’re some things wrong with the internet. Now let’s talk about how to fix them.


Make Your Own Lock Picks

January 17th, 2013

In this article I’m going to show you how to make your own lock picks using a few simple tools and scrap metal that’s all around you. If you’re asking yourself why you’d need lock picks, the answer is: Because picking locks is a fun and valuable skill to have, depending on what kind of trouble your particular brand of deviance may get you into!

Acquiring Picks

Before we start picking any locks, we’ve got to get the right tools for the job. Picks come in a variety of shapes/sizes, and you can buy them from any number of sources (my favorite being Southord or Amazon), but it’s a lot more rewarding to pick a lock with tools you made yourself. Not only that, but making your own picks is much cheaper than buying, even if you have to pick up a few tools in the process (especially since you’re likely to break a pick or two in the process of learning to pick locks, and being able to replace the pick right away is nice). So, with those things in mind, let’s talk about what it takes to make lock picks.


Of Windshield Wipers And Mailing Lists – Aligning Expectations

January 2nd, 2013

I tend to draw a lot of parallels between things in the world and software development. Building houses is a good one, so is herding cats (if you’ve worked with some of the people I have, you understand). I’ve recently come across a new one, and I implore you: Please don’t write code like General Motors builds cars.

No Comments

Social Engineering for the Antisocial

December 20th, 2012

Ahh, social engineering. It’s something I’ve heard/read a lot about throughout the years, but I never really thought to take it to the next step and give it a shot (it’s got social in it after all, a word that pains us nerds). That all changed a few months ago, when on a whim I decided to start messing with people’s heads. Er, sorry, start trying to social engineer people. Why? Because I suck at human interactions, and I wanted a way to cheat. And learning how to do it well has some pretty cool benefits. So let’s talk about it.


« Older Posts