December 2009 Archives

Stopping the cleanfeed

|
If you, like me is concerned about the governments proposed cleanfeed, then TAKE ACTION.

Visit http://nocleanfeed.com

Vote in smh's poll
http://www.smh.com.au/polls/politics/form.html

Sign this petition
http://act.ly/1jk

Add Conroy to Santa's naughty list
http://www.thegiftofcensorship.com/

Write to a minister and get them to take action
http://www.crikey.com.au/2009/12/16/dont-waste-your-time-waste-theirs-a-guide-to-writing-to-ministers/

Sign this petition too;
http://www.getup.org.au/campaign/SaveTheNet/442

Participate in the online and offline blackout protest
http://www.internetblackout.com.au/

Add a twibbon to your twitter avatar
http://bit.ly/6u7Uxy

Chime in at BorB, get the attention of ACS
http://beastorbuddha.com/2009/12/15/internet-filtering-trial-and-report-flawed/

She might be with the ALP, but she is listening. Leave a comment on kate Lundy's blog;
http://www.katelundy.com.au/2009/12/21/further-thoughts-on-the-filter/

For further calls to action and news, stay tuned at http://www.somebodythinkofthechildren.com/

Check back here for some more tools and filter bypass tutorials in the new year

XSS defacement mirror

| | Comments (4)
Since xssed.org appears to be out of action there seems to be a need for an active xss defacement mirror. Some alternatives exist, such as the original XSS disclosure thread on sla.ckers.org or http://bugtraq.byethost22.com/. However these two sites don't offer the ease of use that xssed.org did with reporting xss.

If xssed.org cannot be brought back to life, this is what I would like to see in a defacement mirror:

  • Ability to submit post and cookie data or even tamper data xml
  • Automatic screen/browser-shot of the hole
  • Some level of community control to minimize the number of holes that needs to be moderated by admins
  • Automatic notification to the domain owner using postmaster, hostmaster, abuse, etc
  • Status indicator (validated, fixed, etc)
  • Automatic submission and validation by script src=http://xss-mirror/subandvalidate.js?username or similar technique
  • Published statistics; users, vulns, fixed, etc
I understand that there might be a business model involved here and things might not turn out quite like I had wished. Hopefully someone will take up the torch and either bring xssed back to life or start a new site to fill the gap left behind.
Westpac is so far the only bank I have tested which didn't filter their search field. Needless to say the smell of an xss casualty brings the zombies around..

westpac-xss-poc.png
The hole has been patched by westpac now. The url was:
http://search.westpac.com.au/search/search.cgi?collection=westpac&query=%3Cscript%3Ealert%28String.fromCharCode%2890,111,109,98,105,101,115,32,97,116,101,32,109,121,32,109,111,110,101,121,33%29%29%3C/script%3E&x=0&y=0

Graudit version 1.5 released

|
The latest version of graudit is out. Notable changes are;
        New features for server wide install
        Source distro file for package maintainers
        Signature bug fixes
        New php, python and perl signatures
        Deprecating the rough signature set
        Fixed graudit usage text
        Improved documentation
        Several color modes supported
You can obtain the latest version from the graudit download page.
No Clean Feed - Stop Internet Censorship in Australia
Creative Commons License
This weblog is licensed under a Creative Commons License.