Results tagged “solution” from Just Another Hacker

Unless you're living under a rock, you should have heard of the Common Weakness Enumeration (CWE)/SANS top 25 list. The second annual list was released some time ago and is always worth a read. The guys over at the Application Security Street Fighter blog are honouring this year's list with a run down of the vulnerabilities and applicable solutions. As usual it's a no-nonsense approach to describing the problem and solutions without going too far in depth. I would recommend this blog to any developer, so go have a read...right now :) #1 is cross site scripting (XSS),

http://blogs.sans.org/appsecstreetfighter/

XSS in whois

As with many other text-only protocols, XSS is often overlooked in whois. The rationale behind this is simple: browsers aren't meant to query whois information. I have suspected that it's been possible for some time, but it wasn't until I did a whois on a domain registered through privacy--protect.com that I saw it in the wild for the first time.

$ whois anireactor.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: ANIREACTOR.COM
   Registrar: HEBEI INTERNATIONAL TRADING ( SHANGHAI) CO., LTD
   Whois Server: whois.hebeidomains.com
   Referral URL: http://www.hebeidomains.com
   Name Server: NS1.ISAACHOST.COM
   Name Server: NS2.ISAACHOST.COM
   Status: clientTransferProhibited
   Updated Date: 09-jan-2010
   Creation Date: 09-jan-2010
   Expiration Date: 09-jan-2011

>>> Last update of whois database: Thu, 28 Jan 2010 05:59:01 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domainname: ANIREACTOR.COM

Registrant:
   ANIREACTOR.COM
   Privacy--Protect.org
   P.O. Box 98
   Note - All Postal Mails Rejected, visit Privacy--Protect.org
   5066 Moergestel
   The Netherlands
   Tel.: +55.1137117371
   Email: ANIREACTOR.COM (at) privacy--protect.org

Administrative:
   ANIREACTOR.COM
   Privacy--Protect.org
   P.O. Box 98
   Note - All Postal Mails Rejected, visit Privacy--Protect.org
   5066 Moergestel
   The Netherlands
   Tel.: +55.1137117371
   Email: ANIREACTOR.COM (at) privacy--protect.org

Technical:
   ANIREACTOR.COM
   Privacy--Protect.org
   P.O. Box 98
   Note - All Postal Mails Rejected, visit Privacy--Protect.org
   5066 Moergestel
   The Netherlands
   Tel.: +55.1137117371
   Email: ANIREACTOR.COM (at) privacy--protect.org


Legal note:
PRIVACY--PROTECT.ORG is providing privacy protection services to
this domain name to protect the owner from spam and phishing attacks.
Privacy--Protect.org is not responsible for any of the activities
associated with this domain name. If you wish to report any abuse
concerning the usage of this domain name, you may do so at
http://privacy--protect.org/. We have a stringent abuse policy and
any complaint will be actioned within a short period of time.
<script>open('http://privacy--protect.org/');</script>

The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about
or related to a domain name registration record. We make this information
available "as is", and do not guarantee its accuracy. By submitting a
whois query, you agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to:
(1) enable high volume, automated, electronic processes that stress
or load this whois database system providing you this information; or
(2) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic mail,
or by telephone.

The compilation, repackaging, dissemination or other use of this data is
expressly prohibited without prior written consent from us. The Registrar
of record is HebeiDomains.com. We reserve the right to modify these terms
at any time. By submitting this query, you agree to abide by these terms.


Request number 1 from 5 daily allowed from your IP address.
Email to trick bots (does not work)  ANIREACTOR.COM@hotmail.com



Notice the <script>open('http://privacy--protect.org/');</script> line? It causes a popup window to open if you query this through most web based whois clients. In all the previously posted material regarding XSS in whois there has been a call for the registrar to filter special characters in the registrant details. That is wrong! Whois is a text based protocol and in accordance with RFC 954 there is no need to filter input or encode output. The <script> line in the example above is provided by the whois server itself (in its legal note), after the registrant details. Furthermore, the following is a valid whois query, but will lead to XSS in web based whois clients:


$ whois "<script>alert('xss');</script>.com"

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "<SCRIPT>ALERT('XSS');</SCRIPT>.COM".
>>> Last update of whois database: Sat, 30 Jan 2010 10:21:07 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and


Therefore, the only sane solution is to do the filtering on the web client side!
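As an added example (my own code, not the blog's and not any real web whois client), here is what "filtering on the web client side" looks like in Python: a minimal RFC 954 fetch plus the vulnerable and hardened renderers, exercised against a constructed reply that models the record above. The function names, the sample reply and the idea of passing a server name are assumptions of this example.

```python
import html
import socket

# Constructed sample of a whois reply, modelled on the record shown above:
# the server's own legal note carries a <script> line, and the registry
# echoes the query (uppercased) back in the "No match" line.
SAMPLE_REPLY = (
    "Domainname: EXAMPLE.COM\n\n"
    "Legal note:\n"
    "PRIVACY--PROTECT.ORG is providing privacy protection services.\n"
    "<script>open('http://privacy--protect.org/');</script>\n\n"
    "No match for \"<SCRIPT>ALERT('XSS');</SCRIPT>.COM\".\n"
)

def whois_query(query, server, port=43, timeout=10):
    """Raw RFC 954 exchange: send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("utf-8") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def render_unsafe(query, reply):
    """Vulnerable web client: drops the query echo and the raw reply straight into HTML."""
    return "<h1>whois %s</h1>\n<pre>%s</pre>" % (query, reply)

def render_safe(query, reply):
    """Hardened web client: treat everything from the user and the server as text.
    Escaping at output time covers the registrant data, the server's own
    boilerplate and the echoed query alike, which is why the fix belongs here
    and not at the registrar."""
    return "<h1>whois %s</h1>\n<pre>%s</pre>" % (
        html.escape(query, quote=True),
        html.escape(reply, quote=True),
    )

def has_live_script_tag(rendered):
    """Detection helper: True if a <script> tag survived into the rendered page."""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    print(render_safe("<script>alert('xss');</script>.com", SAMPLE_REPLY))
```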

The reason behind the change is a simple one. They do not (currently) fudge NXDOMAIN records like openDNS does. This has a tendency to break RBL queries; openDNS "solves" this problem by making exceptions for known RBLs. As you can see from this OLD discussion on the openDNS forums, this has been their policy for a long time.

The default RBL services used by the movable type spamlookup plugin are bsb.spamlookup.net and sc.surbl.org. I also use additional lookups like stopforumspam, spamhaus and others. As a result I was constantly experiencing false positives for comments and trackbacks. Changing to google solved all these problems. If you are using niche RBLs and openDNS I would recommend that you test these.

[OpenDNS]
$ host nopes.grrrr.bsb.spamlookup.net 208.67.222.222
nopes.grrrr.bsb.spamlookup.net	A	208.69.32.132
 !!! nopes.grrrr.bsb.spamlookup.net A record has zero ttl
$ host nopes.grrrr.bsb.empty.us 208.67.222.222
nopes.grrrr.bsb.empty.us	A	208.69.32.132
 !!! nopes.grrrr.bsb.empty.us A record has zero ttl
FAIL!

[Google]
$ host nopes.grrrr.bsb.spamlookup.net 8.8.8.8
nopes.grrrr.bsb.spamlookup.net does not exist at google-public-dns-a.google.com, try again
$ host nopes.grrrr.bsb.empty.us 8.8.8.8
nopes.grrrr.bsb.empty.us does not exist at google-public-dns-a.google.com, try again
WINNAR!

I have taken the liberty of reporting these two to openDNS as they are common for MT users, however there are several other RBLs that I use which aren't covered by openDNS. By changing to google public DNS I don't have to put up with false positives. It also saves me the hassle of having to verify and "fix" RBLs every time I make changes.
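As an added example (my own code, not from the post and not the Movable Type spamlookup plugin), here is the resolver sanity check behind the two host commands above, in Python: before trusting an RBL answer, probe a nonsense label under the zone and refuse any resolver that answers it, and accept only 127.0.0.0/8 replies as listings. The fake resolvers, the zone rbl.example.net and the function names are constructed for this example.

```python
import ipaddress
import socket

LISTING_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # RBL listings answer from here by convention

def reverse_octets(ip):
    """RBL query label for an IPv4 address: 1.2.3.4 -> 4.3.2.1."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))

def system_resolve(name):
    """System resolver lookup; returns the A record as a string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def resolver_forges_nxdomain(zone, resolve=system_resolve, probe="nopes.grrrr"):
    """The check the host commands above perform: a nonsense label under the RBL
    zone must return NXDOMAIN. A resolver that answers it is rewriting NXDOMAIN
    and would make every lookup against this zone look like a listing."""
    return resolve("%s.%s" % (probe, zone)) is not None

def rbl_lookup(ip, zone, resolve=system_resolve):
    """Return (listed, reason): True/False for a trustworthy answer, None when the
    resolver cannot be trusted or the answer lies outside the listing range."""
    if resolver_forges_nxdomain(zone, resolve):
        return None, "resolver forges NXDOMAIN under %s; result unusable" % zone
    answer = resolve("%s.%s" % (reverse_octets(ip), zone))
    if answer is None:
        return False, "not listed"
    if ipaddress.IPv4Address(answer) in LISTING_RANGE:
        return True, "listed, return code %s" % answer
    return None, "unexpected answer %s outside 127.0.0.0/8; ignored" % answer

# Constructed fake resolvers modelling the two behaviours seen above.
def fake_opendns(name):
    """Answers every name with 208.69.32.132, as the 208.67.222.222 output shows."""
    return "208.69.32.132"

def fake_google(name):
    """Returns NXDOMAIN for unknown names; one constructed listing for 1.2.3.4."""
    return "127.0.0.2" if name.startswith("4.3.2.1.") else None
```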

If you want to make the change you can find the details at: http://code.google.com/speed/public-dns/


I picked this one up via twitter. It informs me that I solved #14, not #08. Which I don't doubt is correct. I solved it at like 3am after having had a pretty full-on day starting at 6am or so. Anyway, it's a great write-up and contains much of the actual challenges as well as the attempted solutions. I made a local mirror at codegate2009.pdf. I still think my description of problem #08 (#14, whatever) is more in depth, but it was a pretty simple challenge.

As usual I'm a little behind on the blogging. The results from the first round of codegate are up; you can see them at http://hacking.beist.org/. One of the CLGT members posted a post-event summary from his perspective at http://vnsecurity.net/Members/lamer/archive/2009/03/11/codegate2009/

I noticed that I got blog hits from people looking for clues or solutions through google et al. I didn't get a team and had several other commitments, so I thought I would post the only challenge I got around to solving...#8. Solution after the break.
This weblog is licensed under a Creative Commons License.