Latest News

ifixit.com Stored XSS Vulnerability


Well, it has been a long time since I posted anything; I was a bit busy with my university exams. However, I finally managed to get some time to write something. Today I am sharing some of the vulnerabilities I found inside a popular website named "ifixit".

I found two XSS issues: one was a Stored XSS and the second one was a Self-XSS. However, the Self-XSS could have been easily exploited by clickjacking techniques, as the page did not contain X-Frame-Options. Therefore the Self-XSS was also considered.
I have created a short POC of the Stored Cross Site Scripting vulnerability (XSS). I hope you enjoy it:

iFixit Stored Cross Site Scripting [Video POC]:

iFixit Self-XSS POC
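
A site owner can check for the missing frame protection mentioned above directly from the response headers. The following is an added example, not part of the original post or of iFixit's code: the function names are illustrative and the sample header sets in the usage comments are constructed. It reports whether a response may be framed by an arbitrary third-party origin, using X-Frame-Options and the CSP frame-ancestors directive.

```javascript
// Added example: evaluate frame protection from HTTP response headers.
// Function names are illustrative; no network access is needed.

// Source expressions that let any origin frame the page.
const OPEN_SOURCES = new Set(['*', 'http:', 'https:']);

// Header names are case-insensitive; repeated headers are joined with commas.
function normalizeHeaders(headers) {
  const out = Object.create(null);
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    out[key] = key in out ? `${out[key]}, ${value}` : String(value);
  }
  return out;
}

// Return one frame-ancestors source list per enforced policy that has one.
function frameAncestorLists(cspValue) {
  if (!cspValue) return [];
  const lists = [];
  for (const policy of cspValue.split(',')) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        lists.push(tokens.slice(1).map((t) => t.toLowerCase()));
        break; // only the first occurrence in a policy counts
      }
    }
  }
  return lists;
}

// Simplified X-Frame-Options parsing: DENY and SAMEORIGIN are honoured,
// ALLOW-FROM and unknown values are ignored by current browsers.
function xfoMode(xfoValue) {
  if (!xfoValue) return null;
  const values = xfoValue.split(',').map((v) => v.trim().toLowerCase());
  if (values.includes('deny')) return 'deny';
  if (values.includes('sameorigin')) return 'sameorigin';
  return null;
}

// framable === true means an arbitrary third-party page can embed the response.
function assessFraming(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  // Content-Security-Policy-Report-Only is deliberately not read: it enforces nothing.
  const lists = frameAncestorLists(h['content-security-policy']);
  if (lists.length > 0) {
    // An enforced frame-ancestors directive replaces X-Frame-Options.
    // Every policy must allow the embedder, so one strict list is enough.
    const open = lists.every((list) => list.some((src) => OPEN_SOURCES.has(src)));
    return { framable: open, control: 'frame-ancestors' };
  }
  const mode = xfoMode(h['x-frame-options']);
  if (mode) return { framable: false, control: `x-frame-options: ${mode}` };
  return { framable: true, control: 'none' };
}

// Constructed usage:
//   assessFraming({})                                      -> no control at all
//   assessFraming({ 'X-Frame-Options': 'SAMEORIGIN' })     -> protected
//   assessFraming({ 'Content-Security-Policy': "frame-ancestors 'none'" }) -> protected
```
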


For the above vulnerabilities, I was listed inside ifixit.com's responsible disclosure page:


Along with it, they also sent me two T-Shirts, some stickers and a 54 bit driver toolkit:

Stats And The "Don't track ..." Option, Used With Multiple Browsers And Shared Computers

The controversial nature of Stats and the "Don't track ..." option, which requires a third party cookie to enable the option to work, continues.

Even with all possible cookie filters properly set, and a consistent cookie clearing policy established, some blog owners persist in reporting that there are problems with Stats inconsistently observing the setting to not track their pageviews.

Not all blog owners realise that the Stats "Don't track ..." cookie is unique to each different browser - except when cookies are shared between computers.

Some browsers use cookies which are maintained as part of the personal profile, on the local computer - and some people may have cookies which are shared between multiple computers.
  • Computers which are shared by multiple people may have multiple sets of cookies.
  • Computers which are part of a local network may have a single set of cookies, per person, shared across multiple computers.
  • Some blog owners may use multiple Blogger accounts.
Each of these possibilities will create differing cases where the Stats "Don't track ..." cookie, like other cookies, may or may not be present when a given person is surfing to the blog in question - and which will cause Blogger to count (or to not count) pageviews from the browser being used.

Some computers are owned by, and used by, multiple people. The operating system will encourage each different person to maintain her / his own settings and styles, and to identify herself / himself when starting the computer. The settings and styles are maintained in a personal profile - and most browsers maintain the cookies as part of the personal profile. If two people, who share a computer, also share a blog, each person will have to select "Don't track ..." consistently - or face having inconsistent counting of pageviews, when reading the blog.

Some local networks, where various computers are shared and used locally, may use profiles which are maintained in common between the various computers. Changes to the profile (including cookies), made on one computer, may transfer to other computers. Clearing or setting cookies on one computer may affect presence of the same cookies, on another computer - and may again cause inconsistent counting of pageviews, against blogs involved.

Some blog owners may use multiple Blogger accounts. Similar to the issue of blogs shared by different people / used on shared computers, blogs read on computers used by people with multiple Blogger accounts will have the "Don't track ..." cookie present, irregularly. This, too, will cause inconsistent counting of pageviews.

Finally, as noted, clearing of cookies will affect presence of the "Don't track ..." cookie - and will cause unexpected counting of pageviews. This inconsistency will be more common with computers shared by multiple owners, and with computers shared across a local network.

Many blog owners use only one browser, and one computer - and own and use their own computer, exclusively. Any blog owner, noting inconsistent effectiveness of the "Don't track ..." option, however, may do well to at least consider the above issues, occasionally.


Adding The Domain Ownership Verification "CNAME", For A Non Root Virtual Host

Now that the new required custom domain publishing ownership verification feature has been out for several months, we are seeing it used in domains with multiple virtual hosts.

A few blog owners are even publishing their blogs to non root virtual hosts - and here we are seeing a new reason for a persistent Error 12 / 32, which just can't be solved.
I have followed all of the instructions, and I am still seeing Error 12. Help!

The "Advanced settings" Error 12 instructions - now provided on screen instead of requiring the blog owner to open an external "Settings instructions" document - require careful examination.

We have to look very closely at this variation on the publishing instructions, when publishing to a non root virtual host.
Advanced settings

http://www.blog.mydomain.com

We have not been able to verify your authority to this domain. Error 12.
On your domain registrar's website, locate your Domain Name System (DNS) settings and enter the following CNAMEs:

  Name, Label, or Host field    Destination, Target, or Points To field

  www                           ghs.google.com

  xxxxxxxxxxxx               gv-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.domainverify.googlehosted.com.

See our detailed instructions on providing CNAMEs for various registrars or see the full settings instructions for more details.
Taking these instructions at face value, and adding a "CNAME" record of relative Name value "xxxxxxxxxxxx" to verify the publishing address of "www", the blog owner is going to continue to see an "Error 12" or "Error 32" for a long time.

We have to look, very carefully, at the "Advanced settings" publishing address - in this case
www.blog.mydomain.com
In the registrar's Zone Editor (aka "Domain Manager" wizard), we see the Name value entered as an address relative to the domain root.
  • With "www" entered for the Name, this provides a published address of "www.mydomain.com".
  • With "www.blog" entered, this provides a published address of "www.blog.mydomain.com".

The Name value, for both "CNAME"s, as specified in the "Advanced settings" instructions, is relative to the domain root.
  • A Name of "www", to provide a published address of "www.blog.mydomain.com", should be entered as "www.blog" in the Zone Editor.
  • Similarly, a Name of "xxxxxxxxxxxx", to provide a published address of "www.blog.mydomain.com", should be entered as "xxxxxxxxxxxx.blog" in the Zone Editor.

Entering the domain ownership verification "CNAME" relative to the published URL allows non root virtual hosts to be used, in the domain, without chance of conflict.
  • To publish to "blog.mydomain.com", we add a domain ownership verification "CNAME" of "xxxxxxxxxxxx.mydomain.com" (with the proper value of "xxxxxxxxxxxx").
  • To publish to "www.mydomain.com", we add a domain ownership verification "CNAME" of "xxxxxxxxxxxx.mydomain.com" (with the proper value of "xxxxxxxxxxxx").
  • To publish to "www.blog.mydomain.com", we add a domain ownership verification "CNAME" of "xxxxxxxxxxxx.blog.mydomain.com" (with the proper value of "xxxxxxxxxxxx").
We simply have to read the "Advanced settings" instructions, and enter the Name values in the Zone Editor, considering the context of the instructions.
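
The naming rule above can be turned into a small check of what is entered in the Zone Editor. This is an added example, not Blogger's or any registrar's code: the function names are hypothetical, "tok123" stands in for the "xxxxxxxxxxxx" value, and the domain root is supplied by the caller.

```javascript
// Added example: derive the two Zone Editor Name values for a published
// address, and flag the mistake that keeps Error 12 / 32 on screen.

// Name of `host` relative to the domain root, e.g. "www.blog".
function relativeName(host, root) {
  const h = host.trim().toLowerCase().replace(/\.$/, '');
  const r = root.trim().toLowerCase().replace(/\.$/, '');
  if (h === r) return '';
  if (!h.endsWith('.' + r)) {
    throw new Error(`${host} is not inside ${root}`);
  }
  return h.slice(0, -(r.length + 1));
}

// The verification CNAME sits beside the published host: the token replaces
// the leftmost label of the published address.
function expectedRecords(publishedHost, domainRoot, token) {
  const rel = relativeName(publishedHost, domainRoot);
  if (rel === '') {
    throw new Error('published address must be a host below the domain root');
  }
  const parentLabels = rel.split('.').slice(1);
  return {
    publish: rel,
    verify: [token.toLowerCase(), ...parentLabels].join('.'),
  };
}

// Compare the Name values present in the zone with what is expected.
function diagnose(zoneNames, publishedHost, domainRoot, token) {
  const want = expectedRecords(publishedHost, domainRoot, token);
  const have = new Set(zoneNames.map((n) => n.trim().toLowerCase()));
  const problems = [];
  if (!have.has(want.publish)) {
    problems.push(`missing publishing CNAME "${want.publish}"`);
  }
  if (!have.has(want.verify)) {
    const misplaced = [...have].find((n) => n.split('.')[0] === token.toLowerCase());
    problems.push(
      misplaced !== undefined
        ? `verification CNAME entered as "${misplaced}", expected "${want.verify}"`
        : `missing verification CNAME "${want.verify}"`
    );
  }
  return problems;
}

// Constructed case from the text: instructions taken at face value.
//   diagnose(['www', 'tok123'], 'www.blog.mydomain.com', 'mydomain.com', 'tok123')
// reports both Names as wrong; ['www.blog', 'tok123.blog'] reports nothing.
```
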


Would Be Blog Owners Report Inability To Create A Blog

We are currently seeing frustration, in Blogger Help Forum: Something Is Broken, about new blog creation.

Would be new blog owners have various concerns:
I can't create a blog - the "Create" button is grey (inoperative)!
or
It keeps saying
Verifying availability
when I enter a blog name!!
or even
It said
This blog address is available.
until I hit "Create blog!" - then it changed to
Sorry, this blog address is not available.

Each of these problem reports - and others - may come from people who don't read the instructions, for using the wizard. Alternately, some folks may be complaining about yet one more case of over done layered security.

The most obvious problems, in the blog creation process, come from people who don't understand how to use the "Create a blog" wizard.

Not every would be blog owner understands that 3 things must be done, to make the "Create blog!" button operative - and all 4 must be done, before the blog is actually created.
  1. Enter a Title for the blog.
  2. Enter an acceptable and available Name for the blog.
  3. Select a Template for the blog.
  4. Hit "Create blog!", with "This blog address is available." displayed.

When you choose a Name (aka "address" or "URL"), enter your choice properly.
  • Only enter the "xxxxxxx" part of "xxxxxxx.blogspot.com".
  • Only use lower case alphabetic characters ("a" - "z"), numeric characters ("0" - "9"), and dashes ("-").
  • Do not use a trailing dash (You cannot publish "xxxxxxx- . blogspot . com").

Besides the syntax issues when entering a blog name (URL), there is the unfortunate issue of competition in the creation process. Blog owners who are anxiously creating a new blog, based upon a current event - maybe a popular movie star, or an important political campaign - will be dismayed to see
Sorry, this blog address is not available.

If you are competing in real time, with other would be blog owners, for the name of your choice - and you take too long between Steps #1 - #3, and Step #4 - you may still see
Sorry, this blog address is not available.

Many people want to set up a blog, based on that blog name. Some may see the bad news, repeatedly, leading to one frequently seen complaint.
All the good addresses are taken!
And sometimes, to a more imaginative suggestion.
How do I get Blogger to re issue me the dormant address?
The latter question is one of futility.

Finally, the anxious blog owner may see
Checking address availability
for some time - possibly forever - if an overly ambitious cookie / script filter, or an intrusive security add-on is installed in the browser. In this case, the magical advice to
Clear cache and cookies!
or
Try a different browser!!
will be effective - though absent any attempt to diagnose the problem, one may not ever know what actual underlying problem may have caused the plaintive cry
I can't create my blog!

Remove The "Next Blog" Link From The Navbar

Ever since Blogger added the "Next Blog" link to the Blogger Navbar, blog owners and readers alike have periodically asked one question, in Blogger Help Forum: How Do I?.
How do I remove the "Next Blog" link, from the Navbar?
The "Next Blog" link, long ago added to generate random traffic for new blogs, is occasionally perceived as leading unwary readers to blogs where they should not wish to go. Some "adults" of various intention have asked this question, quite seriously, in fear of their blogs being inadvertently linked to blogs with unsavoury content.

With the navbar coded as it is, there is no known ability to customise it, and to remove specific elements such as the "Next Blog" link. Generally, we simply advise people, when they have the need, to remove the Navbar.
Use the Layout wizard, Edit the "Navbar" gadget, and select "Off".

That noted, it is possible to remove the "Next Blog" link (and all buttons and links to its left), with a bit of CSS - for blogs with the owner able and comfortable with using the Template Designer. For a simple way to remove the "Next Blog" link, use the "Add CSS" menu option in the Template Designer, and add one snippet of code.
#navbar-iframe {
margin-left:-510px;
}

When you do this, you will lose 5 other buttons and links.
  • The dashboard icon.
  • The Blog Search window.
  • The "G+ Share" icon.
  • The share count display.
  • The multi-function share / "Report Abuse" menu.
So hackers / spammers will appreciate the last menu being unavailable, on their blogs.

You may see this tweak demonstrated, in my New Template Laboratory. It's an ugly solution - but for blog owners who truly don't want their blogs linking to "Next Blog", it may be useful.


Blog Readers Report Comments, Supposedly Published Using A Mobile Computer, Appear To Disappear

Recently, we've been seeing a few problem reports in Blogger Help Forum: Something Is Broken, mentioning problems publishing comments on Blogger blogs, when using mobile computers.
My readers tell me that they can't comment on my blog, using an iPad. Comments disappear, when they try to publish them.
As with a previously explored problem with comments on a non mobile computer, this problem may involve unfamiliarity with the publishing sequence.

The dialogue involved in publishing a comment, when using a desktop computer with a full size display and a non mobile Blogger template, is not simple. Depending upon the various commenting options selected by the owner, the publishing sequence may be even more complex. Blog owners may need to consider the additional details involved in comment publishing, when using a mobile computer.

Using Blogger on a mobile computer involves various compromises - and the comment publishing process on a mobile computer even more compromises.
  • The small display size, on a mobile computer, makes finding the various controls involved a challenge. Both the small size of everything involved, and the necessity of repeatedly scrolling around the screen, looking for the controls used in comment publishing, is frustrating.
  • The "mobile template" is an attempt to make up for the small display size. The mobile template puts the various controls on a series of displays, with various buttons and links used to move from display to display.

People unaccustomed to the sequence of steps involved in the comment publishing process may not see all of the controls required, when using a mobile computer. Neither the wide non mobile template, nor the deep mobile template, displays the comment publishing sequence easily. People who are not very experienced with the comment publishing process, in general, might become confused with the displays.

As an example, let's look at the basic comment entry dialogue. So simple - when you are used to it, and can see all of the components.
  • On a desktop / full function display, you'll see an entry box, and a "Publish" button beneath the box. You use the keyboard and / or mouse to enter text into the box, then click on the "Publish" button.
  • When the required display space is larger than the physical screen space, you'll have a horizontal and / or vertical scroll bar, indicating that scrolling is required, to locate other display content. You'll use the mouse to manipulate the scroll bars, and make other portions of the display visible.
  • A mobile display will have an entry box, and an on screen keyboard. The onscreen keyboard will occupy a fixed amount of display space, with the entry box occupying the available remainder.
  • The mobile display won't have scroll bars - if other portions of the display are not immediately visible, you'll use your finger to scroll around the screen. If you are not familiar with screen layout, you'll have to scroll around, aimlessly.
  • The "Publish" button will be somewhere near the entry box - but depending upon screen size and orientation, may not be immediately visible. You may have to scroll around the screen to find the "Publish" button.
  • People not used to using a mobile computer may be unable to find the "Publish" button. Finding other display content that may appear to replace the "Publish" button, they may be confused when their comments are not published, and report that their comments disappeared.

Both the authentication sequence (when authentication is required), and the CAPTCHA entry sequence (when a CAPTCHA is involved), when involved in mobile computing commenting, will make the comment publishing process even more complicated. The authentication sequence may be more complex, if the browser in use has a problem with Blogger authentication - and "third party" cookies.

Since most blogs are designed primarily for non mobile computer use, commenting using mobile computers may not be obvious, for a while. Many readers may simply not publish comments, to the same activity level, when using their mobile computers.


Some Blog Owners Reporting The Template Designer Changes Do Not Update On Their Blogs

For several weeks, we've been seeing various reports in Blogger Help Forum: Something Is Broken, mentioning problems with template updates, being made using the Template Designer wizard.

The reports are not so widespread to indicate a complete malfunction - but neither can we dismiss the problem, as being unique to one browser, one template type, or one particular update pattern.

It's likely that we are looking at a number of problems, aggregated and compounded, into one common symptom.
I cannot Save changes in Template Designer.
With a problem report like this, some examining of the details may be appropriate.

The Template Designer wizard, which is a component in the Blogger Dashboard, is a complex and sophisticated collection of menus and utilities, which runs on the blog owner's computer.

Like most Blogger code, the Template Designer is subject to the effects of other programs, and various security settings - which may be installed or set on each individual computer, with or without the understanding of the blog owner and / or computer owner. In some cases, the blog owner and computer owner may be different people.

If you are seeing a problem with the Template Designer, when trying to update the layout on your blog, there are several tests which you can make, which may help to isolate the problem.
  • Try making the same updates, using another computer.
  • Try making the same updates, using another browser on your current computer.
  • Try setting up a new blog, with the same template, and make the same updates to the new blog.
If you're able to make one or more of the above alternate updates, that will help to eliminate some, or many, alternate suspects, as the cause of your problem. If other people are reporting this problem, their results from the above tests may or may not correspond with yours - because their base problem may differ from yours.

Right now, we're seeing seven different causes of these problems.
  1. Changes made by Blogger Engineering, to support new browser versions and browser updates, and to provide new template features.
  2. Changes inherent in new browser versions, made by the browser vendors.
  3. Third party browser add-ons, installed by the owners of the various computers.
  4. Security settings, inherent in new browser versions and third party add-ons.
  5. The cumulative effects of various template tweaks, both made using "Edit HTML" and the Template Designer itself.
  6. Unrealistic expectations of blog owners, about effects of Template Designer settings, against all templates provided by Blogger.
  7. Unrealistic expectations of blog owners, about effects of Template Designer settings, against templates not provided by Blogger.
Of these possible causes, only #1 (and possibly #2 and #6) are the sole responsibility of Blogger Engineering. The blog owners (and computer owners) must assume some partial responsibility for #2 - and sole responsibility for #3, #4, and #5. The blog owner, and the developer of any custom, third party template, must jointly assume responsibility for #7.

Recently, Blogger Support acknowledged the problem, in part.
Some users have reported that the Apply to Blog button in the Template Designer is non-functional for some Dynamic View templates.
We also have a Rollup Discussion, in Blogger Help Forum: Something Is Broken, where individual details are being provided by various blog owners.

Right now, we're starting to suspect that some "problems" are actually caused by the blog owners, who are simply not aware that not all changes made, using the Template Designer (or the Layout or Template "Edit HTML" wizards), are designed to update all templates used in viewing our blogs.

Hackers Get Your Team Ready - CTF 365



When it comes to the infosec industry, we all know that practice is the best way to learn how to defend and protect your system and, more importantly, how to find vulnerabilities and flaws within the systems you are after. This is never ending training, and the way you can do it most intensely and extensively is in CTF competitions.

Today's CTFs are becoming more and more complex and engaging. You can find anything from level based CTFs, where you have to pass a level in order to get access to the next, to more sophisticated systems that mimic different scenarios like internet bank phishing or complex money laundering, up to attack and defend games where each team gets a server full of vulnerabilities or flaws and has to patch it while other members exploit the other teams' servers.

Any good thing comes with bad things too. Besides their value as an alternative to infosec training labs, there are also some cons. CTFs are held yearly, spread all over the world, held for short periods of time, and far from the real world internet (e.g. no DoS or DDoS attacks allowed). Most of them fall into oblivion, even though they are fun.

We at CTF365 decided to change CTF competitions for the better and we promise to blow your expectations. We'll simply build an internet within The Internet where everything will be possible. Well, almost everything. Routers, switches, networks, DoS or DDoS attacks, you name it.
CTF365 is World of Warcraft for Hackers except that instead of fighting in a fantasy world, with imaginary powers against imaginary characters, CTF365 will replicate the real world as much as possible, and you will have to fight with your own real tools... hacking tools. 

BackTrack, Metasploit, Nmap, BackBox Linux or whatever you choose to use as weapons. You will have your own Fortress (your own server) to defend, with your own network, routers, and switches. You will build your own team and we will provide you with RTTK – Red Team Tool Kit for team communication and many more features. There will be as few rules as possible trying to get to the perfect cyber wargame: No rules at all.

CTF365 will provide the infrastructure, VPS included.

This is the CTF365 team's goal: to create an internet within the real internet, a place where everybody can hack others' machines while protecting their own and become better and better in their day-to-day training.

CTF365 will test the teams for both defensive and offensive skills, and its goal is to make players better at what they love to do most: offensive and/or defensive security. Having a place full of different kinds of systems gives players the opportunity to feel like in real life, when you don't know what will be around the corner.

As a system administrator, you and your team can experiment with new configurations without the fear that something wrong can happen, or you can simply train your skills to protect your system. CTF365 is the ultimate testing field for server administrators and pentesters.

Disable The Mobile Template, On Your Blog - As A Default View

Over a year ago, Blogger introduced a useful template option for our blogs - mobile templates.
Blogger mobile templates are mobile-optimized versions of our Template Designer templates. If you are using one of these templates, when you enable the mobile template option your blog will begin rendering using the mobile version of the same variant. Even if you are not using a Template Designer template, or using a heavily-customized version of one, you can still enable this feature to have your blog start rendering in a generic default mobile template that we have created.
The mobile templates let computers with lower display size / resolution - aka PDAs, mobile phones, and smart phones - display the content of our blogs, without the unnecessary overhead which may be a part of our normal blog formatting.

If you are viewing this post on your smart phone, it's likely that you are viewing it using a mobile template. As exciting as the mobile templates are, however, they will not replace the normal, full feature templates - on every blog, or on every mobile computer.

Not every blog owner, nor every visitor, wants to view any given blog using a mobile template. Some tablet computers have display units which rival normal desktop displays from a few years ago - and low feature, mobile templates are unnecessary. Fortunately, there are a number of options - for the blog owner, and for the blog visitor.

If you are a blog owner, you can disable the mobile template, as a default, for your blog. For those blog owners who have forgotten how they set the mobile template on their blog, you use the "Template - Choose mobile template" wizard, from the gear icon beneath Template - Mobile. Simply select "No. Show desktop template on mobile devices.", and Save - and that's it.

If your blog has a Classic Template, you can disable the default mobile template from your blog, with a little extra bit of effort.
  1. Start with the Template wizard, and select "Upgrade template".
  2. Once your blog has an upgraded template, you can use the "Choose mobile template" wizard, and select "No.".
  3. Go back to the Template wizard, and at the bottom find "Revert to classic templates".
  4. Selecting the latter link, your blog will be back to the previous, Classic template.
  5. But now, the default Mobile template will be disabled.

Upgrade your blog, to a Designer template.

Return your blog, to a Classic template.

Having set - or un set - the default mobile template for your blog, your visitors have the final say, how they want to view your blog. If you are the visitor, you can choose, with a little effort.

Any time you are viewing a Blogger blog, from any computer, you can select - or de select - the mobile template for the blog which you are viewing. Just use the appropriate mobile template URL suffix. You can view a blog using a mobile template on your desktop computer - or a blog using a full feature template on your mobile computer. It's now your choice.

This blog, viewed from this computer, using a Mobile template.
Unfortunately, it's your choice, when you use your mobile computer, only. You have only two choices, for your blog.
  • Don't enable the mobile template.
  • Enable the mobile template.


Each of your readers has to choose how to view your blog - if you choose to offer the mobile template.


Visitor Logs Cause Undue Concern

We see periodic concern, expressed in Blogger Help Forum: Something Is Broken, over apparent visitor access to blog maintenance wizards, using the Quick Edit icons.
I found this entry, in my StatCounter log. How did this person get access to my blog?
http://www.blogger.com/post-edit.g?blogID=7834826019588534175&postID=890014875501476492&from=pencil
Was my blog hacked?


This may not be a justified reason to panic, however. One may first wish to check that Stats (or whatever visitor log is in use, in this case) is properly configured, to not track your own activity. The link that you see may reflect your activity.

Even if the visitor log entry in question does not appear to reflect your own activity - even when allowing for the vagaries of geo location, you may still do well to remain calm.

Thanks to the unpredictable nature of cache, some blog artifacts may be visible to people other than blog owners.

Cache in your browser, on your computer, or even on your network, may cause the Quick Edit icon - which provides you with access to the sensitive wizards, which control the content of your blog - to also be visible to the casual visitor to your blog. Any idly curious visitor may even click on such an icon, when visible.

However, visibility of the icon does not guarantee access to sensitive blog controls. Here's what I saw, when I clicked on the link above.

D'Ohh!!!

Maybe, you'd like to verify that your blog is safe?
  1. Extract the URL, from a Quick Edit pencil, or screwdriver / wrench, on your blog.
  2. Verify that the link works, by testing it in your browser. See that you can access the post editor or the wizard, for the pencil or screwdriver / wrench.
  3. Save the verified URL, somewhere safe.
  4. Clear cache, cookies, and sessions (yes, clear all 3!).
  5. Restart your browser, and do not login to Blogger.
  6. Load the saved URL.
  7. What do you see?

If the above suggestion isn't interesting, I'll let you try to attack my blog.

Similar to the problem with phantom visitors reading a private blog, or maybe seeing your email address where other people can see it, or even porn sites linking to your blog, this may not be an issue to concern you. Calm down, and get back to work.

Use Of Google+ For Networking, And Keeping Your Blogger Account And Blogs Safe

One constant activity in Blogger Help Forum: Something Is Broken involves blog owners whose blogs were deleted - either righteously or spuriously - as part of the ongoing battle against spam, in Blogger blogs. Generally, the problem comes directly from the blog content.

Sometimes, the problem is more subtle.
When I tried to login to Blogger, I got a screen that said my account needed to be verified, due to "unusual activity on my account". Having verified my account, I see that my blogs have been deleted.
This is part of one of the more intriguing episodes, in the never ending fight against hacking and spam, in Blogger.

Some Blogger blog owners participate in comment based discussions, and provide their email addresses there. Some state their email addresses openly, in the body of the comments, for the world to see when viewing the comments. Others post comments using their Blogger accounts, knowing that the blog owners can see their email address in the comment moderation / notification email messages - and can contact them using email.

Spammers use comment based networking, to their advantage. They subscribe to any comment thread, using the "Notify me" option - then wait while blog readers comment using their Blogger accounts. As the email comes in, from blog readers commenting, they scrape the email addresses from the email content. Since most people commenting either openly state their blog URLs in the comment bodies - or link to a list of their blogs - the spammer now has two essential ingredients, to be used for hacking someone's Blogger account, and gaining control of the blogs owned by the account.

Google now provides Google+, where we can network with a designated audience, and avoid spam in our email. Using Google+, our email addresses are not revealed, and spammers have less incentive to use Google+ for email address harvesting. This protects our Blogger accounts and blogs against hacking, and relieves us from email based spam.

For people who update their Blogger accounts to use Google+ based profiles, but continue to network using Blogger comments, Blogger now protects us by using anonymous email addresses in all comment generated email. This leaves people who continue to comment, using Blogger accounts with native Blogger profiles, vulnerable to ongoing email address harvesting, and account hacking.

Blogger account hacking, using email addresses harvested from Blogger blog comments, will typically involve brute force password guessing. Blogger, detecting brute force attempts against a vulnerable Blogger account, will lock the account and the blogs. Once we verify ownership of our Blogger account - and hopefully change the Blogger account password to something less vulnerable to guessing - the blogs owned by a possibly compromised account remain locked, until they can be examined for signs of tampering, by Google security / spam analysts.

We also must consider the possibility that not all brute force password guessing attacks are being detected by Google - and some Blogger accounts are being deviously, and temporarily, hijacked.

People who set up Blogger accounts based on bogus email addresses - or who have accounts based on old email addresses which they can't use - continue to present a challenge here. These people will never receive essential email advising them of a problem in either verifying their Blogger account - or their blogs. This will continue to make our initial spam lock advice relevant.
Can you login to Blogger? Do you have a dashboard link "Deleted blogs"? That's where you start.

You wait 24 to 48 hours after submitting a Restore request - then you post back here, and we take the next step.


Route Redistribution Basics: Golden Rules about Route Redistribution

1. Routes can be redistributed from one routing protocol to another: this is the assumption we usually work with. It is not accurate. Routes are not redistributed from one protocol to another; they are always taken from the RIB, not from a routing protocol.

2. The redistributing protocol knows which routes to take from the RIB based on the “known via” information present in "show ip route" details.

3. A route must be installed in the RIB for it to be redistributed in another protocol.

4. Routes redistributed from the routing table are not re-installed again into the RIB.

5. Only the attributes of a route present in the RIB can be used for filtering.

Redistribution Filters:-
1. Redistribution filters can control what information is injected into a routing protocol through redistribution.

2. Filters can also be used to stop routing loops (read more about layer 3 routing loops) when mutual redistribution between two routing protocols is configured.

Redistribution Filter Tools:-
1. Match metric:- Filtering is possible between all protocols based on metric used.

2. Match Tag:- During mutual redistribution, tags can be assigned to routes to stop routing loops too.

3. Match IP Address:- Matches the prefix, possibly the network mask, depending on the access list type used.

4. Match IP Next Hop Address:- Matches on the next hop listed in the routing table.

5. Match route-type

6. Match Interface
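
The golden rules and the tag filter above, modelled as an added Python example (not code from the original post, and not router software). The class and function names, the addresses and the tag value 120 are assumptions made for the illustration; the administrative distances are the Cisco IOS defaults.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional

# Cisco IOS default administrative distances; the lowest one wins the RIB slot.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}
RIP_ORIGIN_TAG = 120  # constructed tag value marking "this route came from RIP"


@dataclass(frozen=True)
class Route:
    prefix: str
    known_via: str      # the "known via" protocol shown by "show ip route"
    metric: int
    next_hop: str
    tag: int = 0


class Rib:
    """One best route per prefix, chosen by administrative distance."""

    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def offer(self, route: Route) -> bool:
        current = self.routes.get(route.prefix)
        if current is None or (ADMIN_DISTANCE[route.known_via]
                               < ADMIN_DISTANCE[current.known_via]):
            self.routes[route.prefix] = route
            return True
        return False  # known to the protocol, but not installed in the RIB


def redistribute(rib: Rib, source: str, target: str,
                 permit: Callable[[Route], bool] = lambda route: True,
                 set_tag: Optional[int] = None,
                 seed_metric: int = 1) -> List[Route]:
    """Routes that `target` advertises after redistributing `source`.

    Candidates come from the RIB (rules 1-3), the filter sees only RIB
    attributes (rule 5), and the result is returned for advertisement
    rather than offered back to the local RIB (rule 4).
    """
    advertised = []
    for route in rib.routes.values():
        if route.known_via != source or not permit(route):
            continue
        tag = route.tag if set_tag is None else set_tag
        advertised.append(replace(route, known_via=target,
                                  metric=seed_metric, tag=tag))
    return advertised


def mutual_redistribution(filter_on_r2: bool) -> dict:
    """R1 and R2 both sit between a RIP domain and an OSPF domain."""
    r1, r2 = Rib(), Rib()
    native = Route("10.1.1.0/24", "rip", metric=2, next_hop="192.0.2.1")
    r1.offer(native)

    # R1: redistribute RIP into OSPF, tagging every route on the way in.
    r1_into_ospf = redistribute(r1, "rip", "ospf",
                                set_tag=RIP_ORIGIN_TAG, seed_metric=20)

    # R2 hears the prefix natively via RIP and again via OSPF from R1.
    r2.offer(replace(native, metric=3, next_hop="192.0.2.2"))
    for route in r1_into_ospf:
        r2.offer(replace(route, next_hop="198.51.100.1"))

    # R2: redistribute OSPF into RIP, optionally denying the tagged routes.
    permit = ((lambda route: route.tag != RIP_ORIGIN_TAG)
              if filter_on_r2 else (lambda route: True))
    return {
        "r1_rib": r1.routes["10.1.1.0/24"],
        "r2_rib": r2.routes["10.1.1.0/24"],
        "r2_ospf_into_rip": redistribute(r2, "ospf", "rip", permit=permit),
        "r2_rip_into_ospf": redistribute(r2, "rip", "ospf",
                                         set_tag=RIP_ORIGIN_TAG),
    }


if __name__ == "__main__":
    for filtered in (False, True):
        result = mutual_redistribution(filtered)
        print("tag filter on R2:", filtered)
        print("  R2 RIB:", result["r2_rib"])
        print("  R2 OSPF -> RIP:", result["r2_ospf_into_rip"])
```

Without the tag filter, R2 feeds the RIP prefix back into RIP because its RIB prefers the OSPF copy; with the filter, nothing is fed back. R2's own RIP copy is never redistributed because it lost the RIB slot.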

Submitting A Court Order To Google

Periodically, we have discussions in Blogger Help Forum: Something Is Broken, about issues, that absolutely cannot be resolved in a forum problem discussion.

These issues will vary, by relationship to a given blog, as well as by nature of the offense perceived. Some of these complaints may have been reported to Google, in an ongoing effort, for years.

We know that Google Legal has to take a conservative approach in evaluating the various complaints submitted to them.

Material to be removed is specified, using the Google Content Removal process. Every complaint may involve a third party, who has equal rights that must be considered.

In cases where Google Legal must deny action, and generally will not respond to a submitted Content Removal form, the person making a complaint is advised to use the courts to verify his identity and / or legal relationship with the blog in question.

Anybody who does not receive appropriate response from Google Legal may hire a lawyer, start a lawsuit, and get a court order issued by a judge. A properly issued court order can be then submitted to Google using the Google Help: Submit a Court Order to Google form.

The Story Behind, How The Data Was Stolen

No one likes to hear the bad news that their computer, email, or phone has been hacked and the data stored in it has been plundered by cyber criminals. And hearing this news during the end of the year with Christmas approaching can only be the Grinch’s cherry on top to a year of disastrous security failures. But the sad fact is many more people are being faced with this problem as Grinch-like hackers continue to steal data on an increasingly significant basis. We may think that we are safe from the problem but in reality we are right in the midst of it, with internet giants coming under the radar as well!

Armed with keyloggers, Trojans, backdoor exploit methods and whatnot; these Grinches are pulling for the grand finale as 2012 comes to a close. Of course, this means that the data Industry has been lacking some major incentives and preventive measures that allowed these criminals to slip in between the cracks and make off with our data. The data breach investigations report is a pictorial representation of the actual scenario; read it to figure out the happenings.


Source: MobiStealth.com

After Using "Buy a domain", Blog Owners Are Seeing "Server error" From Google Apps

Ever since Google ended its free Google Apps accounts, we've been seeing reports in Blogger Help Forum: Something Is Broken, about problems encountered when setting up a new Google Apps account, to administer a newly purchased custom domain.
Every time I try to login to Google Apps, using instructions in the email message, I get
Server Error: We could not process your request at this time, please try again later.

The limited function free Google Apps accounts, which can be only used for domain maintenance, do not work with the Google Apps account setup wizard, which is generally used after using "Buy a domain". When you see "Invalid request" or "Server error", you need to reset the password for the "bloggeradmin" account, for your domain.

Start by accessing the Google Apps administrative account reset wizard, for your domain. If you use GMail for your email, or other Google products, try to use a different browser for Google Apps. Alternately, use an "Incognito" window, in Chrome - or a "Private" window, in Firefox. Or, clear cache, cookies, and sessions - then restart the browser, when possible.

For this domain, "nitecruzr.net", I would access the account reset wizard as
http://google.com/a/cpanel/nitecruzr.net/ResetAdminPassword
or possibly
http://google.com/a/nitecruzr.net/ResetAdminPassword

You simply change "nitecruzr.net", to your domain URL, to reset the administrative password for your domain.
(Update 2013/11/03): This process should be slightly simplified, with Google Apps now using the new integrated Google login screen.
Having solved the CAPTCHA in the reset screen, Google will send a password reset email message, for the "bloggeradmin" account for your domain, to the email address used by your Blogger account. Once again, this is a bad time to be using Blogger anonymously.

Open your email, then open and execute the email message, to reset the bloggeradmin Google Apps account. Be sure to enter the complete Google Apps account name, in the Google account reset screen.

Once the password is reset, log in to Google Apps. Then retrieve the login tokens, from the Google Apps desktop, to access eNom or GoDaddy.


PayPal Pays Me A Total Bounty Of 10,000 For The Command Execution Bug

                  
Recently, I wrote about the command execution vulnerability I found in PayPal, for which they sent me an initial payment of 5000$. This story was featured in lots of popular technology blogs like Softpedia, ProPakistani, MyBloggertricks etc. Recently I received an email from PayPal, where they informed me that they have deposited the remaining bounty "4750$" to my business partner's PayPal account.

I would also like to let you know that more than 20 bugs I sent are still being validated by PayPal.

Basics of Static Routing: Secret Facts about Static Routing

Static routing is one of the easiest ways to define reachability among different networks, but it is only helpful if you are in a stub network (a network which has a single exit point) or in small networks. Static routes can be defined with different types of exit interface. Below are the various ways of defining static routes.

1. Static routes can have next hop address of an IP Address:-
ip route 10.2.2.0 255.255.255.0 10.1.2.1
Defining this type of route causes the RIB and CEF to recursively look up the correct layer 2 header to rewrite onto the packet. As long as the next hop is reachable, the router assumes the destination through that next hop is reachable.

2. Static routes can have next hop address as point to point interface address:-
ip route 10.2.2.0 255.255.255.0 serial0
The RIB and CEF point the route directly at the point-to-point interface. For each packet destined to 10.2.2.0/24, the layer 2 rewrite header is set up to reach the other end of the point-to-point link. As long as the interface is up, the router assumes the destination is reachable through that interface.

3. Static routes can have next hop address as broadcast interface:-
ip route 10.2.2.0 255.255.255.0 fa0/0
If you point a static route to a broadcast interface, the route is inserted into the routing table only when the broadcast interface is up. This configuration is not recommended, because when the next hop of a static route points to an interface, the router considers each of the hosts within the range of the route to be directly connected through that interface. With this configuration, the router assumes every destination is directly connected and performs an ARP request for each one. This increases IP Input load and consumes a lot of memory to store the ARP entries. It also requires proxy ARP to be enabled on routers; if it is not enabled, packets will be dropped.

A default route with a broadcast interface as the outgoing interface could lead to 2 raised to the power 32 entries in the ARP table.


ABOUT AUTHOR: Shivlu jain

System Engineer at Cisco Systems

Redirecting The Home Page, And Mobile Templates

Everything has its limits - even Blogger features. For a while, we've been seeing hints that mobile templates don't support a redirected Home page.
How do I disable the Blogger mobile redirect "/?m=1"?
Some blog owners would prefer their readers, using a mobile computer, see a redirected Home page, with a desktop template - instead of a mobile display with a dynamic Home page.

Apparently, the mobile redirect
/?m=1
overrides the Home page redirect
/
Actually, this makes sense. "/?m=1" (the redirected mobile template URL snippet) is not equal to "/" (the redirected Home page URL snippet).

For those blog owners who have forgotten how they set the mobile template on their blog, you need to remove the mobile template, using the "Template - Choose mobile template" wizard, from the gear icon beneath Template - Mobile. Simply select "No. Show desktop template on mobile devices.", and Save - and that's that.

Now, everybody - including your readers using mobile computers - will see the standard desktop template (with optional Home page redirect), when viewing your blog.

This probably won't remain a difficult choice, for all blog owners, for long. Newer mobile computers - PDAs, phones, tablets, and such - have rather sophisticated display units, which approach the clarity of normal high resolution devices previously seen on desktop / laptop computers, from just a few years ago. One's readers simply have to get used to a computer with a 6" to 12" touch screen, instead of one with a 12" to 16" no touch screen with keyboard.


Mohammad Chose Blogging, I Choose Hacking

Well, this post is not an ordinary one that talks about "Making Six Figure Income Online" or making millions from blogging; it rather contains some interesting pieces of advice for Novice Bloggers and also the Ninjas out there who are struggling hard to survive online. It all started when Mohammad and I met back in 2009 in a Snooker Club. We both were interested in blogging and Internet Marketing, so we arranged a meeting in order to share our existing blogging strategies.
Read More about the whole story on Mybloggertricks "Mohammad Choose Blogger, I Choose Hacking".

Template Designer Upgrades Require Supporting Updates To The Individual Blog Templates

This week, we're seeing a small flood of problem reports in Blogger Help Forum: Something Is Broken about problems with the Template Designer.
Every time I change something, I have to refresh the page in order for it to show up. It won't "Save" when I try to save the layout changes. It just says "Saving..." at the top of the page and fades away, but doesn't actually save any changes.

Many problems involve changes made to the template, using the Designer, which aren't being saved - or are broken when saved. Most of the people reporting these problems have made changes to the template, previously - some are so experienced at making changes, they can't believe that their latest changes could ever have problems.

Interestingly, this history of changes is not a coincidence - and it's likely that some of the changes help to cause these problems.

Take a look at the template code in your blog, some time. You'll notice a lot of code which doesn't look like CSS, HTML, or XML. Some of it is code which supports the various blog features that are adjusted or configured using the Template Designer.

Many template features involve two sets of code.
  1. The Template Designer wizard, part of the Blogger dashboard, is common code used by all blog owners.
  2. The blog template, post template, and / or widget template, is part of the individual blogs. Some template code does nothing but support the Template Designer - and let you configure your blog layout.
Every time Blogger Engineering adds or updates template features, they have to make changes to both sets of code.

Blogger Engineering does not edit each individual blog, after they upgrade the Template Designer. They make changes to the master template code - and their changes replicate into the individual blog templates. These changes replicate much more consistently, when the individual templates have not been changed.

The more custom a template is, with changes applied by the blog owner, or possibly in a third party template, the less likely it is to properly update, to support each succeeding Template Designer update.

Any time Blogger Engineering updates the Template Designer, to add a new feature, or maybe to support a new browser version, their updates may require changes which are not properly applied to all blogs - and the Template Designer stops working, in some blogs.

When the Template Designer stops working, the usual recommendation is to refresh the post or widget template - or maybe to upgrade the blog template - and things start rolling again. And the blog owner goes back to tweaking the template, until something breaks again.


The Content Of Your Reading List Is Your Responsibility

Occasionally, we see an odd problem report about Reading List content, in Blogger Help Forum: Something Is Broken.
How did this blog get into my Reading List? I did not Follow this blog!

Most people will not, knowingly, Follow a spam blog. This is one reason why Following is so popular - each blog owner, and blog reader can easily bypass, and actively block - spam. Spammers have, however, found devious ways to convince people to Follow them.

Nobody will, intentionally, Follow a spam blog. If we unintentionally Follow a blog which is owned by somebody gullible to the spammers' suggestions, it's not difficult to identify, and stop Following, any blogs owned by gullible people.

You can, using the right reporting procedure, identify the blogs which offend you. It's possible that Blogger / Google will, given the right complaints, remove such blogs.
  • Any action taken upon your report of problem blogs is subject to delay - and due process of law - before any results will be seen.
  • The content which offends you may not be provided in a Blogger blog. Google has no power over non Google hosted websites.
  • Any blogs removed as a result of your complaints will be replaced, in the spam blog cloud, which you are seeing, thanks to the blog which you are Following.

When you see content which offends you, in your Reading List, the proper resolution will be simple.
  • Find, and remove, the blogs which you are Following - and which cause the problem content to be present in your Reading List.
  • Report the blogs which you are Following - not the blogs / websites which provide the unwanted content.
You may, at your discretion, add a third step.
  • Report the blogs or websites which provide the unwanted content.
But do the third step, as a third step - not as the only step. Report the problem blogs - as Step #2 - here, or in Blogger Help Forum: Something Is Broken. Be part of The Solution - not The Problem.


Basics of EIGRP Routing Protocol: EIGRP Cheatsheet – Learn EIGRP in 15 min

Long time folks, was busy with a lot of projects. Hope the coming year gets less busy and I get to get my hands more dirty on networks and network security. In the meantime, here is an EIGRP cheat sheet which I thought will be helpful to folks who just want a quick theory review of Cisco’s EIGRP. Though I wanted to cover a lot more in the cheat sheet, like EIGRP technologies and planning, it would have defeated the purpose of a cheat sheet. Never mind, I am preparing a more comprehensive EIGRP guide which I might publish soon depending on the feedback received. In the meantime, you can find the cheat sheet at Slideshare and Scribd.


Source: PROHACK


About the author : Rishabh Dangwal

Rishabh Dangwal is a no-nonsense network geek who has got a thing for guitars, retro games and emulators. When he is not tinkering with devices and gadgets, he can be found reading novels by Fredrick Forsyth. Follow him on Twitter

Blogger Magic - Activating The Blog Feed

One of the neatest - and easiest - techniques, to make your blog available to a larger audience, uses a replica of the blog posts - the blog newsfeed.

Most blogs, when new, have the feed activated by default. Oddly enough, some blogs - even published publicly - do not publish a newsfeed.

Some blog owners, wondering why their blogs are not being indexed by the search engines, are perplexed.
Why isn't my blog publishing a feed?
If you want full visibility, activate the blog newsfeeds.

You activate the various newsfeeds, for the blog, from the dashboard Settings - Other - Site Feed wizard.

Routinely, you'll have one setting - "Allow Blog Feeds" - and this setting will affect all feed options equally. If you select "Custom", you can enable or disable any of the 3 feed options, separately.
  • Blog Posts Feed
  • Blog Comments Feed
  • Per-Post Comment Feeds

Each setting will have 3 possible selections - Full, Until Jump Break, Short, None.

(Note): If you enable a feed, it is available to anybody with a feed reader, either a feed reader that they personally use, or one built in to a blog. There is no option to limit feed access - feeds are available, equally, to all interested parties. This is why feeds are not published by limited access (private) blogs.

If you fear that unknown parties might steal content from your blog by using your feed, don't publish a Full feed, publish a Short feed. This will require anybody wishing to read a complete post to access your blog, rather than reading it in their newsreader.

In most cases, though, a "Full" setting, for all feeds, is best.

Redirecting Any URL In Your Blog, To Another URL

In late 2011, Blogger Engineering gave us a new Blogger feature - the ability to redirect any URL in a blog, to any other URL in the blog.

Like any feature, we found an immediate use for it - something much requested, for a good while. Other people have found more uses for the redirection feature - and still others have found confusion.

The syntax used in the redirection "From" and "To" values is not always obvious - and occasionally there is confusion about what can - and can't - be done with redirection.

This is the URL of this post.

http://blogging.nitecruzr.net/2012/12/redirecting-any-url-in-your-blog-to.html

Using the redirection feature, I can redirect another URL in this blog, to this post - or conversely, I can redirect the URL of this post to another URL, in this blog.

You can only redirect within the blog.

Both the "From" and "To" values in "Custom Redirects" accept any static blog URL, less the base URL of that blog. You cannot specify the base URL - so all redirections will be within the blog itself.

You can redirect the blog home page display, within the blog.

The initial use for the redirection feature (at least, for me) was to replace the Home page of the blog, with another page or post - possibly, this post.

From: /
To: /2012/12/redirecting-any-url-in-your-blog-to.html

I could change the Home page of this blog, to start all new readers on the Topics Index page.

From: /
To: /p/topics.html

You can redirect one specific post URL reference, within the blog.

If I were to change the Title of this post, when republished, the URL would not change. If I wanted to change the URL of this post, I could redirect the desired URL, to the actual URL.

From: /2012/12/redirecting-any-urls-in-your-blog.html
To: /2012/12/redirecting-any-url-in-your-blog-to.html

You can make a shorter URL, for easy access inside or outside the blog.

If I want to allow this post to be accessed from a shorter URL, I can do that. If you click on the shorter URL (below), you will note that you still see the longer URL in the browser address window!

From: /redirecting-any-url-in-your-blog-to.html
To: /2012/12/redirecting-any-url-in-your-blog-to.html

I recently created a shortcut to my Topics index, as "blogging.nitecruzr.net/topics".

From: /topics
To: /p/topics.html

And here is a demonstration of a custom redirect, to my magic post about custom redirects.

From: /SimpleURL
To: /2013/01/blogger-magic-redirecting-url-in-your.html

Pick any two URLs, in the same blog.

To get the "From" and "To" values for any redirection, I simply take any two URLs in the same blog. Choose any two examples - one for "From", the other for "To".

  • The Home page: http://blogging.nitecruzr.net/
  • A post: http://blogging.nitecruzr.net/2012/12/redirecting-any-url-in-your-blog-to.html
  • A static page: http://blogging.nitecruzr.net/p/topics.html
  • A label search: http://blogging.nitecruzr.net/search/label/Redirecting
  • A shortcut URL: http://blogging.nitecruzr.net/topics

And drop the base URL: http://blogging.nitecruzr.net

Giving:

  • The Home page: /
  • A post: /2012/12/redirecting-any-url-in-your-blog-to.html
  • A static page: /p/topics.html
  • A label search: /search/label/Redirecting
  • A shortcut URL: /topics

Having developed the proper "From" and "To" values, adding a "Custom Redirects" entry is simple enough.
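
Deriving the "From" and "To" values as described above, as an added Python example (not part of the original post, and not Blogger's own code). The function names and the "?max-results=50" sample are assumptions; the other sample URLs are the ones listed in the post.

```python
from urllib.parse import urlsplit

BLOG_BASE = "http://blogging.nitecruzr.net"  # base URL used in the post


class RedirectError(ValueError):
    """The URL cannot be expressed as a same-blog redirect value."""


def redirect_value(url: str, blog_base: str = BLOG_BASE) -> str:
    """Drop the base URL from a full blog URL, giving a From / To value."""
    base, target = urlsplit(blog_base), urlsplit(url)
    if target.scheme not in ("http", "https") or not target.hostname:
        raise RedirectError(f"not an absolute web URL: {url!r}")
    # Compare parsed host names rather than stripping a string prefix, so a
    # different host that merely begins with the same text is not accepted.
    if target.hostname != base.hostname:
        raise RedirectError(f"{url!r} is not inside {blog_base!r}")
    # The Home page has an empty path once the base URL is dropped: use "/".
    path = target.path or "/"
    # Percent-encoding (Home%20Page) and any query string are kept verbatim.
    return path + (f"?{target.query}" if target.query else "")


def is_same_blog(url: str, blog_base: str = BLOG_BASE) -> bool:
    """True when the URL can be used in a Custom Redirects entry."""
    try:
        redirect_value(url, blog_base)
    except RedirectError:
        return False
    return True


def custom_redirect(from_url: str, to_url: str,
                    blog_base: str = BLOG_BASE) -> dict:
    """Build one Custom Redirects entry from two URLs in the same blog."""
    entry = {"From": redirect_value(from_url, blog_base),
             "To": redirect_value(to_url, blog_base)}
    if entry["From"] == entry["To"]:
        raise RedirectError("From and To are the same URL")
    return entry


if __name__ == "__main__":
    samples = [  # URLs from the post, plus one constructed query example
        "http://blogging.nitecruzr.net/",
        "http://blogging.nitecruzr.net/2012/12/redirecting-any-url-in-your-blog-to.html",
        "http://blogging.nitecruzr.net/p/topics.html",
        "http://blogging.nitecruzr.net/search/label/Redirecting?max-results=50",
        "http://blogging.nitecruzr.net/topics",
    ]
    for sample in samples:
        print(f"{sample} -> {redirect_value(sample)}")
    print(custom_redirect(samples[4], samples[2]))
```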

Make a cleaner "menu bar" display, if you redirect the home page.

Having set up a useful complement of Pages, and redirected the Home page, you may wish to remove the "Home" page tab. Just edit the Pages gadget, using the dashboard Layout wizard, or the on blog quick edit icon - not the dashboard Pages wizard - and deselect the "Home" page.

A simple example, showing the result, may be seen in my demonstration blog, Home Page Redirected To Label Search.

From: /
To: /search/label/Home%20Page

There are some subtle limitations.

Note that a label search displays a fixed number of 20 posts, regardless of the "Show at most" / "Number of posts on main page" setting. If this is a problem for your blog, you can explicitly set maximum label search size, using the "max-results" modifier in the "To" value.

You may also wish to remove the "Showing posts with label ..." notice, if you like a cleaner display. In my demonstration blog (mentioned above), I did not do this - to make my examples more obvious.

The possibilities here are endless. Just use common sense - and again, note the limits on redirection.

Click here, for instructions. Note again, that the actual address, displayed in the browser address window, will not change. Note again: by design, you cannot specify the base URL - so all redirecting will be within the blog itself.

Other than the latter limitations, though, this is a pretty powerful feature - when you understand the design.

WOW! Paypal Sends Me 5000$ For A Command Execution Vulnerability


Update: 5000$ was the initial payment; PayPal paid another 5000$, which makes the total bug bounty 10,000$ for the command execution vulnerability -

PayPal Pays Me A Total Bounty Of 10,000 For The Command Execution Bug


Today when I logged into my Gmail account, I saw PayPal sent me 5000$ for the command execution bug I reported on one of its subdomains. That constituted a huge risk to the organization, since an attacker could have easily managed to execute any command on the server. Therefore the bug was extremely critical; however, PayPal took more than 2 months to sort it out.
I cannot write more about the vulnerability per the terms of the bug bounty program.
Along with the command execution vulnerability, I was paid 500$ for an XSS vulnerability that I found on PayPal's main domain; furthermore, I was also paid for an information disclosure. So in total they sent me an amount of 6000$.

More than 20 of my bugs are still being validated by PayPal.




Last week, I was offered a job by PayPal as a Senior Pentester A.K.A SecurityNinja. Kindly look at the screenshot below:

Cracking Cpanel Passwords [Tutorial 2]


One of our guest authors already wrote a post on "Cracking Cpanel passwords"; however, that method worked for some sites and did not work on others. Recently Avinash mailed me a guest post, which contained two working methods that can be used to crack Cpanel passwords. I have tested both methods myself and they are working. However, for this method to work, the website on which your shell is uploaded should already be vulnerable to Symlink Bypass (Server Bypass).


Method 1 [Cracking CPanel Passwords]

Requirements:

1. PHP Backdoor (Shell) installed on a server.
2. Required Files

First create two folder's, Im creating abc & xyz Now i will upload the files to do symlink and do the symlink, Next give 0755 permission to jaguar.pl and run it and put etc/passwd in it, After this will get all the config's now you are done with symlinking the server

 Now go the second folder we created and upload B_F.php and place tour symlink folder link in that And then click on start And you have you cpanels's.

ScreenShots For Further Explanations






Method 2 [Cracking CPanel Passwords]

Requirements:
1. Shell On The Server
2. Cpanel.py
3. Python already installed on your server.


We have to run the script from command prompt, So therefore we need to create a directory with any name let's say "a" in this case.

How to run the script?

Open command prompt and navigate to the directory where you have placed the script.

Then type cracker.py ww.site.com/abc (this will be our symlinked folder link) c:\a ( this is where it will be saved and then press enter. It will start it's work.

Next It will give you a passwords copy them all and upload a cpanel bruter and paste all the passwords in pass area, For user's go to shell and give command

ls /var/mail

And you will get all usernames paste it in user's area, And click on start.

ScreenShots For Further Explanations






About the Author:
Avinash is a security researcher and a blogger. He runs a blog http://www.hackerzadda.com/, where he writes about hacking.




Featured Post

Custom Domains And HTTPS Redirection Code