[Owasp-delhi] XSS in IRCTC.
Puneet Mehta
puneet.mehta at owasp.org
Thu Nov 27 11:04:45 EST 2008
I am sure they have people hired to ensure the security of their critical
application. The question is: are these so-called security
professionals competent to perform the job they are hired for...???? Or
is it the quarterly automated pen test performed last time that apparently
missed catching the jewel crown "XSS"..:-)
On Thu, Nov 27, 2008 at 9:13 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
> If you think they would understand XSS, go ahead and report this issue. And
> if you think otherwise, even the confirmation won't be of any use :-)
>
> Be generic, call it a bug and report the issue without being worried about
> software bug or XSS. If they offer some remuneration then no harm in going
> ahead to confirm this one or maybe finding more juicy stuff. I would prefer
> to confirm vulnerabilities for our clients or some software products rather
> than offering free consulting services to irresponsible companies that deploy
> insecure software and make their customers suffer... If you find any
> vulnerability in the wild, no doubt report it in an ethical way! But no reason
> to spend time over it where you don't have any personal or professional
> interest!
>
>
> -----Original Message-----
> From: owasp-delhi-bounces at lists.owasp.org
> [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Karthik
> Muthukrishnan
> Sent: Tuesday, November 25, 2008 11:07 AM
> To: Plash Chowdhary
> Cc: owasp-delhi at lists.owasp.org
> Subject: Re: [Owasp-delhi] XSS in IRCTC.
>
> Thanks for pointing out Plash.
>
> It *seems* to be an exploitation. I didn't have enough time to analyze it,
> so I was hoping that someone from owasp delhi would confirm whether it is
> an exploitation or not. "Print this page" link didn't work - it just showed
> an alert box. I would prefer to be reasonably sure that it is not a
> programming issue.
>
> What do other guys in the mailing list say? Report it right away or confirm
> the issue and report it?
>
>
>
> Plash Chowdhary/DEL/TCS
> 11/25/2008 05:20 AM
> To: Karthik Muthukrishnan <karthik.muthukrishnan at tcs.com>
> cc: owasp-delhi at lists.owasp.org, owasp-delhi-bounces at lists.owasp.org
> Subject: Re: [Owasp-delhi] XSS in IRCTC.
>
> Karthik are you going for full disclosure here without including cert
> India... its a govt site dude ; )
>
> Regards,
> Plash Chowdhary
> Security Consultant,
> Global Consulting Practice - IRM
> Tata Consultancy Services
> Ph:- +91-120-4398828
> Buzz:- 4120286
> Mailto: plash.chowdhary at tcs.com
> Website: http://www.tcs.com
>
>
> Karthik Muthukrishnan <karthik.muthukrishnan at tcs.com>
> Sent by: owasp-delhi-bounces at lists.owasp.org
> 11/23/2008 11:36 PM
> To: owasp-delhi at lists.owasp.org
> Subject: [Owasp-delhi] XSS in IRCTC.
>
> IRCTC seems to have been exploited by an XSS vuln. After booking the
> ticket, when you click on the print this page link, an alert ("hi")
> appears. This is the status today morning. I didn't have time to analyze as
> I had to rush to office. Will see if I can spend some time from office.
>
>
> "Pukhraj Singh" <pukhraj.singh at vikriya.com>
> Sent by: owasp-delhi-bounces at lists.owasp.org
> 11/22/2008 08:29 PM
> To: "Tarun Dua" <tarundua at gmail.com>
> cc: owasp-delhi at lists.owasp.org
> Subject: Re: [Owasp-delhi] NDTV.com classified by google search as a possible attack site serving malware
>
> Tarun,
>
> You are correct on that one; I missed mentioning that as the exploit seemed
> too trivial for my attention.
>
> When I went through the blog entry, my focus immediately jumped to the
> subsequent iframes which were being launched (the ones mentioned after the
> line: "launches several iframes that launch several other attacks. very
> nice. I'll let you pull down that code.") and the subsequent malware it was
> trying to load. I was really keen to pull them down and see if they got
> something juicy.
>
> Loosely speaking, a shotgun attack is not bound to a definition, unlike say
> buffer overflows, as you may better understand; it was just a term created
> by my team at Symantec to make the life and explanations easier. This one
> would still come under the shotgun category (duhh - too hard on fancy
> definitions) as there were multiple exploits loaded in a sequence of nested
> iframes.
>
> Best,
> Pukhraj
>
>
> On Sat, Nov 22, 2008 at 12:48 PM, Tarun Dua <tarundua at gmail.com> wrote:
> Hi Pukhraj,
>
> Thanks for your explanation. As I understand it, a shotgun attack is
> one where the attacking malware site attempts to exploit multiple
> vulnerabilities ranging from javascript to shockwave objects?
> The url you referred to lists out the type of malicious SQL injection
> request that will compromise an MS-SQL server (or can it compromise
> any other database servers?) by updating the open table_cursors,
> thereby injecting javascript into resultsets which are being fetched
> by the web-pages, which thus get written out into the webpages being
> served and execute a shotgun attack on end users' computers. Is my
> understanding correct?
>
> Thanks
> -Tarun
>
>
>
>
>
> On Sat, Nov 22, 2008 at 2:48 AM, Pukhraj Singh
> <pukhraj.singh at vikriya.com> wrote:
> > This is the second time I have heard of NDTV being compromised. The first
> > time it was compromised with the MPack exploitation toolkit.
> >
> > The infection via d0uhunqn-dot-cn is pretty old. It seems that website
> > remained compromised for a long time. Sad! It's a typical shotgun attack,
> > although the malicious links seem to be offline now. A couple of projects
> > have crawled through those malicious websites which have been mentioned in
> > the Google diagnostics page (CastleCops, Shadowserver, Symantec SafeWeb,
> > et al).
> > Some of the exploits being served are old (from the Storm Worm days):
> >
> > http://carnal0wnage.blogspot.com/2008/08/cute.html
> >
> > Best,
> > Pukhraj
> >
> >
> > -----Original Message-----
> > From: owasp-delhi-bounces at lists.owasp.org
> > [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Tarun Dua
> > Sent: Friday, November 21, 2008 10:33 PM
> > To: owasp-delhi at lists.owasp.org
> > Subject: [Owasp-delhi] NDTV.com classified by google search as a possible
> > attack site serving malware
> >
> > See advisory here
> >
> > http://www.google.com/safebrowsing/diagnostic?site=http://www.ndtv.com/convergence/ndtv/videos.aspx&hl=en
> >
> > I couldn't see the malware sites mentioned on the advisory serving out
> > from ndtv.com anymore on my firebug console, so I figure that these
> > vulnerabilities might have been gone from their site now. Does someone
> > have more information as to what happened here: was it their windows
> > servers that got compromised, or XSS issues from the advertising or
> > user generated content served by them?
> >
> > Cheers!!
> > -Tarun
> > http://tarundua.net/google/ndtv/advisory
> > _______________________________________________
> > Owasp-delhi mailing list
> > Owasp-delhi at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-delhi
> >
> >
>
--
Puneet Mehta CISSP CISA CEH CPTS BS7799 LA
OWASP Delhi Board
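Tarun's description of the cursor-based SQL injection that writes script tags into every fetched result set suggests two checks a defender would run after an incident like the NDTV one: decoding the hex-wrapped T-SQL that such requests carry in the web server log, and scanning database text columns for script tags that have already landed. The Python below is an added example, not code from this thread or from any project named in it; the log lines, table rows and the example.invalid host are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the thread). The second request wraps
# its T-SQL in CAST(0x... AS VARCHAR), so the cursor keywords are hidden as hex.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2008:22:33:01 +0530] "GET /videos.aspx?id=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Nov/2008:22:33:07 +0530] "GET /videos.aspx?id=42;DECLARE%20@S%20VARCHAR(4000);'
    'SET%20@S=CAST(0x4445434C415245205461626C655F437572736F7220435552534F5220464F52202E2E2E'
    '%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5120',
]
# Constructed table rows: (row id, {column: value}); row 2 carries an injected tag.
SAMPLE_ROWS = [
    (1, {"title": "Evening news", "body": "Plain text, nothing injected"}),
    (2, {"title": "Sports<script src=http://example.invalid/x.js></script>", "body": "ok"}),
]

REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)')
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS", re.IGNORECASE)
SQL_WORDS = re.compile(r"\b(DECLARE|CURSOR|EXEC|UPDATE)\b", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script[^>]*src\s*=\s*['\"]?(https?://[^'\">\s]+)", re.IGNORECASE)

def decode_hex_literals(query):
    # Turn every CAST(0x... AS ...) literal back into readable text.
    decoded = []
    for hexstr in HEX_CAST.findall(query):
        try:
            decoded.append(bytes.fromhex(hexstr).decode("latin-1"))
        except ValueError:          # odd-length or non-hex junk: skip, not a crash
            continue
    return decoded

def inspect_log_line(line):
    """Return a finding dict for a request carrying SQL keywords, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = unquote(m.group(1))       # undo %20 etc. before matching keywords
    payloads = decode_hex_literals(url)
    if SQL_WORDS.search(url) or any(SQL_WORDS.search(p) for p in payloads):
        return {"url": url, "decoded": payloads}
    return None

def scan_log(lines):
    return [f for f in map(inspect_log_line, lines) if f]

def find_injected_scripts(rows):
    """List (row id, column, script src) for every text value holding an external script tag."""
    return [(rid, col, src) for rid, rec in rows for col, val in rec.items()
            if isinstance(val, str) for src in SCRIPT_SRC.findall(val)]
```

Running `scan_log(SAMPLE_LOG)` reveals the decoded `DECLARE Table_Cursor CURSOR FOR ...` payload behind the hex, and `find_injected_scripts(SAMPLE_ROWS)` lists which rows and columns now serve the external script to every visitor.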