Vipul,
This group is indeed to help the community and such counter comments are
part of every discussion. Few of the posts might be of interest and few are
of least interest, after all every one is free to post his/her personal
views. We are moderating this list to intercept and stop any nasty post but
not blocking anyone's views. And most of the time such open comments are
found on security mailing lists, be it full-disclosure or securityfocus, which
work somewhat differently than typical developer mailing lists, where
generally we find:
If ($post == "technical")
{
    Reply() && Enjoy();
}
else
{
    NULL;
}
You have already unsubscribed from this list but like I said, it is open and
free to all. So, as and when you like to rejoin, you are most welcome! You
might have automatically subscribed due to participation in some of the
OWASP meeting/conference.
Cheers!
Dhruv
_____
From: Vipul Gupta [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 28, 2008 11:25 AM
To: Puneet Mehta; [EMAIL PROTECTED]
Cc: [email protected]; Karthik Muthukrishnan
Subject: RE: [Owasp-delhi] XSS in IRCTC.
Instead of proving to be helpful, I am finding this list to be more biased
and sarcastic. Instead of providing some breakthroughs or knowledge sharing,
people here try to send personal comments that are of least interest for
this group.
I don't know how I got subscribed automatically to this list. Any ideas how
to unsubscribe from this group?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Puneet Mehta
Sent: Thursday, November 27, 2008 9:35 PM
To: [EMAIL PROTECTED]
Cc: [email protected]; Karthik Muthukrishnan
Subject: Re: [Owasp-delhi] XSS in IRCTC.
I am sure they have people hired to ensure the security of their critical
application. The question is: are these so-called security professionals
competent to perform the job that they are hired for...?
[Vipul Gupta] I am not sure if we should comment on abilities of people so
sarcastically!
Or was it a quarterly automated pen test performed last time that apparently
missed catching the crown jewel "XSS"..:-)
On Thu, Nov 27, 2008 at 9:13 PM, Soi, Dhruv <[EMAIL PROTECTED]> wrote:
If you think they would understand XSS, go ahead and report this issue. And
if you think otherwise, even the confirmation won't be of any use :-)
Be generic, call it a bug and report the issue without worrying about whether
it is a software bug or XSS. If they offer some remuneration then there is no
harm in going ahead to confirm this one or maybe finding more juicy stuff. I
would prefer to confirm vulnerabilities for our clients or some software
products rather than offering free consulting services to irresponsible
companies that deploy insecure software and make their customers suffer... If
you find any vulnerability in the wild, no doubt report it in an ethical way!
But there is no reason to spend time over it where you don't have any personal
or professional interest!
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Karthik Muthukrishnan
Sent: Tuesday, November 25, 2008 11:07 AM
To: Plash Chowdhary
Cc: [email protected]
Subject: Re: [Owasp-delhi] XSS in IRCTC.
Thanks for pointing out Plash.
It *seems* to be an exploitation. I didn't have enough time to analyze it,
so I was hoping that someone from OWASP Delhi would confirm whether it is
an exploitation or not. The "Print this page" link didn't work - it just showed
an alert box. I would prefer to be reasonably sure that it is not a
programming issue.
What do other guys in the mailing list say? Report it right away, or confirm
the issue and then report it?
From: Plash Chowdhary/DEL/TCS
Sent: 11/25/2008 05:20 AM
To: Karthik Muthukrishnan <[EMAIL PROTECTED]>
Cc: [email protected], [EMAIL PROTECTED]
Subject: Re: [Owasp-delhi] XSS in IRCTC.
Karthik, are you going for full disclosure here without including CERT
India... it's a govt site dude ; )
Regards,
Plash Chowdhary
Security Consultant,
Global Consulting Practice - IRM
Tata Consultancy Services
Ph:- +91-120-4398828
Buzz:- 4120286
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services | Business Solutions | Outsourcing
____________________________________________
From: Karthik Muthukrishnan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 11/23/2008 11:36 PM
To: [EMAIL PROTECTED]
Subject: [Owasp-delhi] XSS in IRCTC.
IRCTC seems to have been exploited by an XSS vuln. After booking the
ticket, when you click on the "print this page" link, an alert ("hi")
appears. This is the status as of this morning. I didn't have time to analyze
as I had to rush to office. Will see if I can spend some time from office.
From: "Pukhraj Singh" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 11/22/2008 08:29 PM
To: "Tarun Dua" <[EMAIL PROTECTED]>
Cc: [email protected]
Subject: Re: [Owasp-delhi] NDTV.com classified by google search as a possible attack site serving malware
Tarun,
You are correct on that one; I missed mentioning that as the exploit seemed
too trivial for my attention.
When I went through the blog entry, my focus immediately jumped to the
subsequent iframes which were being launched (the ones mentioned after the
line: "launches several iframes that launch several other attacks. very
nice. I'll let you pull down that code.") and the subsequent malware it was
trying to load. I was really keen to pull them down and see if they got
something juicy.
Loosely speaking, a shotgun attack is not bound to a definition, unlike say
buffer overflows, as you may better understand; it was just a term created
by my team at Symantec to make the life and explanations easier. This one
would still come under the shotgun category (duhh - too hard on fancy
definitions) as there were multiple exploits loaded in a sequence of nested
iframes.
Best,
Pukhraj
On Sat, Nov 22, 2008 at 12:48 PM, Tarun Dua <[EMAIL PROTECTED]> wrote:
Hi Pukhraj,
Thanks for your explanation. As I understand it, a shotgun attack is
one where the attacking malware site attempts to exploit multiple
vulnerabilities, ranging from javascript to shockwave objects?
The url you referred to lists out the type of malicious SQL injection
request that will compromise an MS-SQL server (or can it compromise
any other database servers?) by updating the open table_cursors,
thereby injecting javascript into resultsets which are being fetched
by the web-pages, which thus gets written out into the webpages being
served and executes a shotgun attack on endusers' computers. Is my
understanding correct?
Thanks
-Tarun
On Sat, Nov 22, 2008 at 2:48 AM, Pukhraj Singh
<[EMAIL PROTECTED]> wrote:
> This is the second time I have heard of NDTV being compromised. The first
> time it was compromised with the MPack exploitation toolkit.
>
> The infection via d0uhunqn-dot-cn is pretty old. It seems that website
> remained compromised for a long time. Sad! It's a typical shotgun attack,
> although the malicious links seem to be offline now. Couple of projects have
> crawled through those malicious websites which have been mentioned in the
> Google diagnostics page (CastleCops, Shadowserver, Symantec SafeWeb, et al).
> Some of the exploits being served are old (from the Storm Worm days):
>
> http://carnal0wnage.blogspot.com/2008/08/cute.html
>
> Best,
> Pukhraj
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tarun Dua
> Sent: Friday, November 21, 2008 10:33 PM
> To: [email protected]
> Subject: [Owasp-delhi] NDTV.com classified by google search as a possible
> attack site serving malware
>
> See advisory here
>
> http://www.google.com/safebrowsing/diagnostic?site=http://www.ndtv.com/convergence/ndtv/videos.aspx&hl=en
>
> I couldn't see the malware sites mentioned on the advisory serving out
> from ndtv.com anymore on my firebug console so I figure that these
> vulnerabilities might have been gone from their site now. Does someone
> have more information as to what happened here, was it their windows
> servers that got compromised or XSS issues from the advertising or
> user generated content served by them.
>
> Cheers!!
> -Tarun
> http://tarundua.net/google/ndtv/advisory
> _______________________________________________
> Owasp-delhi mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
--
Puneet Mehta CISSP CISA CEH CPTS BS7799 LA
OWASP Delhi Board
_____
NOTE: This message may contain information that is confidential,
proprietary, privileged or otherwise protected by law. The message is
intended solely for the named addressee. If received in error, please
destroy and notify the sender. Any use of this email is prohibited when
received in error. Impetus does not represent, warrant and/or guarantee,
that the integrity of this communication has been maintained nor that the
communication is free of errors, virus, interception or interference.
Impetus is the winner of the Economic Times Intel Smart Workplace Awards
2008 and the CNBC emerging India 2008. Visit www.impetus.com for details.
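As an added example (not code from the thread, nor from any of the sites discussed in it), the defender's side of the pattern Tarun asks about above: text columns in a database that a mass SQL-injection run has polluted with script or iframe tags, and the web pages that then serve that content to visitors. The block scans constructed sample rows for injected tags, as the triage step before cleaning the affected tables, and shows output encoding at render time, which keeps already-injected markup inert even before the database is cleaned. The table and column names, row ids and the attacker.invalid host are constructed placeholders.

```python
import html
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample rows standing in for the text columns of a web
# application's database after a mass SQL-injection run has appended
# markup to them. Table names, ids and the attacker.invalid host are
# placeholders, not values from the thread.
Row = Tuple[str, str, int, str]  # (table, column, row_id, value)

SAMPLE_ROWS: List[Row] = [
    ("articles", "title", 101, "Railway fares revised for winter season"),
    ("articles", "body", 101,
     'Fares go up by 3% from December.'
     '<script src="http://attacker.invalid/x.js"></script>'),
    ("comments", "text", 5, "Nice article!"),
    ("comments", "text", 6,
     "<iframe src='http://attacker.invalid/' width=0 height=0></iframe>"),
    ("comments", "text", 7, "Use <b>bold</b> sparingly"),
]

# Tags that carry active content and have no business in a plain-text
# column. <b> is deliberately not matched: the scan flags what would run
# in a browser, not every angle bracket a user typed.
INJECTED_TAG = re.compile(r"<\s*(script|iframe)\b[^>]*>", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    table: str
    column: str
    row_id: int
    tag: str
    snippet: str


def scan_rows(rows: Iterable[Row]) -> List[Finding]:
    """Triage pass over stored text: report every row containing an
    injected script or iframe tag so the affected tables can be cleaned
    and the injection path traced back through the web server logs."""
    findings = []
    for table, column, row_id, value in rows:
        for match in INJECTED_TAG.finditer(value):
            findings.append(Finding(table, column, row_id,
                                    match.group(1).lower(),
                                    match.group(0)[:80]))
    return findings


def render_untrusted(value: str) -> str:
    """Output encoding for HTML body context. Database content is data,
    never markup, so an injected tag is displayed as text instead of
    being executed by the visitor's browser."""
    return html.escape(value, quote=True)


def render_page(rows: Iterable[Row]) -> str:
    """Build the HTML fragment a page would serve from the rows, encoding
    every stored value at the point where it meets the template."""
    parts = ["<ul>"]
    for table, column, row_id, value in rows:
        parts.append(
            f'<li data-src="{html.escape(table)}.{html.escape(column)}#{row_id}">'
            f"{render_untrusted(value)}</li>")
    parts.append("</ul>")
    return "\n".join(parts)


def page_is_clean(rendered: str) -> bool:
    """Post-render check: no live script or iframe tag survived encoding."""
    return INJECTED_TAG.search(rendered) is None


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f.table}.{f.column} id={f.row_id}: <{f.tag}> injected: {f.snippet}")
    page = render_page(SAMPLE_ROWS)
    print(page)
    print("rendered page clean:", page_is_clean(page))
```

The scan is a triage aid, not the fix: a regex over stored text will miss obfuscated markup and flag legitimate content that happens to mention these tags, so its findings are a starting point for cleanup and log review. The durable control is the encoding in `render_untrusted`, applied at every point where database content meets the HTML template, together with parameterised queries on the input side so the injection cannot reach the tables in the first place.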