Re: [Full-disclosure] Selling Exploit on Deep Web

of being shit based > on it's lack of interesting information when obviously hacktalk is a plethora > of information, expertise and semen samples. > > > On Fri, Dec 21, 2012 at 2:44 PM, Luis Santana wrote: > Lulz? Sorry bro but uh, the main page runs SMF not WeBid so I'

Re: [Full-disclosure] Selling Exploit on Deep Web

uot;test"); > $result = array_merge($array1, $array2); > print_r($result); > ?> > Array > ( > [color] => test > ) > > So as we can overwrite any array value, we have SQLi across the application. > Maybe a first 0day for hacktalk.net? > > I will tak

Re: [Full-disclosure] Selling Exploit on Deep Web

Hella l33t bro, you can read an email address. Much propz On Dec 21, 2012, at 3:22 AM, Benji wrote: > in other news, have you heard of the super cool site hacktalk.net where they > almost have 1000 members? > > > On Thu, Dec 20, 2012 at 3:13 PM, Luis Santana wrote: > No

Re: [Full-disclosure] Selling Exploit on Deep Web

Not a single fucking exploit on the entire site. gg sir, gg On Dec 10, 2012, at 2:17 PM, tig3rh...@tormail.org wrote: > In Deep Web has created a new online site a few days ago that allows you > to sell even exploits, malware, etc. etc.. > The site works like Ebay so everything is auctioned. >

Re: [Full-disclosure] posting xss notifications in sites vs software packages

Typically if you are in the US, are testing a server in the US owned by a company headquartered in the US it is legal to find Reflective XSS so long as you don't crash any services. Crashing any services can be seen as a DoS attack and then you are screwed. Moreover if you crash a service and cost

Re: [Full-disclosure] posting xss notifications in sites vs software packages

Typically you will run into instances where a website is employing a custom CMS/plugin/module/whatever and as such there may not be a specific software to call out as the one at fault. It's like finding an XSS in Microsoft, 99% chance they are running their own custom CMS so at that point you are

Re: [Full-disclosure] Vulnerability-lab.com XSS

So today I was threatened with legal action by Rem0ve of the Vulnerability-Lab crew after talking with X4lt (who is MUCH more pleasant to speak with btw). Apparently due to the fact that I don't want to remove my blog post about it Rem0ve got a bit upset. Apparently freedom of speech isn't importan

[Full-disclosure] Vulnerability-lab.com XSS

Earlier today I tried to contact the people over at http://vulnerability-lab.com about an XSS vulnerability I found on their site (ironic) but it appears they want nothing to do with me. Praise Full-Disclosure. [image: Vulnerability-lab.com XSS - HackTalk Security] h

Re: [Full-disclosure] Google open redirect

As for minimal risk I personally don't agree. I have leveraged Unvalidated URL Redirections in the past to attack clients of sites all the time. It's highly trivial to point to a site with a metasploit browser bug patiently waiting and amass quite a large number of sessions in a short period of tim