I'm not really into Twitter, but I decided to see how hard it would be to write a command-line client. Net::Twitter made it easy at 13 lines.
http://spl0it.org/files/twitter.pl
Regards,
Jabra

I would like to clarify the impact of URL redirects in this posting. First put yourself in the shoes of an attacker with a specific organization as the target.

So where to start? Well, first we need to decide if we are going to attack IPs or users. Since it is generally known that people are always the weakest link in an environment, we will start there.

Now we can use a few tricks to enumerate all the email addresses of the target organization. One common method is to use public GnuPG/PGP key servers and search for employees who have their public key listed on one of the key servers. If you're like me, you would just script this process already.

Another method is using web services to enumerate a listing of employees for the organization. There are tons of web services related to social networking in the corporate environment. My favorites for this task are Spoke and LinkedIn.

Once we have a listing of employees, we can determine the scheme that is used in building email addresses. One example is a combination of the first character of the first name and the last name:

Ex: Bob Smith -> bsmith@domain.com

Once we have a listing of employees, a domain (ARIN will give us this easily, if it isn't obvious) and the email scheme, we can build an email list for all the employee names we have gathered using some Perl.
(Reference: http://spl0it.org/blog/index.php?entry= ... 103-224033 )

Now that we have the email addresses, we can exploit their trust in a common website. I mean we could even send the user the link without any explanation at all, but it depends on how creative we want to be.
(Reference: http://spl0it.org/blog/index.php?entry= ... 012-200242 )

This allows us to send the users to the attacker's server, where we can have something like Metasploit, BeEF or another form of client-based attack payload waiting for them. Here is a video of BeEF on BackTrack 3 that includes some of the basic attacks that can be used.
http://spl0it.org/files/vids/bt3-beef.avi

To sum this up, we now have a method to attack an organization without even needing to perform a single external vulnerability scan. Cross-Site Scripting is a great attack vector when we know that the organization we are attacking is vulnerable. However, if we need to start attacking users and Cross-Site Scripting isn't an option, we can just use a commonly mis-trusted website with a redirect vulnerability. We can even use xssed.com to look for vulnerabilities in websites the target organization may trust, perhaps their partner's website?
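
Seen from the receiving organization's side, links of this kind can be flagged at the mail gateway or proxy before a user clicks them. The following Python is an added example, not code from the original post: it reports query parameters whose value is a URL on a different site from the one serving the link. The sample links, their hosts, and the `dest` and `next` parameter names are constructed for illustration, and the same-site check is a plain label-boundary suffix match with no public-suffix list.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample links; every host and the "dest"/"next" parameters are hypothetical.
SAMPLE_LINKS = [
    "http://images.search.example/imgres?imgurl=http://news.example.net/pic.jpg",
    "http://images.search.example/fr?q=s&dest=http%253A%252F%252Fnews.example.net%252F",
    "http://portal.example/go?next=//portal.example.other.test/login",
    "http://portal.example/go?next=http://help.portal.example/faq",
    "http://portal.example/search?q=how+to+use+http",
]

def _decode(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def _same_site(host, site):
    """Match on a label boundary so portal.example.other.test != portal.example."""
    return host == site or host.endswith("." + site)

def offsite_targets(link, trusted_sites=()):
    """Return [(param, host)] for query values that are URLs on another site."""
    parts = urlsplit(link)
    origin = (parts.hostname or "").lower()
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = _decode(value).strip()
        if value.startswith("//"):  # scheme-relative target inherits the scheme
            value = f"{parts.scheme}:{value}"
        try:
            target = urlsplit(value)
        except ValueError:  # malformed value, e.g. a broken IPv6 literal
            continue
        host = (target.hostname or "").lower()
        if target.scheme not in ("http", "https") or not host:
            continue
        if any(_same_site(host, s) for s in (origin, *trusted_sites)):
            continue
        findings.append((name, host))
    return findings

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(offsite_targets(link) or "ok", link)
```

Passing partner or CDN domains in `trusted_sites` suppresses findings for destinations the organization already expects.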

Regards,
Jabra

I have discussed the impact of URL redirects in a previous posting, and I'm really shocked at how easy it was to find numerous instances of redirects in common search engines.

I noticed the issue when a friend of mine posted a link on IRC to an image that he found using the image search on Google. As a security professional I didn't see a normal link; all I saw was a URL redirect.

Ex: http://images.DOMAIN.com/search?imgref= ... ol_pic.jpg

Google is not the only site with this type of issue; other sites like Yahoo, Lycos and Ask.com have similar issues.

http://images.google.com/imgres?imgurl= ... ://cnn.com
http://images.search.yahoo.com/images/v ... ://cnn.com
http://images.ask.com/fr?q=s&destur ... m&fm=i
http://search.lycos.com/image.php?tab=m ... ://cnn.com

RSnake made a post about redirects in Google back in 2006. One of his examples was the images.google.com link listed above.

So I guess the real question is, if these companies know about the issues, why don't they fix them??

Surf with care!

Regards,
Jabra

Need to look up a User Agent and get a description? There has been some discussion about User Agent DBs on the web app sec mailing list recently, so I decided to write up a quick Perl script to utilize an XML User Agent DB.
Code can be found at: http://spl0it.org/files/ua_lookup.pl

You can also modify the code to use the URL instead of grabbing a local copy if you want. As always, please let me know what you think.

Regards,
Jabra

After getting home from an awesome game, I was in the mood to write some more Perl! I found a few more things during the day that I wondered how I was able to go without writing them already. The first is intersection and the second is union. They do exactly what you think they do and keep things very simple, keeping with the UNIX way. "Do one thing, do it well!"

Anyways, perhaps I'm just tired but I wasn't aware of a tool that provided the functionality I needed. Therefore, I did what I always do, rolled my own.

$ cat file1

The scripts can be found at:
http://spl0it.org/files/intersect.pl
http://spl0it.org/files/union.pl

Let me know what you think.

Regards,
Jabra