It's About Security
2007-2008 XSS NEWS

Implemented a few more stuff into kisview (some fixes, parse Windows anouncement packets, silently resolve IP addresses, …).

Black Hat Europe 2008 Media Archives are online. Worth checking out.

Wordpress 2.5 was released and it has a bunch of important security improvements.
Quoting from the release post:

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper. which is something like user name|expiration time|HMAC( user name|expiration time, k) where k = HMAC(user name|expiration time, sk) and where sk is a secret key, which you can define in your config.

// Change SECRET_KEY to a unique phrase.  You won’t have to remember it later,
// so make it long and complicated.  You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define(’SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.

You need to set your SECRET_KEY from wp-config.php

$wpdb->prepare() — now almost all of the SQL in WordPress is prepared first, and the same functions are available to your plugins. This should prevent elementary SQL escaping issues.

That should solve a few problems. Nice work:)

Here is an interesting read: some guys are starting in the mailing/spamming business and they are telling their story step by step. Found this thread on the wickedfire forums. don’t want to refer the article directly, just go to wickedfire.

Here are a few excerpts from their “experience”:

okay, this thread will be about my journey into email marketing.

We bought
–5 user license from STEDB
–2 C-Blocks,3 servers, two mailers and 1 database server from Big Sky - we are colocating with them as well.
–a boatload of data from Eclipse
–500 domain names from Moniker (com’s and net’s)

SYSTEM UPDATE: our servers are up, we have gone through our initial training on STEDB, loaded our names, and started building out campaigns. We will be mailing campaigns starting tomorrow. In my next post, I will talk about our testing strategy (and hopefully get some feedback if it makes any sense!)

Our strategy is to send 250k emails out over a 5 day period to twenty different offers to begin our process of sorting winners that we will then mail out to our entire list. So, each day we are going to send 50K to each. In the next week, we will take the most profitable (top five probably) and get them mailed out to the entire list. One of the first challenges we have ran into is how to make sure that we do not over mail any one address. We have 11mm unique emails we are starting with, but there is a concern that we may not be getting the best distribution across our entire list.

Well, day 1 was complete. We send out only 1mm messages as we wanted to test out some various ads to see which one we would go with. (see previous post about our testing method). On first thought, I believe our sample size is too low. We went with 50K messages to the same offer over 5 days. Well, the clicks off 50K messages are so small that it is really to hard to make any true decisions on the sales side. So, we are going to up that to 500K per offer, test less offers.

Out of the gate we ran into some problems with our mail servers, which STEDB quickly fixed. It was exciting to see mail go out the door.

Our hard bounce rate wasn’t so bad, about 13%, which on review and discussion with others is great. Anything below 20% on a first mailing and you are clear.

the Soft bounce rate was a higher than we expected and all over the map. sometimes we would have 40K+ delivered in a 50K sample, other times we would only get 10K in (delivered can also mean junk folder).

The data we are going to look at tonight to prune the list is the ratio of opens, unsubs from our list, and click throughs. I will give a more detailed update at the end of the week.

Day 3, fun and games continue! We changed our strategy today, sending out 1M email to 4 offers. Tommorrow, we will send out 2M emails to 4 offers, and friday, we are going to try and push 2M email to one offer. So far, here is an example of what we are doing

(this one launched 12 hours ago)

To Send = 269000
Delivered = 155000
Defered =100000
Bounced = 14000
Opens = 662
Clicks = 167
Unsubs = 58
Sales = 2

These are general internet mailings, with using approved creative and sub lines from the affiliates (working with recos from azoogle, neverblue, copeac)

Now, the clicks are split 60/40 between the actual offer and the offer unsub link, in this case we only have about 96 folks who really looked at the deal.

I was really suprised at the total number of unsubs (ours + the offers) relative to the clicks. I thought it would be high, but in reality it is equal if not greater.

Obviously alot of those Delivered are getting in the junk folder instead. I am estimating in this case maybe only 20,000 of the the ToSend are actually in the inbox (going of an number of expecting 15 clicks per thousand delivered in the inbox).

So, we pushed out 1.7M emails today to one offer to get a sense for what larger numbers would produce. We pulled out comcast, att, rr, etc. so we where left with only small ISP and true general interent (so we thought).

I excluded rr.com in my email domains. Of course, road runner ends in that, but the whole domain is something very different! I did not think to ask about wild cards until that very moment! (STEDB does have wild cards, to exclude all rr.com ‘%rr.com’ will do it). Get your mistakes out of the way early!

We have finished setting up all the FBLs we can find, and will start pushing out Yahoo, AOL, etc. next week in LOW volume at first (around 500-1000 mails per ip / per ISP / per domain) around 220K to each one of them.

Our total click through is still not great. On the mailing this morning it looked like this:

to send = 1.77M
deffered = 600K (almost all road runner)
bounced ~170k (first mailing against this list segment, so happy with this)
delivered ~ 1M
Opened - 5300
clicked - 614 (split 50/50 between the offer and the offer unsub)
Unsub - 65

We got an email in our notprocess folder the past two days from a company that has blacklisted us. the message starts with

“Remain calm! Please read all of this message before acting.

We have received mail from your site that our system thinks is junk
mail, because it was sent to a `spambait’ address. We have therefore
made an entry for you in our blacklist for the offending system’s IP…”

Of course, they have whacked with the header so we cannot tell which email address is was. Fun! What investigative process do you use to find folks like this?

There were some interesting attacks in the past days. All of them are exploiting XSS (cross site scripting) vulnerabilities.
I’ve been discussing my colleagues about them and here is what I think is happening:

1. Some hacker(s) finds a bunch of vulnerable websites (that’s easy, there are a lot of vulnerable websites or if you are lazy just take them from here).

2. Prepare a list of URLs with XSSes included in the URL. Something like
http://www.somewebsite.com/vulnerablescript.php?q=some+popular+words+and+iframe+src=hackersite strong=""

3. Prepare a page with browser exploits or just old tricks (like a neverending popup storm - A common use will never figure out how to excape from it and at some point will get tired on clicking No/Cancel and just click Open)

4. Post the XSS URLs on a bunch of blogs (think Blogspot = Google) and wait for google to index them.

5. Profit (When users will search for your popular words, the indexed XSSes will appear in the search results). /iframe+src=hackersite

Pretty interesting usage of XSS.

More Background on XSSNews.com

XSSNews.com is a specialized website focused on web application security, with a particular emphasis on cross-site scripting (XSS) vulnerabilities. Since its inception in the late 2000s, the site has served as a resource for security professionals, developers, and enthusiasts seeking timely news, technical analysis, and insights about XSS and related web security topics. This article provides a detailed exploration of XSSNews.com, including its history, ownership, audience, content, reputation, and its broader significance within the cybersecurity landscape.

History and Background

XSSNews.com emerged during a period of increased awareness and concern about web application security. The early 2000s saw a dramatic rise in the discovery and exploitation of XSS vulnerabilities, which quickly became one of the most prevalent and damaging types of web application flaws. The site was created to document, analyze, and discuss developments in XSS, catering to a growing audience of security professionals and developers who needed up-to-date information and technical guidance.

Over the years, XSSNews.com has evolved into a recognized resource within the web security community. Its archives from the late 2000s are still referenced in technical literature and security research, reflecting its longstanding presence and influence in the field.

Ownership and Location

There is limited publicly available information regarding the ownership and organizational structure of XSSNews.com. The site appears to be independently operated, likely by one or more individuals with a strong interest and expertise in web application security. There is no indication of corporate backing or a large editorial team, which is typical for many specialized security resources. The site’s content and approach suggest a global perspective, addressing issues relevant to the international security community.

Content and Features

News and Analysis

XSSNews.com is known for its timely updates on newly discovered vulnerabilities, security incidents, and trends in web application security. Its posts often include:

• Technical breakdowns of XSS vulnerabilities

• Real-world attack examples and exploit techniques

• Discussions of mitigation strategies and best practices

Technical Resources

The site provides in-depth technical articles, including code samples, explanations of common pitfalls, and guidance on secure coding practices. These resources are valuable for both novice and experienced developers seeking to understand and prevent XSS vulnerabilities in their applications.

Community Engagement

XSSNews.com fosters discussion and knowledge sharing within the security community. Readers often engage through comments, sharing their own experiences, solutions, and insights related to XSS and web security.

Audience and Popularity

XSSNews.com’s primary audience consists of:

• Security professionals and researchers

• Web developers and engineers

• IT administrators

• Students and educators in cybersecurity

The site is frequently referenced in academic papers, technical blogs, and online forums, highlighting its reputation as a trusted source of information on XSS. Its popularity is driven by the quality and relevance of its content, as well as its focus on a critical area of web security.

Reputation and Reviews

Within the cybersecurity community, XSSNews.com is regarded as a reliable and authoritative resource. It is often cited in discussions about XSS vulnerabilities, both for its technical depth and its practical advice. Users appreciate the site’s clear explanations, real-world examples, and commitment to staying current with emerging threats and solutions.

Press and Media Coverage

XSSNews.com has been mentioned in various security blogs, technical articles, and industry reports. Its coverage of significant XSS incidents and trends has contributed to broader awareness and understanding of web application security issues. The site’s technical analyses are sometimes referenced by journalists and researchers reporting on major security events.

Cultural and Social Significance

The site plays an important role in the web security ecosystem by:

• Raising awareness about the risks and impact of XSS vulnerabilities

• Promoting secure coding practices and responsible disclosure

• Supporting the professional development of security practitioners and developers

XSSNews.com’s focus on technical accuracy and practical advice has helped shape the conversation around XSS and web application security, influencing both industry practices and academic research.

Technical Details and Insights

XSSNews.com’s articles often delve into the specifics of XSS vulnerabilities, including:

• How attackers exploit input validation and output encoding errors

• The importance of secure development frameworks and libraries

• Real-world case studies of XSS attacks and their consequences

The site also discusses related topics such as content security policies (CSP), browser security features, and the evolving landscape of web application threats.

Examples and Impact

Example 1: Developer Guidance

A developer seeking to secure a web application might consult XSSNews.com for best practices on input validation and output encoding, benefiting from the site’s clear explanations and sample code.

Example 2: Security Research

A security researcher investigating a new XSS vulnerability could reference XSSNews.com’s technical analyses to better understand attack vectors and mitigation strategies.

Comparison with Other Security Resources