It's About Security
2007-2008 XSS NEWS

Implemented a few more stuff into kisview (some fixes, parse Windows anouncement packets, silently resolve IP addresses, …).

Black Hat Europe 2008 Media Archives are online. Worth checking out.

Wordpress 2.5 was released and it has a bunch of important security improvements.
Quoting from the release post:

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper. which is something like user name|expiration time|HMAC( user name|expiration time, k) where k = HMAC(user name|expiration time, sk) and where sk is a secret key, which you can define in your config.

// Change SECRET_KEY to a unique phrase.  You won’t have to remember it later,
// so make it long and complicated.  You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define(’SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase.

You need to set your SECRET_KEY from wp-config.php

$wpdb->prepare() — now almost all of the SQL in WordPress is prepared first, and the same functions are available to your plugins. This should prevent elementary SQL escaping issues.

That should solve a few problems. Nice work:)

Here is an interesting read: some guys are starting in the mailing/spamming business and they are telling their story step by step. Found this thread on the wickedfire forums. don’t want to refer the article directly, just go to wickedfire.

Here are a few excerpts from their “experience”:

okay, this thread will be about my journey into email marketing.

We bought
–5 user license from STEDB
–2 C-Blocks,3 servers, two mailers and 1 database server from Big Sky - we are colocating with them as well.
–a boatload of data from Eclipse
–500 domain names from Moniker (com’s and net’s)

SYSTEM UPDATE: our servers are up, we have gone through our initial training on STEDB, loaded our names, and started building out campaigns. We will be mailing campaigns starting tomorrow. In my next post, I will talk about our testing strategy (and hopefully get some feedback if it makes any sense!)

Our strategy is to send 250k emails out over a 5 day period to twenty different offers to begin our process of sorting winners that we will then mail out to our entire list. So, each day we are going to send 50K to each. In the next week, we will take the most profitable (top five probably) and get them mailed out to the entire list. One of the first challenges we have ran into is how to make sure that we do not over mail any one address. We have 11mm unique emails we are starting with, but there is a concern that we may not be getting the best distribution across our entire list.

Well, day 1 was complete. We send out only 1mm messages as we wanted to test out some various ads to see which one we would go with. (see previous post about our testing method). On first thought, I believe our sample size is too low. We went with 50K messages to the same offer over 5 days. Well, the clicks off 50K messages are so small that it is really to hard to make any true decisions on the sales side. So, we are going to up that to 500K per offer, test less offers.

Out of the gate we ran into some problems with our mail servers, which STEDB quickly fixed. It was exciting to see mail go out the door.

Our hard bounce rate wasn’t so bad, about 13%, which on review and discussion with others is great. Anything below 20% on a first mailing and you are clear.

the Soft bounce rate was a higher than we expected and all over the map. sometimes we would have 40K+ delivered in a 50K sample, other times we would only get 10K in (delivered can also mean junk folder).

The data we are going to look at tonight to prune the list is the ratio of opens, unsubs from our list, and click throughs. I will give a more detailed update at the end of the week.

Day 3, fun and games continue! We changed our strategy today, sending out 1M email to 4 offers. Tommorrow, we will send out 2M emails to 4 offers, and friday, we are going to try and push 2M email to one offer. So far, here is an example of what we are doing

(this one launched 12 hours ago)

To Send = 269000
Delivered = 155000
Defered =100000
Bounced = 14000
Opens = 662
Clicks = 167
Unsubs = 58
Sales = 2

These are general internet mailings, with using approved creative and sub lines from the affiliates (working with recos from azoogle, neverblue, copeac)

Now, the clicks are split 60/40 between the actual offer and the offer unsub link, in this case we only have about 96 folks who really looked at the deal.

I was really suprised at the total number of unsubs (ours + the offers) relative to the clicks. I thought it would be high, but in reality it is equal if not greater.

Obviously alot of those Delivered are getting in the junk folder instead. I am estimating in this case maybe only 20,000 of the the ToSend are actually in the inbox (going of an number of expecting 15 clicks per thousand delivered in the inbox).

So, we pushed out 1.7M emails today to one offer to get a sense for what larger numbers would produce. We pulled out comcast, att, rr, etc. so we where left with only small ISP and true general interent (so we thought).

I excluded rr.com in my email domains. Of course, road runner ends in that, but the whole domain is something very different! I did not think to ask about wild cards until that very moment! (STEDB does have wild cards, to exclude all rr.com ‘%rr.com’ will do it). Get your mistakes out of the way early!

We have finished setting up all the FBLs we can find, and will start pushing out Yahoo, AOL, etc. next week in LOW volume at first (around 500-1000 mails per ip / per ISP / per domain) around 220K to each one of them.

Our total click through is still not great. On the mailing this morning it looked like this:

to send = 1.77M
deffered = 600K (almost all road runner)
bounced ~170k (first mailing against this list segment, so happy with this)
delivered ~ 1M
Opened - 5300
clicked - 614 (split 50/50 between the offer and the offer unsub)
Unsub - 65

We got an email in our notprocess folder the past two days from a company that has blacklisted us. the message starts with

“Remain calm! Please read all of this message before acting.

We have received mail from your site that our system thinks is junk
mail, because it was sent to a `spambait’ address. We have therefore
made an entry for you in our blacklist for the offending system’s IP…”

Of course, they have whacked with the header so we cannot tell which email address is was. Fun! What investigative process do you use to find folks like this?

There were some interesting attacks in the past days. All of them are exploiting XSS (cross site scripting) vulnerabilities.
I’ve been discussing my colleagues about them and here is what I think is happening:

1. Some hacker(s) finds a bunch of vulnerable websites (that’s easy, there are a lot of vulnerable websites or if you are lazy just take them from here).

2. Prepare a list of URLs with XSSes included in the URL. Something like
http://www.somewebsite.com/vulnerablescript.php?q=some+popular+words+and+iframe+src=hackersite strong=""

3. Prepare a page with browser exploits or just old tricks (like a neverending popup storm - A common use will never figure out how to excape from it and at some point will get tired on clicking No/Cancel and just click Open)

4. Post the XSS URLs on a bunch of blogs (think Blogspot = Google) and wait for google to index them.

5. Profit (When users will search for your popular words, the indexed XSSes will appear in the search results). /iframe+src=hackersite

Pretty interesting usage of XSS.