Topic: narayan - attempted code injection - page 2. (Read 6604 times)

legendary
Activity: 1708
Merit: 1020
August 16, 2013, 01:52:42 PM
#17
He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.

Are you saying you actually put up a link to that scammers website?
hero member
Activity: 767
Merit: 500
August 16, 2013, 12:51:50 PM
#16
To protect against this, I think it's certainly worth putting ads in iframes on a different origin - e.g. bitcointalkusercontent.org

Will
administrator
Activity: 5222
Merit: 13032
August 16, 2013, 11:48:19 AM
#15
LOL, thanks!
donator
Activity: 1419
Merit: 1015
August 16, 2013, 10:26:07 AM
#14
I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs.

On this topic, I remember a while back there was an image loading exploit that IE had a few years back, but it was wholly unreliable as an exploit till someone figured out they could use CSS to heap-spray just prior to the image load, thus making it work every time. I forget all the details, but yeah, CSS (or at least the way IE handles it) is far from perfectly safe.

That said, they really only should be able to load things under the user's credentials, but on a Windows box that's typically "good enough" to do some damage.
legendary
Activity: 858
Merit: 1000
August 16, 2013, 09:41:13 AM
#13
I wonder what he would have put there...
legendary
Activity: 1792
Merit: 1008
/dev/null
August 16, 2013, 09:10:28 AM
#12
mad skiddys Smiley
legendary
Activity: 1652
Merit: 1128
August 16, 2013, 03:52:33 AM
#11
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon Wink

Somebody sounds mad.
legendary
Activity: 1511
Merit: 1072
quack
August 16, 2013, 02:22:26 AM
#10
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon Wink

Whoa, they always return with this same "you busted me, now I will ddos you!!!". Do some legit stuff.. Pays better Smiley
staff
Activity: 4284
Merit: 8808
August 16, 2013, 02:08:30 AM
#9
I'd suggest that you also implement some protections just in case something clever gets past your eyes.

Beyond some programmatic 'xss' matching, one idea would be to iframe the html/css ads on another domain, so even if they do go rogue the browser sandboxing will rescue you.

I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs.
donator
Activity: 1218
Merit: 1015
August 16, 2013, 02:02:36 AM
#8
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon Wink
Jesus, that guy plays a lot of dice.

ETA @ deleted post: lol, yeah - I bet you just RELAYED them. Cheesy
member
Activity: 98
Merit: 10
I do not sell Bitcoins. I sell SHA256(SHA256()).
August 16, 2013, 01:59:41 AM
#7
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon Wink
administrator
Activity: 5222
Merit: 13032
August 16, 2013, 01:46:59 AM
#6
He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.

Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; especially considering how tempting of a target users of the forum are...

They're safe when someone is manually reviewing them. It actually wouldn't be all that difficult to automatically verify that ads are OK: CSS can never be a security risk, and a small whitelist of known-safe HTML tags and attributes would prevent other attacks. I may add automatic verification if I ever automate the ad system, though some sort of manual approval will always be required because the ad content and size also need to be checked. (Automatically checking an ad's actual screen size seems difficult.)

HTML/CSS ads are much smaller byte-wise; they can be seen by text browsers, search engines, and the visually-impaired; people can deal with them more naturally (copy/paste, etc.); they can do things that images can't do; and ad blockers can't block them as easily. They are clearly superior to image ads in almost every way.
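An added example (not code from this thread or the forum's own ad system) of the automatic verification the administrator sketches in #6, combined with the CSS concern raised in #9 and #14: an allowlist of HTML tags and attributes, plus a deny-list of CSS constructs that pull remote assets (web bugs, image-parser exploits) or that older IE/Firefox treated as executable code. The allowlist policy and the two sample ads are assumed/constructed; this is only the review step and still sits alongside the separate-origin iframe suggested in #9 and #16.

```python
import re
from html.parser import HTMLParser

# Assumed allowlist policy for text ads (not the forum's actual rules).
ALLOWED_TAGS = {"a", "b", "i", "u", "span", "div", "br"}
ALLOWED_ATTRS = {"a": {"href", "class", "title"}, "span": {"class"}, "div": {"class"}}
# CSS constructs that load remote assets (web bugs, image-parser exploits)
# or that older browsers treated as executable code (expression(), behavior:, XBL).
CSS_DENY = re.compile(
    r"url\s*\(|@import|expression\s*\(|behavior\s*:|-moz-binding|javascript:", re.I)

class AdChecker(HTMLParser):
    """Collects every tag/attribute that falls outside the allowlist."""
    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.problems.append(f"attribute {name!r} on <{tag}> not allowed")
            elif name == "href" and not re.match(r"https?://", value or "", re.I):
                self.problems.append(f"href must be absolute http(s), got {value!r}")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <br/> like <br>

def check_css(css):
    return [f"css construct {m.group(0).strip()!r} not allowed"
            for m in CSS_DENY.finditer(css)]

def check_ad(html, css):
    """Return a list of problems; an empty list means the ad passed review."""
    parser = AdChecker()
    parser.feed(html)
    parser.close()
    return parser.problems + check_css(css)

# Constructed sample ads: a benign one, and one carrying the kinds of
# content the allowlist is meant to stop (event handler, script, js: URL, remote CSS fetches).
GOOD_HTML = '<div class="ad"><a href="http://example.com/">Buy</a><br/></div>'
GOOD_CSS = ".ad {width:620px;height:40px;background:linear-gradient(to bottom,#a3d802 0%,#bf6e4e 98%);}"
BAD_HTML = ('<div class="ad" onmouseover="x()"><script>alert(1)</script>'
            '<a href="javascript:void(0)">Go</a></div>')
BAD_CSS = ".ad {background:url(http://tracker.example/pixel.gif);} @import 'http://evil.example/x.css';"
```

Calling `check_ad(GOOD_HTML, GOOD_CSS)` returns an empty list, while `check_ad(BAD_HTML, BAD_CSS)` lists five problems (three in the HTML, two in the CSS).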
legendary
Activity: 1764
Merit: 1000
August 16, 2013, 01:40:03 AM
#5
Off to my next account Wink

just out of curiosity, do you break even as a semi-professional scammer with little to no success?
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
August 16, 2013, 01:32:53 AM
#4
Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; especially considering how tempting of a target users of the forum are...
donator
Activity: 1419
Merit: 1015
August 16, 2013, 01:31:52 AM
#3
Quite embarrassing.

Good catch.
member
Activity: 98
Merit: 10
I do not sell Bitcoins. I sell SHA256(SHA256()).
August 16, 2013, 01:31:44 AM
#2
Off to my next account Wink
administrator
Activity: 5222
Merit: 13032
August 16, 2013, 01:15:49 AM
#1
Here's an ad that was sent to me:

Sent to the address!

Here is my CSS code:

Code:
.minefieldadm {width:620px;height:40px;overflow:hidden;font-family:Verdana;font-size:14px;border:1px solid #000;display:inline-block;background: #a3d802;  background: -moz-linear-gradient(top, #a3d802 0%, #11a301 3%, #8ac916 6%, #f0b7a1 34%, #8c3310 50%, #752201 93%, #bf6e4e 98%);  background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#a3d802), color-stop(3%,#11a301), color-stop(6%,#8ac916), color-stop(34%,#f0b7a1), color-stop(50%,#8c3310), color-stop(93%,#752201), color-stop(98%,#bf6e4e));  background: -webkit-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);  background: -o-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);background: -ms-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);  background: linear-gradient(to bottom, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);  filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#a3d802', endColorstr='#bf6e4e',GradientType=0 );}
.minefieldshader {font-size: 155%;color: #FFFFFF;text-shadow: 0px 0px 8px rgba(0, 0, 0, 1);background: #b4e391;  background: -moz-linear-gradient(45deg, #b4e391 0%, #149b51 22%, #75e01d 27%, #369b14 62%, #5cdb1c 69%, #5cdb1c 86%, #b4e391 100%);  background: -webkit-gradient(linear, left bottom, right top, color-stop(0%,#b4e391), color-stop(22%,#149b51), color-stop(27%,#75e01d), color-stop(62%,#369b14), color-stop(69%,#5cdb1c), color-stop(86%,#5cdb1c), color-stop(100%,#b4e391));background: -webkit-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%);  background: -o-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%);}