View anyone's photos on MySpace.

November 6th, 2007



A security hole found by Matthew T allows anyone to view the photos of any MySpace profile, even if it is set to private.

All you have to do is type in the URL below, then replace the x's with the friend ID of the profile you want to view.

http://www.myspace.com/services/media/photosXML.ashx?friendid=xxxxxxxx

Then copy the file URL and paste it into a new window.

Here is a bookmarklet to simplify the process; just drag the link below to your bookmark toolbar.

View Photos

OctalMage

Buy Jason a cup of coffee.

Paysites Beware.

August 18th, 2007

Have you ever wondered how Google gets sites indexed that you have to pay for? You click the link with the perfect answer to your question, but you have to pay for it. In this article I will show you a hole many of these sites open in order to get indexed by Google. Note, this is only an educational article and nothing else.

If you look at it, the only thing separating me from Googlebot is my user agent string, at least as far as the website is concerned.

“When you visit a Web page, your browser sends the user-agent string to the server hosting the site that you’re visiting. This string indicates which browser you’re using, its version number, and details about your system, such as operating system and version. The Web server can use this information to provide content that is tailored for your specific browser.” Taken from MSDN.

So all you should have to do is send them a modified user agent string, right? But it can’t be that easy, can it?

Well, it is that easy, and this is how to do it.

Firefox users, just install this extension, then restart your browser. After the restart, import this file (right click and save), which has a huge list of user agent settings including Googlebot/2.1 and many other spiders/bots. To import, click Tools in your toolbar, then User Agent Switcher…

Then options, and options again.

Now an options window should come up. Click Useragents.

When you click Import, it will ask you for a file; just select the one you downloaded above.

Now if you go back to Tools -> User Agent Switcher, you should see a ton of different agents. Just select one and, bam, that's what you become. To check it, go here and look under User Agent to see what it thinks you are.

If you are using a browser other than Firefox, refer here to find out how to do this.

That's all you have to do. Isn’t that sad? These pay sites open a very big hole just because they want free advertising on Google. I guess that's the price they pay for getting greedy.

If you have a pay site and you want to advertise on Google, use AdWords. With the money you are making on your site, you can afford it. I would hate to see you lose money on all your good content because people are getting in for free.
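The hole above exists because the site trusts the User-Agent header, which any client can set. Google's documented way for a site to tell a real crawler from a spoofed one is a reverse DNS lookup on the client IP (the PTR must land in googlebot.com or google.com) followed by a forward lookup that must resolve back to the same IP. The check below is an added example, not code from this post or from Google; the `socket` calls are the real standard library, and the resolver functions are injectable so the logic can be tested with constructed DNS tables.

```python
import socket
from typing import Callable, List, Optional

# Hostname suffixes Google documents for its crawlers. The leading dot matters:
# "x.fakegooglebot.com" must not match.
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def dns_reverse(ip: str) -> Optional[str]:
    """PTR lookup: IP -> hostname, or None if the IP has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def dns_forward(hostname: str) -> List[str]:
    """A-record lookup: hostname -> all IPv4 addresses, or [] on failure."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except (socket.gaierror, OSError):
        return []


def is_verified_googlebot(ip: str,
                          reverse: ReverseLookup = dns_reverse,
                          forward: ForwardLookup = dns_forward) -> bool:
    """PTR must be in a Google crawler domain AND resolve back to the same IP.
    A client controls its UA string and often its own PTR record, but not
    the forward zone of googlebot.com, so the round trip is what proves it."""
    host = reverse(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
        return False
    return ip in forward(host)


def classify_request(ip: str, user_agent: str,
                     reverse: ReverseLookup = dns_reverse,
                     forward: ForwardLookup = dns_forward) -> str:
    """What the paywall should do: 'visitor' sees the paywall, 'crawler' gets
    the indexable content, 'spoofed' claims Googlebot but failed the DNS check."""
    if "Googlebot" not in user_agent:
        return "visitor"
    if is_verified_googlebot(ip, reverse, forward):
        return "crawler"
    return "spoofed"
```

A "spoofed" result is worth logging separately from ordinary visitors, since it is exactly the user agent switch described above.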

OctalMage

Edit: and it's back.


XSS, how to find and prevent.

August 15th, 2007

XSS (cross-site scripting) is a type of computer security vulnerability typically found in web applications which allows malicious web users to inject code into the web pages viewed by other users. This has become a very big problem recently as more people know how to find and exploit it. In this post I will show you how to see if your web app has this vulnerability and how you can fix it.
In this tutorial I am using Flock (a Firefox-based browser), Greasemonkey, and WhiteAcid’s XSS Assistant.

If you have any trouble installing Greasemonkey, click here.

When you install the XSS Assistant or Greasemonkey, they are both off by default, so first we need to turn them on.

Now you should see the little XSS button above the input.

Click it.

Now select XSS Locator from the second drop-down box.

Then hit apply.

The page will get really weird and look something like this.

This means you did it correctly. The XSS Locator puts in all kinds of crazy things to see if it can trick the page. When you hit Apply, it places them in all the inputs on the page.

So now if we hit Search, it should bring up the Google search results. As you can see, Google does a very good job of filtering the bad stuff out. If the injection had been successful, we would have seen an alert that said XSS.

I did a little googling and found a website that didn’t do so well.

When I tried this test on that website, I saw the alert box.

I know what you're thinking: “What harm can a pop-up do?” Well, the pop-up isn't the bad part. Once script runs, an attacker can easily insert an iframe that covers the whole page and basically phish whatever information they want, but on the site's own domain. Maybe now you can see why this is a big problem.

To prevent this from happening, I use the code located here. I, as well as many others, have tried everything on this test against it and haven’t been able to break it yet, so I think it is pretty safe.

Happy Hacking,

OctalMage
