With reading for tomorrow on honeynets and next Tueday on Stuxnet.

So I was visiting a website that I frequent pretty often to download recordings (non-copyright, legal fyi) and check the latest posts on the forum (link not included for security). Then recently, I searched for a recording and noticed that the search entry was displayed on the page:

Well, are you thinking what I’m thinking?

I decided to enter a :
<script> alert(“H@CKED”) </script>
and sure enough

This page rank 5 website was indeed vulnerable to cross site scripting.
To test what inputs could be put in I decided to see if standard html would display correctly, perhaps a paypal buy now button?

And to get rid of the ” in Track’s Title…”, one could just put in a <!– to comment it out:

What’s even worse is that the search entry is made via a GET in the URL.

Now this is a big problem. An attacker just needs to craft a URL and get some one to click on to potentially:

• Convince them that they can donate to the website, when they are really donating to the attacker
• Steal account login via javascript, which is a particular problem given that the forum has over 8000 users

The best way to deal with this problem would be to sanitize inputs or display them as text, escaping from the html

In order to deal with this ethically, the administrator of the website will be contacted and informed. A public
announcement will be made 30 days after informing the administrator if no change is made.

In case anybody wants to read the legalese, I’m attaching the contract that you’ll be agreeing to abide by for our next project. Fortify Educational License Agreement_360

In the past week, you might have noticed a new Wireless network available around Rice campus: JONES_WINS_AGAIN (a favorite cheer of my college, Jones).

This wireless network was created as part of a jack for Willy Week. When I first saw it, I wasn’t sure what had happened – my first thought was that members of another college had created a local wireless network at Jones College in an effort to gain user data and credentials of Jones students who would foolishly connect to a wireless network named in their honor. This would be highly unethical, and so of course this wasn’t the case. Rather, the JONES_WINS_AGAIN wireless network was being broadcast from every Rice Access Point on campus and acted identical to the Rice Visitor network.

So how did we do it? Did a member of Jones manage to hack into Rice Wireless? Sorta. Thanks to the Associate Program at Rice, Rice’s Senior Network Architect Danny Eaton is proudly associated with Jones College, and he was able to execute this “attack” because of his admin status. He created a new network, gave it a SSID of “JONES_WINS_AGAIN” and gave it all the same security settings as the Rice Visitor network. Once set up, the Access Points around campus would broadcast it.

This doesn’t mean people will use it though. Most computers have already been configured to automatically connect to Rice Owls or Rice Visitor, so you’d have to know to connect to this new network. Additionally, I’m sure some people had the same initial thought as I about the mysterious network – that it was somehow malicious. In talking with Danny Eaton, I learned some usage statistics of the network. As I’m writing this, ~35 people are connected to the JONES_WINS_AGAIN (as compared to the ~3500 users currently connected to Rice Owls). It has been active for the past week, and at the network’s peak, it had 55 users connected. So it didn’t exactly make much of an impact, but it is an interesting (and simple) attack none the less.