Dl21.org - News

Now it's time for Twitter

2010-03-10T09:08:34+01:00

As you may have noticed here through our partner website news, a 17-years old promoted his own website (StalkDaily) through a JS worm that infected several profiles in the Twitter network.

The author released a short interview for BNO News where he claims the responsability for the worm activity and explain few things.

Some updates

2010-03-10T09:08:34+01:00

The XSS Cheats section has been just lightly updated with a couple of new features included you can now:
• Use the "export list" function which permits you to get the whole list of published XSS vectors submittes by the users, useful for fuzzing for example,
• You can now test with the "Test it!" link each vector in the page and check how it acts towards a real XSS vulnerability.

Enjoy and have fun!
and Merry (late) Christmas and Happy new Year! ;-)

New Orkut Worm unleashed

2010-03-10T09:08:34+01:00

Following the announcement by our partner XSSed you can find at this URL we decided to upload the JS sources provided by the same XSSed website to our XSS Worms database and is now available for you at the relative page:
XSS Worms

Keep up the good work!

Advisories Submissions

2010-03-10T09:08:34+01:00

I wanted to remind everyone that submission of websites' vulnerabilities will be rejected since they are not in-line with our publishing policies: we ONLY accept advisories concerning Applications flaws such as CMS, Forums, Wikis and every WebApp that is public and released.

If you want to notice a vulnerability in a specific website you can submit your discover to our partner's website: www.dl21.org.

Thank you for your comprehension.

Seride 0.2 out!

2010-03-10T09:08:34+01:00

A new version of Seride (SEssion RIding DEfender), a PHP library for CSRF prevention, as been released and hit the 0.2 status point.

This new version introduces several new features and fixes stated in the CHANGELOG file as following:
* Fixed the creation of the log file avoiding not setted variables and generalizing the Session Username to an no-specified var.
* Added the possibility to choose the method of error reporting (standard/custom message/custom file).
* Changed the standard error output's look.
* Added the possibility to choose if page generation and the request should be aborted or not.
* Added the possibility to choose to print or not the error message.
* The log file now saves the HTTP Referer and the HTTP User Agent too.

You can find additional infos on the project and the download link at the following address:
http://projects.playhack.net/project.php?id=3

Dl21 uses Seride for his own hijacking protection too.

Justin.TV affected by XSS Worm

2010-03-10T09:08:34+01:00

TheDefaced.org team contacted our partner XSSed.com to communicate their last discovered vulnerability in the well-known Justin.TV broadcasting website and have released a JavaScript Worm that is presented by DL21 in our XSS Worms section.

Here's a statement from XSSed news about the discovery:
"As of 'Sat, 28 Jun 2008 21:52:33 GMT' - An XSS worm was released on this website, this was and is meant only for research purposes. It was successfully executed and lasted roughly around 24 hours.
We have recorded such records making it possible for us to create graphical images graphing the progress of this XSS worm as it infected each profile upon the last being viewed.
The XSS Vulnerability was discovered and fixed during 'Sun, 29 Jun 2008 21:12:21 GMT', with an after mass of 2525 profiles."

You can find the Worm source code at this address:
http://worms.xssing.com/sources/justintv.txt

And all the details on XSSed.com news item:
http://www.xssed.com/news/75/Justin.tv_non-malicious_cross-site_scripting_worm/

PunBB Security Update

2010-03-10T09:08:34+01:00

Today a new vulnerability advisorie on PunBB Password Change and Cross Site Scripting has been published.

As you may know our Forum is using that Bulletin Board and in order to keep the data safe we already updated the software to the latest patched version 1.2.17, which solved this and other security issues affecting the previous versions.

The Cascading Style Sheet files will be restored within today, but if you notice any malfunctioning feel free to contact us.

Routers Hacking Challenge

2010-03-10T09:08:34+01:00

Gnuciticen is organizing a Routers Hacking Challenge open to everyone interested in joining it!

It simply consists in a very flexible challenge where anyone can submit their discoveries about their own home Routers security flaws: Buffer overflow, XSS, CSRF.. everything is allowed!
Stress up your own home device and find as much vulnerabilities as you can, write them down and submit everything to the project page at this address: visit.
The most interesting and effective ones will be involved in media coverage and several researches about it.

Have fun!

PHP Bypass Testing Page

2010-03-10T09:08:34+01:00

For your interest i made a simple page that you can disfrut in order to try if your own vectors are able to bypass the most common PHP html encoding functions such as htmlspecialchars, htmlentities and strip_tags: the input will be parsed through this function and printed on the page as it is.

You can reach the page at this address: bypass.dl21.org.
You can discuss your results on the forum, enjoy!

New Seride major release

2010-03-10T09:08:34+01:00

Nexus released the new version of Seride PHP Library (updated to 0.1.1).
It's available for the download at this link: download.
With the new features addition, Seride reached a stable release that provide a more professional and complete solution for CSRF preventing needs.