Comments for Prominent Security

Comment on ProminentDork 1.0, automating web security auditing using Google dorks by Amanda

Amanda — Sat, 29 May 2010 13:22:11 +0000

I wish i could speak computer. FML.

Comment on Facebook Delete Friends CSRF Flaw by Amanda

Amanda — Sat, 29 May 2010 13:21:26 +0000

Thats my son in that video.

Comment on Facebook Delete Friends CSRF Flaw by xdemo

xdemo — Sat, 22 May 2010 18:32:13 +0000

thanks for the interesting post.
pretty basic flaw for a site such as facebook to have… they just seem to keep coming and coming lately.

also like to say, nice blog! i’ve bookmarked it and i’ll come back regularly if i can remember ;p

Comment on Facebook Delete Friends CSRF Flaw by t3st

t3st — Sat, 22 May 2010 07:10:42 +0000

Thank you for infomation

However, how can I know if the vulnerability has been fixed ?

Comment on Comcast DNS Hijacking and Web Security by Leo Charre

Leo Charre — Tue, 11 May 2010 15:59:23 +0000

This *must* be a marketing/redtape type of people major screwup- I’m sure the I.T. staff realize that hijacking http is insane. I hope they get the nuts to grab management by the collar and ‘explain’ to them they have to stop doing this.

Comment on Lockerz.com, and the importance of data validation. by Steve

Steve — Wed, 28 Oct 2009 23:41:33 +0000

It depends how the hashing function is implemented. Say for example we know they are using the popular MD5 hashing algorithm, we still don’t know what other data they are adding to the score value or in what way they are manipulating the pre-existing data prior to hashing it. We can try different things such as concatenating the other information passed with the hash to the end of the score value, or even appending the UNIX time-stamp of the time the request was made to the end of the score value and then comparing it to the hash generated. But in the end, the hash is generated server side and anything can be done or added to the data privately prior to it being hashed by the public hashing algorithm. This makes it almost impossible to figure out. This type of hash is known as a salted hash and is quite common in request validation since it is very simple to implement. So, unless we find out what other data is being hashed along with the score, or in what way that data is being manipulated prior to being hashed, there is nothing we can do in an attempt to mimic the hashed score and send it off to the server.

Comment on Lockerz.com, and the importance of data validation. by Anonymous

Anonymous — Wed, 28 Oct 2009 12:57:15 +0000

But what if the hashing function is known? Would it be possible to generate a new hash that suits us after tampering with the score in headers? Please respond.

Comment on Comcast DNS Hijacking and Web Security by Lockerz Invitation

Lockerz Invitation — Mon, 12 Oct 2009 17:18:38 +0000

cool cool

Comment on Comcast DNS Hijacking and Web Security by julieeee

julieeee — Fri, 25 Sep 2009 00:53:31 +0000

This seems rather intruiging.

Comment on Comcast DNS Hijacking and Web Security by Giedrius Trumpickas

Giedrius Trumpickas — Tue, 18 Aug 2009 13:05:10 +0000

Issue https://login.comcast.net/login?pf_sp=%3E%22%3E%3Cscript%20%3Ealert%28%22XSSed%22%29%3B%3C/script%3E was fixed