Category: Hacking Tips Tricks

Sep 05 2009

How I cross-site scripted Twitter in 15 minutes

How I cross-site scripted Twitter in 15 minutes, and why you shouldn’t store important data on 37signals’ applications
“Today the Ruby on Rails security team released a patch for a cross-site scripting issue which affected multiple high-profile applications, including Twitter and Basecamp. If you’re concerned about the issue and would like to see the patch, please read the advisory from the Rails security team. In this post, I discuss the overall process of finding the issue, and the reason why I’d suggest that no important information be stored on the 37signals applications (Basecamp, Highrise, Backpack, and Campfire).

After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: “I wonder if there are any web applications which have Unicode handling problems that might be security issues?”

My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?”
- Brian Mastenbrook

Source: Brian Mastenbrook


Mar 15 2009

How Yahoo Booter Works ?

Yahoo Messenger can connect to Yahoo Chat, but in reality it’s a separate service…

Yahoo Messenger’s server has a buffer; this buffer is actually 128k, not 512k.

When an attacker sends you multiple packets, whatever your client has not yet fetched from the server is stored in a buffer. When one chat packet comes in, the client grabs it. When 5 chat packets come in, you grab the first 3 and 2 are left behind on Yahoo’s server; you then grab those 2 packets and the buffer is empty again.

The booter puts 1k of data in each PM (instant message) packet, but instead of sending a single packet, it builds up 10 PM/IM packets.

It then sends them to Yahoo: 10 loops of PM packets @ 1k each = 80k in 1 load to Yahoo, then the booter sends it again, 160k.

If 128k of data (PM packets, chat packets, anything) is sent to a user BEFORE the user can get the data out, Yahoo will simply disconnect them once the buffer goes over 128k. Why?

Most probably because the server is instructed to disconnect idle users or users who are no longer online. What’s the point of keeping someone in Yahoo Chat if they are not getting the data people are sending them? After 40 minutes of a client sending data, Yahoo goes: we’ve buffered 128k, the user ain’t there, kick him…!

In short, Yahoo Messenger would crash if it got anything more than 128k.

The connection protocols, YMSG and Chat2, are also a factor. YChat was harder to boot for the simple fact that it lacked features compared to YMSG.
This is also why YMSG is easier to boot than Chat2. The more features, the more ways you can be booted.

Yes, there are ways to prevent being booted…..!
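A toy model of the buffering behaviour described above, added here as an illustration (not Yahoo's code and not from the original post): it contrasts the disconnect-on-overflow policy the post describes with a hypothetical policy that drops excess messages and keeps the session. The 128k limit is the post's figure; the class and function names, the `drop_on_full` flag and the per-round message rates are assumptions.

```python
from collections import deque

BUFFER_LIMIT = 128 * 1024  # per-recipient server buffer, the post's figure


class RecipientBuffer:
    """Toy model of one recipient's server-side buffer (hypothetical)."""

    def __init__(self, limit=BUFFER_LIMIT, drop_on_full=False):
        self.limit = limit
        self.drop_on_full = drop_on_full  # assumed hardened policy
        self.queue = deque()
        self.buffered = 0
        self.connected = True
        self.dropped = 0

    def enqueue(self, size):
        """Server receives `size` bytes addressed to this recipient."""
        if not self.connected:
            return False
        if self.buffered + size > self.limit:
            if self.drop_on_full:
                self.dropped += 1  # shed the message, keep the session
            else:
                self.connected = False  # behaviour the post describes
                self.queue.clear()
                self.buffered = 0
            return False
        self.queue.append(size)
        self.buffered += size
        return True

    def drain(self, max_messages):
        """Client fetches up to `max_messages` buffered messages."""
        taken = 0
        while self.queue and taken < max_messages:
            self.buffered -= self.queue.popleft()
            taken += 1
        return taken


def simulate(rounds, inbound, drained, msg_size=1024, **policy):
    """Return (connected, buffered_bytes, dropped) after `rounds` rounds."""
    buf = RecipientBuffer(**policy)
    for _ in range(rounds):
        for _ in range(inbound):  # constructed traffic: `inbound` messages per round
            buf.enqueue(msg_size)
        buf.drain(drained)
    return buf.connected, buf.buffered, buf.dropped
```

When arrivals match the client's drain rate the session survives under either policy; when arrivals outpace the drain, the first policy ends the session while the second keeps it and only counts the messages it shed.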


Mar 15 2009

How to Boot Yahoo Messenger ?

1] You need bot IDs (100 to 1000 might be enough). Create them either manually, the same way you create a Yahoo ID, or with a Yahoo Messenger ID Creator (aka ID Maker). The bot IDs are usually stored in a Notepad (txt) file, with one ID and password per line, like this:
BotID1:Password
BotID2:Password
BotID3:Password
etc. (up to 1000-10000 bot IDs)

2] You need Yahoo boot software that works properly.

3] Load your bot IDs into the Yahoo boot software by selecting the txt file they are stored in.

4] Select the type of your boot option.

5] Select or type the target (aka victim) username or Yahoo ID.

6] Final step: boot him! Done.

For better understanding, here I found a YouTube video tutorial on how to boot in Yahoo Messenger.

Note: The ID maker used in the video above does not work anymore. You must find the newest working ID boot and also Yahoo boot.


Nov 20 2008

Sitemeter Hack – Hide Visual Tracker (Counter)


Sitemeter is one of the best traffic counters for websites/blogs. It shows online users, referrals (where people are coming to your site from), country locations, browser, etc., all in detail.

This counter is visible to all visitors.
Invisible counters (trackers) are available for Premium accounts only…!

But you can easily hack it to hide it.
It’s just a few setting changes, which will work fine.

1) Login into your sitemeter account.
2) Go to ‘Manager’ from top menu.
3) Go to ‘Meter Style’ option from left hand menu.
4) Select the 2nd last meter style (Counter, which shows simple numbers).
5) Now in “DIGIT COLOR” select ‘Transparent’, Similarly in “BACKGROUND COLOR” select ‘Transparent’.
6) DONE.

Now your Sitemeter counter is invisible to the naked eye on your site.
Place it anywhere in your website/blog and track your traffic and users.

Enjoy…..!


Nov 19 2008

Disable Error Report In Windows


Microsoft’s Error Reporting in Windows is sometimes disturbing; most of us don’t want to send that error report because it’s of no use.
There’s an easy way to disable Microsoft error reporting in Windows.

Disable Microsoft Error Reporting in Windows XP:
1) Open Control Panel (Start > Control Panel).
2) Open the Problem Reports & Solutions applet. Under advanced options, disable error reporting.

Disable Microsoft Error Reporting in Windows Vista:
1) Right-click on My Computer (Desktop) and click Properties.
2) Click the Advanced tab.
3) You’ll see an “Error reporting” button at the bottom; click it.
4) Select Disable Error Reporting.

And you’re done….!
