The email contained links to their service, but my email address was embedded in the link. So do they want to know whether they should send me more email? Or maybe to see how many of the emails they sent successfully pulled users to their website? Anyway, I decided to see whether the site was secure, and after some testing I concluded that the normal approach didn't work that well: they had clearly taken care of the most common vulnerabilities. So I had to think outside the box: what do they do with the email addresses they register? Right, it has to show up somewhere, most likely in a fancy interface they built for it. Woo! And they probably never thought of escaping that, so I injected: ?id=<script>window.location='http://www.mywebsite.nl'</script>
And guess what: within 20 minutes of the injection I got an email from one of the dudes telling me that my "failed" hack attempt had been reported to the police.
In what way did it fail? It might not have executed the script, but the result was exactly the same: he paid a visit to our website. Thank you, come again!
Of course, as you'd expect, I analyzed his email and the IP address it came from; I made the mistake of not getting the IPs behind a proxy. Yup, he used a proxy to send me an email. Chicken!
Oh, and he blocked my IP on every one of his sites! Brr...
Here's what he sent (originally in Dutch):
Message field: We will file a police report about your (failed) hacking attempt on our website.
30-03-2009 17:27 - HACKLAMER (x.x.x.x): Viewing demo (\')
30-03-2009 17:32 - HACKLAMER (x.x.x.x): Viewing demo (window.location=\'http://www.mywebsite.nl\')
30-03-2009 17:33 - HACKLAMER (x.x.x.x): (window.location=\'http://www.mywebsite.nl\')
Phone field:
IP address: 194.109.22.147
Language selected: Dutch
Time: 17:42 - 30 Mar 2009
The IP resolves to an xs4all.nl proxy.
He was nice enough to include the log, which indicates he uses a home-made system, since I don't know any tool that will call someone a 'hack lamer'. Anyway, the tool strips tags. Now that is not safe, my friend. I wonder if:
<scr<script>IPT>window.location='http://www.mywebsite.nl'</SCR</script>IP> would have worked, since strip_tags() would be kind enough to concatenate the script tags for me. Too bad the quotes are being escaped. Something lame like <plain<plaintext>text> would have been annoying in that case; being tagged 'hack lamer' would suit ;)
But I'm not there to break things, just to notify people!
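The reassembly speculated about above, as an added Python model (not code from this post or from the site in question): a hypothetical single-pass tag stripper is fed the two payloads from the post, and the same input is shown with escaping applied on output instead, which is the actual fix. The regex, the helper names and the backslash-escaped quotes are my assumptions; the payloads are the ones written above.

```python
import html
import re

# Hypothetical stand-in for the site's unknown "strip the tags" filter: one
# regex pass that deletes every <...> whose body contains no angle brackets.
# Hand-rolled filters often look like this. PHP's real strip_tags() tracks
# nesting depth and does not rebuild tags this way, and its manual says it is
# not an XSS defence; the output-escaping lesson below applies either way.
NAIVE_TAG_RE = re.compile(r"<[^<>]*>")


def naive_strip_tags(value: str) -> str:
    """Delete anything shaped like a tag (input-side 'sanitising')."""
    return NAIVE_TAG_RE.sub("", value)


def escape_for_html(value: str) -> str:
    """Output-side defence: encode the characters HTML treats as markup so
    the stored string is displayed literally, whatever it contains."""
    return html.escape(value, quote=True)


def reassembles_script_tag(filtered: str) -> bool:
    """True when an opening <script> tag survived, or was rebuilt by, the filter."""
    return re.search(r"<script>", filtered, re.IGNORECASE) is not None


def render_log_entry(stamp: str, who: str, payload: str, transform) -> str:
    """Build the line a log viewer emits; transform() is whatever the viewer
    applies to untrusted input before putting it into the page."""
    return f"{stamp} - {who}: Viewing demo ({transform(payload)})"


# Constructed samples: the two payloads from the post, with the single quotes
# backslash-escaped the way the reported log shows the site stored them.
PLAIN = "<script>window.location=\\'http://www.mywebsite.nl\\'</script>"
NESTED = ("<scr<script>IPT>window.location=\\'http://www.mywebsite.nl\\'"
          "</SCR</script>IP>")

if __name__ == "__main__":
    for name, payload in (("plain", PLAIN), ("nested", NESTED)):
        print(f"{name:>6} | stripped: {naive_strip_tags(payload)}")
        print(f"{name:>6} | escaped : {escape_for_html(payload)}")
```

The stripped plain payload comes out exactly as the reported log line shows it, while the nested one comes back out of the stripper as an opening script tag; the escaped form of either is inert in an HTML body.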