The Dark Arts: Cross Site Scripting

In 2011, a group of hackers known as Lulzsec went on a two month rampage hacking into dozens of websites including those owned by FOX, PBS, the FBI, Sony and many others. The group was eventually caught and questioned in how they were able to pull off so many hacks. It would be revealed that none of the hackers actually knew each other in real life. They didn’t even know each other’s real names. They only spoke in secluded chat rooms tucked away in a dark corner of the internet and knew each other by their  aliases – [tFlow], [Sabu], [Topiary], [Kayla], to name a few. Each had their own special skill, and when combined together they were a very effective team of hackers.

It was found that they used 3 primary methods of cracking into websites – SQL injection, cross-site scripting and remote file inclusion. We gave a basic overview of how a SQL injection attack works in the previous article of this series. In this article we’re going to do the same with cross-site scripting, or XSS for short. SQL injection has been called the biggest vulnerability in the history of mankind from a potential data loss perspective. Cross-site scripting comes in as a close second. Let’s take a look at how it works.

XSS Scenario

Let us suppose that you wanted to sell an Arduino on your favorite buy-and-sell auction website. The first thing to do would be to log into the server. During this process,  a cookie from that server would be stored on your computer. Anytime you load the website in your browser, it will send that cookie along with your HTTP request to the server, letting it know that it was you and saving you from having to log in every time you visit. It is this cookie that will become the target of our attack.

You would then open up some type of window that would allow you to type in a description of your Arduino that potential buyers could read. Let’s imagine you say something like:

Arduino Uno in perfect condition. New in Box. $15 plus shipping.

You would save your description and it would be stored on a database in the server. So far, there is nothing out of the ordinary or suspicious about our scenario at all. But let’s take a look at what happens when a potential buyer logs into the server. They’re in need of an Arduino and see your ad that you just posted. What does their browser see when they load your post?

Arduino Uno in perfect condition. <b>New in Box</b>. $15 plus shipping.

Whether you realize it or not, you just ran HTML code (in the form of the bold tags) on their computer, albeit harmless code that does what both the buyer and seller want – to highlight a specific selling point of the product. But what other code can you run? Can you run code that might do something the buyer surely does not want? Code that will run on any and every computer that loads the post? Not only should you be able to see where we’re going with this, you should also be able to see the scope of the problem and just how dangerous it can be.

Now let us imagine a Lulzsec hacker is out scoping for some much needed lulz. He runs across your post and nearly instantly recognizes that you were able to run HTML code on his computer. He then makes a selling ad on the website:

Lot of 25 Raspberry Pi Zeros - New in Box - < script src="" ></script> - $100, free shipping.

Now as soon as someone opens up the hacker’s ad, the script section will load up the malicious off-site code and steal the victim’s session cookie. Normally, only the website specified in a cookie has access to that cookie. Here, since the malicious code was served from the auction website’s server, the victim’s browser has no problem with sending the auction website’s cookie. Now the hacker can load the cookie into his browser to impersonate the victim, allowing the hacker access to everything his victim has access to.

Endless Opportunities

With a little imagination, you can see just how far you can reach with a cross-site scripting attack. You can envision a more targeted attack with a hacker trying to get inside a large company like Intel by exploiting a flawed competition entry process. The hacker visits the Intel Edison competition entry page and sees that he can run code in the application submission form. He knows someone on the Intel intranet will likely read his application and guesses it will be done via a browser. His XSS attack will run as soon as his entry is opened by the unsuspecting Intel employee.

This kind of attack can be run in any user input that allows containing code to be executed on another computer. Take a comment box for instance. Type in some type of < script >evil</script> into a comment box and it will load on every computer that loads that page. [Samy Kamkar] used a similar technique to pull off his famous Myspace worm as we talked about in the beginning of the previous article in this series. XSS, at one time, could even have been done with images.

Preventing XSS attacks

As with SQLi based attacks, almost all website developers in this day and age are aware of XSS and take active measures to prevent it. One prevention is validating input. Trying to run JavaScript in most applications where you should not be will not only give you an error, but will likely flag your account as being up to no good.


One thing you can do to protect yourself from such an attack is to use what is known as a sandboxed browser. This keeps code that runs in a browser in a “box” and keeps the rest of your computer safe. Most modern browsers have this technology built in. A more drastic step would be to disable JavaScript entirely from running on your computer.

There are people here that are far more knowledgeable than I on these type of hacking techniques. It was my hope to give the average hardware hacker a basic understanding of XSS and how it works. We welcome comments from those with a more advanced knowledge of cross-site scripting and other website hacking techniques that would help to deepen everyone’s understanding of these important subjects.


XSS Flash animation 1

XSS Flash animation 2

The Dark Arts: SQL Injection and Secure Passwords

As the year of 2005 was drawing to a close, a website known as Myspace was basking in popularity. With millions of users, the site was the most popular social networking site in the world. It was unique in that it let users use HTML code to customize their Myspace page. Most of us, c’mon…admit it….had a Myspace page. The coding part was fun! But not everything was changeable with code. You could only upload up to 12 images and the Relationship Status drop-down menu only had a few options to choose from. These limitations did not sit well with [Samy Kamkar], a 19 year old hacker out of Los Angeles.


It didn’t take [Samy] long to figure out how to trick the site to let him upload more images and change his relationship status to a customized “in a hot relationship”. After hoodwinking the Myspace site with some simple hacks, he realized he could do just about anything he wanted to with it. And this is where things get interesting. It took just over a week to develop a script that would force people who visited his page to add him as a friend. But that wasn’t enough. He then programmed the script to copy itself onto the visitor’s page. [Samy] had developed a self-propagating worm.

The script went live as [Samy] went to bed. He woke up the next morning with 200 friends requests. An hour later the number had doubled. [Samy] got worried and sent an anonymous email to the webmaster warning of the worm. It was ignored. By 1:30PM that day, he had over 6,000 friends request. And like any good hacker worth his weight in floppy drives, his sense of humor had him program the script to also add his name to each visitor’s Heroes List. This angered many people, who deleted him from their page, only to get reinfected moments later when they visited another (infected) page.

[Samy’s] script was raging out of control.  As the evening closed in, his friends count had reached 919,664. It would top the 1 million mark just before Myspace took their servers offline to figure out what was going on. Two hours later, the site was back up. [Samy’s] profile page had been deleted.

[Samy] had used a technique known as cross-site scripting (XSS) to pull off his hack. We’ll touch on XSS in a later article. For now, we’re going to stick to the basics – proper passwords and SQL Injection.

Continue reading “The Dark Arts: SQL Injection and Secure Passwords”

The Dark Arts: Meet the LulzSec Hackers

It’s difficult to say if [Aaron Barr], then CEO of software security company HBGary Federal, was in his right mind when he targeted the notorious hacking group known as Anonymous. He was trying to correlate Facebook and IRC activity to reveal the identities of the group’s key figures. In the shadowy world of black-hat hacking, getting your true identity revealed is known as getting doxed, and is something every hacker fears. Going after such a well-known group would be sure to get his struggling company some needed publicity. It would also have the most unfortunate side effect of getting the hacking groups attention as well.

Aaron Barr

Perhaps [Aaron Barr] expected Anonymous to come after him…maybe he even welcomed the confrontation. After all, he was an ‘expert’ in software security. He ran his own security company. His CTO [Greg Hoglund] wrote a book about rootkits and maintained the website that boasted over 80 thousand registered users. Surely he could manage a few annoying attacks from a couple of teenage script kiddies playing on their parent’s computer. It would have been impossible for him to know how wrong he was.

It took the handful of hackers less that 24 hours to take complete control over the HBGary Federal website and databases. They also seized [Barr’s] Facebook, Twitter, Yahoo and even his World of Warcraft account. They replaced the HBGary Federal homepage with this declaration – with a link to a torrent file containing some 50,000 emails resting ominously at the bottom. At the same time, they were able to use social engineering techniques to SSH into the site and delete its entire contents.

It became clear that these handful of Anonymous hackers were good. Very good. This article will focus on the core of the HBGary hackers that would go on to form the elite LulzSec group. Future articles in this new and exciting Dark Arts series will focus on some of the various hacking techniques they used. Techniques including SQL injection, cross-site scripting, remote file inclusion and many others. We will keep our focus on how these techniques work and how they can be thwarted with better security practices.

LulzSec – For the Lulz

jake_davisName: Jake Davis

Alias: Topiary

Age at Arrest: 18

Hometown: Shetland Islands, Scotland

Role: Spokesperson


[Jake Davis] – aka [Topiary] – might have been the least technically skilled of the group, but he made up for it in his ability with words. He was by far the most articulate of the group and commanded the official LulzSec Twitter feed, where he taunted the group’s victims and appeased their ever-growing fan base. [Topiary] goes back to the days of Anonymous and its origin on the popular image board 4chan. Being articulate and quick-witted, he was exceptionally good at doing prank calls while streaming them live to eager fans. His talent did not go unrecognized and the role of “mouthpiece” for Anonymous was his for the taking. Whenever a home page was defaced and replaced with an official Anonymous message, he was the author. The hacked HBGary homepage linked above was [Topiary’s] work.

Lest we leave you with the impression that [Topiary] was not a hacker, he learned a great deal of technical skills during his involvement with Anonymous and later Lulzsec. When he was arrested at his home on the Shetland Islands, he had 17 virtual machines running on an encrypted drive. His last tweet before his arrest – “You cannot arrest an idea”.


Name: Mustafa Al-Bassammustaffa al massam

Alias: Tflow

Age at Arrest: 16

Hometown: London, England

Role: Highly skilled coder


[Mustafa Al-Bassam] – aka [Tflow] – was a bit socially awkward, but you would have never known it based on his demeanor in the secluded chat rooms of the Lulzsec hackers. Cool, calm and collected, [Tflow] never got involved with the many arguments that took place. The ability to check his emotions combined with advanced coding skills led his fellow hackers to believe he was much older than he really was. [Pwnsauce], another Lulzsec member whom we will not cover due to lack of information, believed he was at least 30 years old.

It was [Tflow] who first shed light on [Aaron Barr’s] plans to dox the Anonymous “leaders”. It was [Tflow] who wrote an advanced piece of code that allowed the citizens of Tunisia to get past their government’s ISP restrictions during the Arab Spring and post on social media. Let that sink in for a minute…a 16-year-old teenager had empowered an entire nation of people with a PHP script. [The Jester], a hacker who commanded a massive bot-net, once tried to hoodwink [Tflow] and his fellow hackers with a malicious script. [Tflow] took the script, reduced it from a few dozen lines to only two lines without limiting functionality, and sent it back to [The Jester] with the following note: Try this instead.



Name: Ryan Ackroyd

Alias: Kayla

Age at Arrest: 24

Hometown: South Yorkshire, England

Role: Server Penetration


[Ryan Ackroyd] was big into computer video games as a teen. He liked hacking them and hung out online with other like-minded people. A girl by the name of [Kayla] joined their circle of friends and [Ryan] enjoyed her company. A rival video game hacking group tried to hack [Ryan’s] group, and targeted the weakest link – 16-year-old [Kayla]. They destroyed her social networks and even got into her parent’s bank account. [Ryan] and his friends were furious. They all went after their rival, using the alias [Kayla] in her honor. Their retribution was so devastating that “Kayla” earned a reputation across this particular corner of the internet as someone not to cross. Over the years, the group fell apart, but [Ryan] remained and kept the alias of a 16 year old girl named [Kayla] who shouldn’t be messed with.

It was [Kayla] who socially engineered her way into It was [Kayla] who discovered the SQL injection insecurity on the HBGary Federal website. She later wrote a program that scanned URLs many times per second looking for zero days. She’s a self-taught reverse engineer and was arguably the most skilled hacker on the Lulzsec team. She even had a trip wire in her apartment that wiped all hard drives when the police entered, and was branded by the courts as “highly forensically aware”. That’s legalese for “This guy knows his stuff”. She has some wise words in this reddit thread.


hector_monsegurName: Hector Monsegur

Alias: Sabu

Age at Arrest: 28

Hometown: New York City

Role: Leader & Skilled Hacker


[Hector Monsegur] – aka [Sabu] – was the oldest and most mature of the Lulzsec hackers. He was the recognized leader of the group. He drove daily operations and squashed arguments. He was also a very skilled hacker himself, coming from a background of hacking government websites in his native Puerto Rico. [Sabu] was a hactivist, and believed in hacking for a social cause, while many of his team were still beholden to their 4chan/b/ days of hacking “for the lulz”. [Sabu] was not only a hacker of computers, he was a hacker of people, and highly skilled in the art of social engineering. Using his skills, he was able to steer LulzSec in the direction he wanted it to go.

[Sabu] was the first of the LulzSec hackers to get doxxed. When he was confronted by the FBI with a 100+ year prison sentence, he could not bear the idea of his kids growing up without him and turned informant. He has only recently returned to twitter, much to the annoyance of Anonymous.

Now What?

You have met the core of the LulzSec hackers. There are two more that we did not talk about due to lack of information: [Pwnsauce] and [AVUnit]. As of today, no one knows the true identity of [AVUnit]. It’s possible there are even more that we don’t know about. However, it is generally recognized that the hackers covered here were the core members.

Now that we know a little bit about the people behind some of the most remarkable hacks of modern times, we will go into detail about how they were able to carry these hacks out. If you’re looking for a “How to Hack a Website 101” tutorial, this series of articles will disappoint you. But if you want to know how these former hackers were able to do what they did, you will find this series quite enjoyable. We’re not just going to talk about the various techniques used, we’re going to understand how they work on a fundamental level. So stay tuned and keep your virtual machines on standby.



We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency, by Parmy Olsen. ISBN-978-0316213523

Physical Security for Desktop Computers

There’s a truism in the security circles that says physical security is security. It doesn’t matter how many bits you’ve encrypted your password with, which elliptic curve you’ve used in your algorithm, or if you use a fingerprint, retina scan, or face print for a second factor of authentication. If someone has physical access to a device, all these protections are just road bumps in the way of getting your data. Physical access to a machine means all that data is out in the open, and until now there’s nothing you could do to stop it.

This week at Black Hat Europe, Design-Shift introduced ORWL, a computer that provides the physical security to all the data sitting on your computer.

The first line of protection for the data stuffed into the ORWL is unique key fob radio. This electronic key fob is simply a means of authentication for the ORWL – without it, ORWL simply stays in its sleep mode. If the user walks away from the computer, the USB ports are shut down, and the HDMI output is disabled. While this isn’t a revolutionary feature – something like this can be installed on any computer – that’s not the biggest trick ORWL has up its sleeve.

ORWL2The big draw to the ORWL is a ‘honeycomb mesh’ that completely covers every square inch of circuit board. This honeycomb mesh is simply a bit of plastic that screws on to the ORWL PCB and connects dozens of electronic traces embedded in this board to a secure microcontroller. If these traces are broken – either through taking the honeycomb shell off or by breaking it wide open, the digital keys that unlock the computer are erased.

The ORWL specs are what you would expect from a bare-bones desktop computer: Intel Skylake mobile processors, Intel graphics, a choice of 4 or 8GB of RAM, 64 to 512GB SSD. WiFi, two USB C ports, and an HDMI port provide all the connections to the outside world.

While this isn’t a computer for everyone, and it may not even a very large deployment, it is an interesting challenge. Physical security rules over all, and it would be very interesting to see what sort of attack can be performed on the ORWL to extract all the data hidden away behind an electronic mesh. Short of breaking the digital key hidden on a key fob, the best attack might just be desoldering the chips for the SSD and transplanting them into a platform more amenable to reading them.

In any event, ORWL is an interesting device if only for being one of the few desktop computers to tackle the problem of physical security. As with any computer, if you have physical access to a device, you have access to all the data on the device; we just don’t know how to get the data off one of these tiny computers.

Video below.

Continue reading “Physical Security for Desktop Computers”

Tales from the Hackaday “tip line”

surprisingly accurate portrayal of Caleb

Lets just start right off and acknowledge that the word “Hack” is in our site name. We all see it. It is right there, in plain English. However, anyone who spends more than a few nanoseconds looking down below that big name, will quickly see that the kind of hacking we do is more like McGyver and less like Operation Swordfish.

This exceedingly obvious point is missed by many, many people. We get tons of requests coming in for various acts of hackery. They range from nonsense gibberish to flagrant lies. Yeah, sure you forgot your password and the recovery system isn’t working. Oh they stole your website but you can’t prove that you’re the owner? Hrm, you want to be a master hacker and are seeking our guidance on how to steal money?

Join me after the break for a few actual examples.

Continue reading “Tales from the Hackaday “tip line””

Smartphone anti-virus software


With DEFCON and Black Hat going on, a lot of security issues are being made public. This year, cellphones have been a larger target than before. More and more people are carrying complex smartphones that have more ways to go wrong. Even worse, since phones are tied to a billed account, it is possible for malicious software to charge phones discreetly. However, Flexilis promises to keep your phone safe. It’s a free mobile anti-virus that works on most smartphones and PDAs with more clients in the works. It also provides easy backup and recovery options, as well as the ability to wipe the phone if it’s lost. The phone makers really need to fix the probelms, but in the meantime Flexilis can provide a quick response.

[via WSJ Digits]

Defcon 17: Badge details released


Defcon is upon us once again, and that can only mean one thing: new badge designs. Our friends over at Wired posted the picture above along with a description of this year’s new badge. Since our last post, there has been little new information released regarding the components used for the new badge. However, we now know that it utilizes a microphone and a full color LED along with the Freescale mc56f8006, an advanced digital signal processing microcontroller. [Grand], the badge designer, told Wired that while this year’s design is a bit simplified compared to last year’s design, it is not nearly as easy to hack. Just like last year, the functionality of the badge hasn’t been announced yet. We’re hoping for some kind of communicator. Be sure to check out Wired’s article if you want to see the high res pictures.