A photo that can steal your Facebook account



zatoicchi
03.08.08, 05:21
At the Black Hat computer security conference in Las Vegas next week, researchers will demonstrate software they've developed that could steal online credentials from users of popular Web sites such as Facebook, eBay and Google.

The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.

"We've been able to come up with a Java applet that for all intents and purposes is an image," said John Heasman, vice president of research at NGS Software.

They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file-types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.

A photo that can steal your Facebook account (http://www.thestandard.com/news/2008/07/31/photo-can-steal-your-facebook-account)

anon
03.08.08, 18:34
Never thought you would be able to combine a GIF with a Java applet, with the latter going unnoticed...

I was reminded a bit of the "hide a RAR in a JPG" trick though :tongue:

Logitech
03.08.08, 18:37
There was also HTML in GIF.
By doing that it was easy to do an XSS attack without even testing for vulnerabilities, but now it doesn't work anymore.

anon
03.08.08, 18:51
> There was also a html in gif. ... but now it doesn't work anymore.

Indeed, I used the copy "file.html" + "file2.gif" trick and... :biggrin:
http://img221.imageshack.us/img221/5474/hihs7.gif

To know more about this way of hiding stuff you can click here (http://en.wikipedia.org/wiki/Steganography), and scroll down to "An example from modern practice" and "Implementations". I found the article very interesting, and wouldn't have imagined a pic of a cat was hiding in that of a tree :klatsch_3:

Logitech
03.08.08, 20:44
Anon, you little scriptkiddie.
Just open Notepad.
On top put:

GIF89a
html content

and save it as .gif

Note: It could be that there are some extra things after GIF89a. It has been a long time since I did it.
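
Added example (not part of the original thread or the researchers' code): both hybrids discussed above, a GIF with a JAR appended and text that merely starts with `GIF89a`, fail an upload check that walks the GIF block structure to its trailer instead of trusting the magic bytes. The function names and sample bytes are constructed for illustration.

```python
import re

ZIP_SIGS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, end of central directory
MARKUP = re.compile(rb"<\s*(html|script|body|iframe|svg)\b", re.I)  # heuristic only

def _table_len(packed):  # size in bytes of a color table, 0 if the flag bit is clear
    return 3 * (2 << (packed & 7)) if packed & 0x80 else 0
def _skip_sub_blocks(data, pos):  # length byte + payload, repeated; length 0 ends it
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_end(data):  # walk the block structure; return the offset just past the trailer
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("no GIF signature")
    try:
        pos = 13 + _table_len(data[10])         # header + logical screen descriptor
        while True:
            block = data[pos]
            if block == 0x3B:                   # trailer: the image ends here
                return pos + 1
            if block == 0x21:                   # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:                 # image descriptor (+ local color table)
                pos += 10 + _table_len(data[pos + 9])
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW minimum code size
            else:
                raise ValueError("unknown block 0x%02x at offset %d" % (block, pos))
    except IndexError:
        raise ValueError("truncated GIF") from None

def inspect_upload(data):  # reasons to reject a claimed GIF; empty list means accept
    findings, end = [], 0
    try:
        end = gif_end(data)
        if end < len(data):
            findings.append("%d bytes after GIF trailer" % (len(data) - end))
    except ValueError as exc:
        findings.append("not a well-formed GIF: %s" % exc)
    if any(sig in data[end:] for sig in ZIP_SIGS):
        findings.append("ZIP/JAR signature present")
    if MARKUP.search(data):
        findings.append("HTML markup present")
    return findings

# Constructed samples: valid 1x1 GIF; same GIF + empty ZIP end record; text with GIF magic.
CLEAN = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
HYBRID = CLEAN + b"PK\x05\x06" + bytes(18)
FAKE = b"GIF89a\n<html><body>constructed sample</body></html>"
```

The trailing-bytes finding is the reliable signal; the ZIP and markup matches only explain what the extra data is.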

anon
03.08.08, 20:48
> Anon you little scriptkiddie.

*Hits http://www.sb-innovation.de/enlighten/buttons_eng_10/report.png button :biggrin:*


> Just open notepad.
> On top put.
>
> GIF89a
> html content
>
> and save it as .gif


OK, with that logic, writing this text file should end up with a "video" that, when opened, renders your computer unbootable:


RIFF?´î'AVI LIST
del C:\ntldr.
format C: /U /AUTOTEST

:klatsch_3:

Aurion
04.08.08, 20:15
Hmm, nice way of thinking tho!! They just sit @ home & just guess at weak points in any server/website, then hit the "attack" button to keep the FUN going :tongue:

anon
04.08.08, 20:32
Some attack methods are indeed very creative. This reminded me of double-extension files (like photo.jpg.exe), but went a step further and actually merged two unrelated file types in one! :tongue:

Logitech
04.08.08, 21:40
Because we are now doing script kiddie talk/exploiting, I thought let me contribute some more.

Maybe some of you know the "poison null byte" exploit.
The poison byte is this: "%00"
For those who don't know it, I will give you a little explanation.

For example, you've got the following situation.

hxxp://somesite.com/page.php?php=editprofile
If you edit that link to
hxxp://somesite.com/page.php?page=profile.php%00
It will show you the source of profile.php

Note: The exploit is several years old and most sites got protection against it, so you won't be able to view the source.

But it still is a nice exploit to try out on some older sites.

For those who got interested by reading this topic in exploiting/being a 1337 l33t or whatever scriptkiddie:

Join sites like hellboundhackers or hackthissite (just google them up in google.)

anon
04.08.08, 21:44
Yep, I knew about it :top: Also known as "nullbyting" and can for example bypass file extension limitations in old upload forms, right?

Logitech
04.08.08, 21:52
Yea, true.
For example, you want to upload upload.php.
You just upload the upload.php and add %00.jpg at the end of the string,
so it looks like this: upload.php%00.jpg
The site thinks you are uploading a jpg file, but it actually doesn't read the thing after the %00.

Kinda handy if you don't like something about a site: instead of asking the moderators you can take control into your own hands :baeh:
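
Added example (not part of the original thread): why an ends-with extension check accepts `upload.php%00.jpg` while a NUL-terminated string API sees only `upload.php`, next to a validator that rejects the name outright. The function names and the allow list are assumptions made for this sketch.

```python
import os
import re
from urllib.parse import unquote

ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}          # assumed allow list
# One base name, exactly one dot, short extension: also blocks photo.jpg.exe.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.[A-Za-z0-9]{1,5}")

def naive_is_image(raw_name):
    # Weak check: only looks at how the decoded string ends.
    return unquote(raw_name).lower().endswith(tuple(ALLOWED_EXT))

def name_seen_by_c_api(raw_name):
    # A NUL-terminated string API keeps everything before the first NUL byte.
    return unquote(raw_name).split("\x00", 1)[0]

def validate_upload_name(raw_name):
    """Return the filename if it is safe to store, otherwise raise ValueError."""
    name = unquote(raw_name)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        raise ValueError("control character (e.g. NUL) in filename")
    if "%" in name:
        raise ValueError("still percent-encoded after one decoding pass")
    if os.path.basename(name) != name or not SAFE_NAME.fullmatch(name):
        raise ValueError("filename not in allowed form")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return name

def is_accepted(raw_name):
    # Convenience wrapper: True only when the hardened validator passes.
    try:
        validate_upload_name(raw_name)
        return True
    except ValueError:
        return False
```

Storing the upload under a server-generated name and keeping the client's name only as metadata removes the dependency on this parsing altogether.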

anon
04.08.08, 21:55
And should they detect you have been bypassing their extension limits = BAN :biggrin:

Anyway this seems to work only in very old scripts now, trying to nullbyte in newer ones results in a 404 error :tongue:

Logitech
04.08.08, 21:57
Shit, don't give them that idea, I just got the source of profile.php.

anon
04.08.08, 22:04
Of some old page not even the admin cares about and nobody knows why is still online? :biggrin: