
Google’s Clock hits Zero

Posted by admin on Jan 1, 2010 in Today's News

Google's New Year

Well, it's now 2010 and the countdown clock on Google's I'm Feeling Lucky page is displaying fireworks.

Happy New Year everyone.

The URL for I'm Feeling Lucky is:

http://www.google.co.uk/search?&btnI=3564&q=

Just add whatever you want to the end of the query (q) parameter and Google will take you straight there.

So how could this be used?

Well, how about a simple Rick Roll:

http://www.google.co.uk/search?&btnI=3564&q=Rick Astley Video

Let's change those words, as they look too obvious.

Just a tiny bit of URL encoding and we're done :-)

http://www.google.co.uk/search?&btnI=3564&q=%52%69%63%6b%20%41%73%74%6c%65%79%20%56%69%64%65%6f

Yep, looks like a normal Google link to me. How many people would know that the above URL would get them Rick Rolled?

Well, how about I now go out and buy myself a nice IDN domain which looks exactly like Google.com, but no matter what you type in I return nothing but pay-per-click ads (remember, the site would look exactly like Google.com).

I'm sure you now get the idea: just because someone posts a Google link, and it could even be a real Google link like the ones I used above, it doesn't mean you won't be sent to a virus site or a site you did not intend to visit.

Be safe, and once again Happy New Year.
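The defensive counterpart to the trick above is to decode a link before trusting it. The following is an added example (not code from the original post): it takes a search-style URL, percent-decodes the q parameter, flags the btnI "I'm Feeling Lucky" parameter that skips the results page, and flags hosts that are IDN / punycode and so could be look-alike domains. The sample links are constructed for the example; the non-ASCII host uses the reserved .example domain.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample links. The second is the percent-encoded form from the
# post; the last uses a non-ASCII (IDN-style) host under the reserved
# .example TLD so it cannot resolve to a real site.
SAMPLE_LINKS = [
    "http://www.google.co.uk/search?&btnI=3564&q=Rick%20Astley%20Video",
    "http://www.google.co.uk/search?&btnI=3564&q=%52%69%63%6b%20%41%73%74%6c%65%79%20%56%69%64%65%6f",
    "http://www.google.co.uk/search?q=test+managers+blog",
    "http://www.g\u043e\u043egle.example/search?&btnI=3564&q=anything",
]


def inspect_search_link(url):
    """Decode a search-style URL and report what it will actually do.

    Returns the host, the decoded q= text, whether the link carries the btnI
    ("I'm Feeling Lucky") parameter that redirects to the first result instead
    of showing a results page, whether the query was percent-encoded, and
    whether the host is an IDN (non-ASCII, or a punycode 'xn--' label).
    """
    parts = urlsplit(url)
    # parse_qs percent-decodes values and turns '+' into spaces for us.
    params = parse_qs(parts.query, keep_blank_values=True)
    host = parts.hostname or ""
    labels = host.split(".")
    return {
        "host": host,
        "query": params.get("q", [""])[0],
        "feeling_lucky": "btnI" in params,
        "was_encoded": "%" in parts.query,
        "idn_host": (not host.isascii()) or any(l.startswith("xn--") for l in labels),
    }


def explain(url):
    """One-line human-readable verdict, handy for pasting into a ticket."""
    info = inspect_search_link(url)
    warnings = []
    if info["feeling_lucky"]:
        warnings.append("redirects straight to the top result for the query")
    if info["was_encoded"]:
        warnings.append("query text was percent-encoded")
    if info["idn_host"]:
        warnings.append("host is an IDN and may be a look-alike domain")
    tail = "; ".join(warnings) if warnings else "plain search link"
    return f'{info["host"]} searches for "{info["query"]}" ({tail})'


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(explain(link))
```

Run it and the percent-encoded link decodes back to the plain "Rick Astley Video" query, with the btnI redirect called out; the same check is cheap enough to run on every link in a mail or chat gateway.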

Google Fireworks

Google’s new year count down clock

Posted by admin on Dec 14, 2009 in Today's News

New Google Easter Egg - Feeling Lucky

Well, it seems that Google has placed a new Easter egg on its main site for UK searches.

If you click on the I'm Feeling Lucky button you will be taken to a countdown clock.

There was a lot of speculation about what the countdown timer meant.

But it seems quite obvious that it is the New Year countdown clock (nice touch).

In the past they have had other strange Easter eggs (aliens / crop circles, infinite loops and the famous Konami code).

All good fun, and it's nice to break up the monotony of carrying out tons of searches.

If you've found any interesting Easter eggs in any of the major search engines then feel free to post below in the comments.


Stanford Found – Today’s News

Posted by admin on Feb 24, 2009 in Today's News

Directory Browsing

Background Story

Sir Allen Stanford, who is believed to be involved in one of the biggest banking frauds, has been found by FBI agents in America.

It was originally thought that he was hiding out in the Caribbean.

The fraud has global implications, not only for the main Stanford bank but also for all of his other corporations and those who have invested with him. There has been a "run" on the bank in the past couple of days as investors have attempted to get at their cash.

BBC News Link

Site = SIB DIRECT

Defect Found = Open Directory Browsing

Time Taken to find from arriving at homepage = about 10 minutes.

As always, site admins notified.

Now, as this is an online bank, I decided to hold the post back a few days. It's now 00:40am on 20th Feb 2009 and I'll keep the post on hold for 5 days for them to fix the issue.

It should just be a quick 5 minute fix, but as we all know even a 5 minute code fix can still take a day or two to test. For me it's the deployments to the test, staging and then production environments, and not the actual testing of the code, that take the time in issues like this.

***************EDIT***************

Even after the 5 days, which is the length of time the post was delayed for, the issue is not resolved. I've also not heard back from anyone at Stanford.

***************EDIT No. 2 - 25th Feb 2008 ***************

The receivers have been called in and the links are no longer working, which is a good thing for the security of the users but a bad thing, as they have most likely lost their deposits.


Geert Wilders – Today's News

Posted by admin on Feb 13, 2009 in Today's News

Nasty Man

Not a nice guy.

(Even so, I've still notified the site admin in question.)

Background story.

He's a right-wing Dutch MP who has made a very one-sided mockumentary about Muslims and how he thinks that the Qur'an only preaches death and killing. I'm not religious at all; however, I do know that virtually any person can take the text from any religious doctrine and use that text to prove any point they may wish to make.

He was invited to the UK by some other right-wing MPs (UKIP Party) and he was thankfully turned down by our government on the grounds that they deemed him to be a person who spreads race hate.

This led to a welcome debate on the validity of freedom of speech.

BBC News Link

Site = http://www.geertwilders.nl

Defect Found = Open Log and Stats File

Time Taken to find from arriving at homepage = about 32 minutes.

This was a hard one due to his site using off-the-shelf secure software (Mambo, I think) and also using Google for all searching, which meant I knew XSS was a no-go from the start. I then looked for subdomains and, although I found many, all were 401s. I tried a few other things and then, just when I thought that this site would beat me, I gave a quick check of common directories and came up with "TMP". I then looked for common file names and came up with "log.txt", and hence the site error.

Remember that the reason for the "Today's News" section is to attempt to show that virtually all sites out there have some kind of error that affects the website's security or usability, or perhaps a business logic flaw.

Some people may think that this is low-hanging-fruit type stuff, and they may be correct; however, as the sites in question will be all over the TV today and on the front page of tomorrow's papers, they are easy targets for potential hackers and SEO black hats alike.
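Both this post (a log file sitting in a web-served tmp directory) and the Stanford post above (open directory browsing) come down to content that should never have been in the document root, or directories that the server will happily list. The quickest place to catch that is before deployment, on the tree itself. The following is an added example, not code from the blog or from either site: it walks a local copy of a document root, reports directories that have no index file (listable if directory indexing is on) and files whose names suggest logs, stats, temp or backup data. The webroot it audits is constructed in a temporary directory so the example runs offline.

```python
import os
import re
import tempfile

# Names that commonly leak data when a web server hands them out directly:
# tmp/log/stats/backup directories and log, text, backup or SQL dump files.
# Constructed list for illustration; extend it for your own deployment.
SENSITIVE_PATH = re.compile(
    r"(^|/)(tmp|temp|logs?|stats?|backup)(/|$)|\.(log|txt|bak|old|sql)$", re.I
)
# A directory with none of these is a candidate for an auto-generated listing
# if the server has directory indexing switched on.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.aspx"}


def audit_webroot(root):
    """Walk a local copy of the document root and return sorted findings.

    Each finding is ("listable", "dir/") for a directory without an index file,
    or ("sensitive", "path/to/file") for a file whose name suggests it should
    not be web-accessible. Run this against the deployable tree before release.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel = "" if rel == "." else rel
        if not INDEX_FILES & set(filenames):
            findings.append(("listable", rel + "/"))
        for name in filenames:
            path = f"{rel}/{name}" if rel else name
            if SENSITIVE_PATH.search(path):
                findings.append(("sensitive", path))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed throwaway document root mirroring the two posts:
    a tmp/log.txt file and an images directory with no index page."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.html": "<html>home</html>",
        "docs/index.html": "<html>docs</html>",
        "docs/terms.html": "<html>terms</html>",
        "images/banner.png": "",
        "tmp/log.txt": "2009-02-13 12:00:01 GET /admin 401\n",  # constructed line
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, path in audit_webroot(build_sample_webroot()):
        print(f"{kind:10} {path}")
```

On the sample tree it reports images/ and tmp/ as listable and tmp/log.txt as sensitive, while docs/ passes because it carries an index page. Pairing this with directory indexing switched off at the server is the actual fix; the audit just makes sure the fix is not relied on alone.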


Today’s News FSA Boss Quits

Posted by admin on Feb 11, 2009 in Testing, Today's News, WebAppSec, XSS

I've decided to do a new piece called Today's News.

What I'll do is take a quick look at the television news stations to work out what the top news story is, and then I'll give the website of the company or organisation involved a quick test. I'll also state how long it took me to find the issue.

The site will be notified of course, and I'll update the blog post with any updates and responses from the site admin.

This will most likely be based on a Web Application Security (WebAppSec) test. I'll leave out all of the 404s and orphaned links, etc.

Today's major story was that the head of the FSA, and a close advisor to Gordon Brown, resigned.

FSA

http://news.bbc.co.uk/1/hi/business/7883409.stm

Site = http://www.fsa.gov.uk/

Defect Found = XSS

Time Taken to find from arriving at homepage = 3 minutes and 12 seconds.

Now, some people may think that this is low-hanging-fruit type stuff, and you may be correct; however, as the sites in question will be all over the TV today and on the front page of tomorrow's papers, they are easy targets for potential hackers and SEO black hats alike.

Copyright © 2010 The Test Managers Blog. All rights reserved.