Internet Security Systems - AlertCon(TM)

CLPWN

Posted by Gunter Ollmann on August 15, 2007 at 3:01 PM EDT.

Looks like XSS-4-fun is back in vogue, not that it ever disappeared…

This morning I stumbled across the home site of that “notorious blackhat hacker team known only as CLPWN”.

The fun site has been pointing out several cross-site scripting vulnerabilities in sites such as Playboy Casino, CNN International, USA Today and ABC11 Eyewitness News, and it looks like quite a few ‘whitehats’ are taking it all a bit too seriously (which promotes even more amusement on the site).

Not that any of the techniques are new, in fact I publicly did the same kind of thing back in March 2002 with my Microsoft Says “Linux is the future” article injected in to a popular news site of the day (it’s about three-quarters down the page on my HTML code injection and cross-site scripting paper) – so I’m hardly in a position to lambast the clowns :-)

You’ve just got to love statements like we “… should accept that while the previous models of ‘unix’, ‘root’ and ‘off-by-one reverse bindspray heap evasion’ were very impressive for their time, they no longer apply in the new elite blackhat hackers world of cross-web domain rejacking and automated fuzz phishing denials.”  I guess we only have ourselves to blame for the nonsensical names we come up for new attacks.

Let’s hope that some of these 'victims' notice the flaws in their online applications – it’s not that difficult to fix or protect against!

In the meantime, check out the site and have a chuckle.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.