made me feel blue…

Two years ago I decided to get a personal site. I was after two things: flexibility and low cost. I didn’t want to get a VPS but I also didn’t want the hosting packages of one domain and 350MB of space. So I found a shared hosting provider that was giving me unlimited hosted sites, unlimited databases, unlimited bandwidth and unlimited disk space for about 35 euros for a year… that in my book was a great deal! So I went ahead and bought it. In that year I was generally happy with them. My pages were occasionally a bit slow but still fast enough for my sites’ needs. The problem was that the 35 euro price was an introductory price and the next year IPage asked me for triple that amount… Since I didn’t feel like that was a good thing (now that you are a customer we’ll suck you dry) I decided to look elsewhere. A colleague at work recommended Bluehost, which offered me the same things as IPage plus SSH access for about 50 euros per year. I went for that and I was quite happy… until this week… Continue reading

Posted in Miscellanea | 19 Comments

Stored XSS on Statcounter!!!

Stored XSS on popular Web statistics framework Statcounter. Log yourselves out of Statcounter and if possible disable JavaScript for the domain (possible in Chrome, not sure about Firefox)… Will give more details when Statcounter fixes it. The only reason I am saying it here is because my Statcounter logs just started popping alert boxes!

Posted in Miscellanea | Leave a comment

What do you call?

Joke I just made up:

What do you call a woman who first says to you “I love you” but ten minutes later she adds “I actually don’t, but don’t feel bad because I say that to all men”?

Continue reading

Posted in Miscellanea | Leave a comment

Firefox and Self-XSS

I still remember the good old days when I would just write “javascript:alert(document.cookie)” in my address bar and the browser would happily show me the JavaScript-accessible cookie values for the current domain. These were simpler days…

Mid-2011 the developers of Firefox decided that allowing the “javascript” directive in the URL bar was being abused by attackers to conduct self-XSS attacks more than it was being used for legitimate purposes. If you are not familiar with self-XSS fear not… they are quite easy to explain. Continue reading

Posted in Breaking stuff | 4 Comments

If he was good enough…

Stanford's Course on AI

Since the beginning of October I’ve been following the online AI course from Stanford, taught by Sebastian Thrun and Peter Norvig. In the last two months, I’ve given up a great part of my free time to look at videos, do quizzes, read clarifications on the AI page on Reddit and complete assignments. I will not say it was not worth it. It definitely was. I’ve learned so much and I already have ideas on how to use Artificial Intelligence (specifically Machine Learning) in my own field (Computer Security).

Last night, I noticed a link on the course website that led me to a YouTube video of the latest Google+ Hangout where two AI professors, along with Sal Khan, the founder of Khan Academy and a handful of students from some universities in the US were talking about the future of education and how these new ways of teaching are “reinventing education”.

I was listening to their discussion when the following comment by Prof. Thrun really jumped out of the page and hit me on the head…

Continue reading

Posted in Miscellanea | 5 Comments

Bypassing Chrome’s Anti-XSS filter

It’s been a while since my last post so I decided to make it worthwhile :). I was recently checking a friend’s site for the classic Web application vulnerabilities, when I found a reflected XSS attack. While I was investigating the bug, I noticed that while the bug worked on Mozilla’s Firefox, it didn’t work on Google’s Chrome. As it turns out, Chrome uses an Anti-XSS filter, based on static analysis, which attempts to detect XSS. If it detects such an attempt, it filters out the injected code, and effectively stops the on-going attack.

In order to demonstrate this, I made a vulnerable page at This page simply reads two GET parameters, namely a and b, which it then prints out in the resulting page.

To show that injection is possible, I start by injecting some HTML which is indeed rendered as part of the HTML page.

Continue reading

Posted in Breaking stuff | 31 Comments

Write your own SSHD backdoor

This article is not written by me. I found it online, but only in one place so this is effectively a mirror for it. Enjoy 🙂

/*****************************************************************************/
/* Tutorial: How to write a backdoor for OpenSSH. */
/* Date: June 29, 2005 */
/* Author: pikah ( */
/* Website: */
/* */

Continue reading

Posted in Uncategorized | Leave a comment

A peek in Google’s past with phpinfo()

You have to love phpinfo(). This simple PHP function prints out a truck-load of information regarding all kinds of configuration details of your Apache + PHP installation. It is very helpful to a Web administrator who is trying to debug his installations and also very “helpful” to attackers who can get quite a good peek at what goes on inside your installation, such as:

  • PHP Version running on the machine (cough*exploits*cough)
  • Operating System
  • Paths to your Web applications
  • All modules installed

Continue reading

Posted in Miscellanea | Leave a comment

Security inconsistencies…

While I was in Eindhoven for OWASP BeNeLux 2010 I was at some point searching online for WikiLeaks posts regarding Greek politics. I was checking the results from the first page of Google when suddenly this caught my eye:

Continue reading

Posted in Miscellanea | 1 Comment

Hello world!

On the 3rd of December 2010 I decided to start this blog. I am way too busy to update this on a regular basis; however, I plan to post here all the things that I find (interesting|smart|stupid) enough to share with the rest of the world.

Thanks for stopping by 🙂

Nick Nikiforakis

Posted in Uncategorized | 1 Comment