Persistent XSS VS Sql Injections

Posted on January 20, 2021January 20, 2021Categories UncategorizedTags , , , , ,

What Is Persistent XSS?

Persistent XSS, also known as persistent cross site scripting is a way to inject code into a sites database. The way this occurs is due to areas in the code, called parameters that don’t do proper security checks that communicate with the database.

You might be thinking that this sounds a lot like sql injection, and while there are similarites, there are also differences. We have one awesome example of persistent XSS art by a grey hat hacker we interviewed. He demonstrated how he put pages onto a site allowing file uploads among other things, that wasn’t his. XSS can be a method to deliver malicious code into a site, or for non-malicious purposes creating harmless pop ups.

What is the difference between sql injection and Persistent XSS?

Sql injections use the SQL language and XSS generally uses javascript. That’s one main difference. Persistent XSS can get saved to a database or stored in a file, the effects of these two differ slightly. SQL injections target the data stored in the database, usually in an attempt to steal, alter or modify that data.

Persistent XSS can end up stored in a database adding code, but the use cases are different. XSS can add malware onto your device or trick you into submitting data through a form, among other things. SQL injections as detailed above are more focused on stealing straight from the database.

Roblox Malware Bypasses Parental Controls

Posted on January 13, 2021January 25, 2021Categories UncategorizedTags , , , , , , , ,

Roblox is a game platform where anyone can make a game and interact with others. Roblox simplifies this process in their game creation software called Roblox Studio. Once you load Roblox Studio you go to view and choose toolbox to get to the models. These model creations in the toolbox can be shared and re-used in as many games as possible. This makes the issue wide-spread effecting countless games.

Roblox toolbox holiday models some infected with malware
Some of these models have malware

These models can be anything from Santa’s house to a zombie running around. Unfortunately, malware thrives on the roblox platform. We were made aware of the issue by Audrey Ortiz-Parrott, a 10 year old, who was trying to make safe games. We looked into the issue, we dived into a world of beautiful, fun malware you can play with as a character in Roblox games.

Is It Roblox malware that disabled safe chat?

Most are unaware of what we call Roblox malware, but they do know some games let them do actions they aren’t supposed to do. One feature is built by Roblox for parents who have children under 13 so they don’t talk to people in chat. A semi-popular piece of Roblox malware put in models bypasses that by disabling the parental safe chat, it then puts the player into guest chat mode. This occurs without them or their parents permission. This means strangers can talk to your kids in infected games. The name of that malware is Guest free chat script, Guest Talking Script, and Guest_Talking_Script.

We try to make things as easy to understand for people who aren’t security researchers. We settled on the word malware for this issue. Is this malware? Technically this would be called a logic bug in Roblox, but the design was prime for malicious uses.

Malware turns off parental safe chat, let's minors to talk to anyone, including adults.
One of the popular variants that bypasses roblox parental controls

Roblox could easily take care of this issue by writing a few lines of code and wiping out the majority of malware on their platform. This is possible due to the majority of the malware has the same name and same exact code in every model. This occurs, because It is shared with others who rarely modify it.

Sexual messages Malware

We are concerned about malware that injects sexual messages into chat. It says a roblox user called AmazingOmegaJames is the best person to contact for a good sexual time. His username AmazingOmegaJames is also the same name you will find his malicious script under. Unfortunately, it is in so many infected roblox models games, deleting one script won’t stop it. Deleting all the malicious scripts at once is simple to do for Roblox. It’s also worth noting that there are variants of this malware as well. This is disturbing to say the least.

After a request for comment from a reporter, all the malware we originally listed was purged. Unfortunately, the sexual messages have returned under a new name. Roblox could setup a program to automatically delete this code even when the file name changes. This is not hard to do.

Sexual messages in roblox
Roblox sexual messages added into chat by the games script.

There is a lot of other malware on Roblox, which is why we contacted them. we told them we’d like a comment, which we’ve yet to receive.

If you are a parent and this makes you concerned, you have a right to be. The good news is that this malicious code only impacts the player while they are in the current game. Once they leave the infected game, the malware stops, until they go to another game with malware.

Is this actually malware? Technically it is code unknowingly and unwittingly put into games by the game creators that abuses the chat platform, again that could be used in a malicious way. We don’t like to split hairs over names, as we want people to know about the problem in an easy to digest format. We’ve been made aware that some may like to know the technical specifics.

Chat messages from non-existent Roblox Player

The H4XX :3 malware also known as I’m getting TIRR3D sends chat messages that you frequently see in many Roblox games. These messages range from mean to violating the terms of service. The reasons you see these mean comments a lot is because of the script h4xx :3.

The malware will cause chat messages to pop up saying among other things “Hiyas! I’m a proud member of an awesome game called roblox! Wanna join it? Haha.” It has a myriad of other responses, including one that bypasses the swearing filter, to others that are just annoying. The reason we consider this malware is because it antagonizes users from a non-existent user, so they can’t be banned. Technically it is just code that abuses the platform.

Roblox malware H4XX :3 also known as I'm getting TIRR3D
More Roblox chat malware

List Of Roblox Malware

Other roblox malware that while disturbing, we have yet to write up about are listed below.

ROFL, 4D Being, Anti-Lag, Infected, Snap Reducer, Spreadify, Kill tem!, join teh moovment!”, Wormed, Trashed, asdf, J0HNSCRIPT, ROLF,kill tem, Anti-Lag2, Antivirus, Lolzorz,soz i herd u lik mudkipz,Nice little scripty, flamespread, spread, spreader. and Harmless little scripty. Some have attempted anti-viruses for roblox but none work.

We hope Roblox takes notice of this issue and starts doing something about their rampant malware issue impacting the safety of children. A few days after we wrote this there was a big purge onfmalware from the roblox site. All the malware we listed has been removed from known infected models when added to a new game. This doesn’t mean everything is malware free, some scripts like vaccine a variant of spreadify still exist.

Cyber Security Awareness Month

Posted on October 11, 2020January 20, 2021Categories UncategorizedTags , , , , , ,

What is Cyber Security Awareness Month?

For most people, October is the month of ghosts and goblins, but for the last 17 years, October is also Cyber Security Awareness Month in the USA.

Now in its 17th year, Cyber Security Month builds on the momentum initiated jointly by National Security Agency (NCSA)  and the Cyber Security Infrastructure Agency (CISA), and now cyber security month reaches more than 1.5 million members and over 1,000 organizations across the country.

Cyber Security Awareness Month is extremely useful to try and educate people world-wide about how to protect themselves online.

NCSA helps to promote understanding and awareness during Cyber Security Month through brochures, websites, seminars and programming. . Sources: 9, 14, 15

Throughout October, you will have the opportunity to obtain a variety of resources that will help you better understand the importance of cybersecurity and the simple steps you can take to protect your own business, your family and your business.

Is Cybersecurity awareness month Only for Government Agencies?

There are many successful public-private partnerships that are so important for cybersecurity. GGA provides free educational resources and services to raise awareness of the importance of cybersecurity and ensure that the public has the opportunity to be safer and safer online. The overall aim of these events is to demonstrate the value of building a smart cyber workforce and to help people strengthen their own security awareness by making them enjoy themselves. Sources: 4, 10, 13

Canada joined the United States in celebrating Cyber Security Awareness Month in October. The aim is to raise awareness of cyber security threats, promote cybersecurity among citizens and organizations and provide resources to protect the Internet through education and exchange of best practices.

In October, participating groups launched a campaign to raise awareness of online security as part of their ongoing efforts to promote identity protection and combat cyber threats. Sources: 16

National Cybersecurity Awareness Month aims to raise awareness and accountability for information security. Led by the US Department of Homeland Security and the National Cyber Security Alliance (NCSA), Cyber Security Awareness Month provides an opportunity to ensure that everyone has the resources they need to stay safe online. The initiative will be implemented from 1 October to 31 October 2017 in partnership with the US Government Accountability Office (GAO). In October, the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation (EFF), and other organizations launched a campaign to provide information, tips, and tools to educate the public about the importance of cybersecurity and combat cyber threats. Sources: 2, 5, 7, 14

What Is WebP & How It Could Make You Money In 2021

Posted on September 11, 2020September 11, 2020Categories UncategorizedTags , , ,

WebP is the latest and greatest image format, simply meaning it makes your image look awesome while making your image as small as possible, so people who have slow internet will see your site load quickly.

WebP will play a significant role in SEO come 2021 with the release of Lighthouse 6 also known as web core vitals, which we covered what that is and why you should be acting now extensively.

The reason webp will play such a significant role is because it can turn an 18 megabyte image into half a megabyte without losing the quality of the image, which is absolutely astonishing.

Core Vitals version 6 will be part of Google’s search algorithm in 2021 and the main focus is on the speed your site loads, so naturally you want to use the fastest images available, which is webp. There are a ton of webp converters available right now for free.

This article will continue to develop and expand on this topic for awhile, please subscribe if you want to get updates on it.

Google Dork queries aren’t Hacking, But Exposes Your Data!

Posted on September 6, 2020January 20, 2021Categories Uncategorized

1.0 What is a Google Dork query?

1.1 Google Dorks Can Be Used For Evil

1.2 What is Google Cache?

1.3 How Do Google Dorks Find exposed data on my site if they don’t know about my site?

What is a Google Dork query?

Google dork queries isn’t a way to hack, it is a way to refine a google search query. These queries are features most people forgot exist in Google Search, that let you optimize your results. Say you want to know about the story man in the moon, but don’t want to get the results for man on the moon. Then you would simply write your search as intext:”man in the moon” -intext:”man on the moon” – intext:”men on the moon” . I know some could say you can simplify that search by removing the intext, but what you’re looking for is in the text, so that google search parameter, also known as a google dork is best in this situation. Now you will only get results for man in the moon.

Google Dork queries Can Be Used For Evil!

Google dorks can be used for evil, which is why you need to protect your customers data. We’ve heard all sorts of reasons why companies won’t secure areas “there is no link to that section” “no one will look for that on our site”, but none of those things matter or are true. Google can find links that aren’t linked to, if it is searching a site granted it is harder, but they still succeed to do so.

This can expose your customers information, like say your customer has a bunch of sql files where all their customers data is exposed, do you think that will show up in search? Odds are if you know what to type in it will appear, which can expose your customers data, but not everyone using this ability is using it for evil, some of us are trying to use it to inform companies about the issue.

Let’s say a site has no search bar, go to Google and type in site:example.com “example” this would bring up a page on example.com with the words example. You can search by site:.gov even by file type using the Google dork filetype: . I don’t have to give your imagination much to work with, because filetype, you’re usually able to obtain some, if not all of the sites data, though it is a lot better than it was in 2012.

How do Google Dorks Use Google Cache?

While we don’t want to dive in to great specifics, even Google themselves published the most useful dork of them all cache: now, what is Google cache? Google cache is a saved copy of what is on that site, so if you don’t want to visit that site going to the google cache version of the site is great. If you don’t want the site to know you visited it, alter the google cache link to turn off javascript. This will help prevent the site knowing you viewed it in Google Cache.

How Do Google Dork Queries Find Vulnerable info on my site if you don’t know about my site?

This is a pretty logical question that people think is fact “If you don’t know about my site, you can’t find the exposed info on my site, I am a small company”, unfortunately that logic is flawed. As shown above in our man in the moon search, we didn’t specify a site, we simply searched google and filtered out man on the moon results. We also discussed other things like being able to search by .com, .gov, etc. using site and of course you can use filetype: to look up any filetype you want. So, you don’t need to specify a site to find out what is on that site, which makes protecting your customers data even more important.

We are great at this and if you need any help, feel free to contact us or hire our cyber-security experts to help secure your site for you.