Based in San Francisco Bay Area, Securesql is a blog by John Menerick. His insights dissect complex systems, offering a masterclass in cyber guardianship through expert analysis and cutting-edge protective strategies.

English is not the Internet's language

For those who think English or decimal is the only way to browse the Internet, you have another thing coming. What we see below is Google filtering on a specific string representation, i.e. matching on this decimal. So when we speak a different representation of the same number, we bypass their filtering and the backend application still understands our request.

 

For instance: Google hacking credit card numbers

4060000000000000..4060999999999999: Fail.

http://www.google.com/sorry/misc/?continue=http://www.google.com/search%3Fq%3D4060000000000000..4060999999999999%26oq%3D4060000000000000..4060999999999999%26aqs

 

0xe6c8c69c9c000..0xe6d753e6ecfff: Success

https://www.google.com/#q=0xe6c8c69c9c000..0xe6d753e6ecfff+dump  

 

See http://www.toptal.com/web/with-a-filter-bypass-credit-card-numbers-are-still-still-google-able and https://www.owasp.org/index.php/Category:Encoding for additional information.
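The defensive counterpart, as an added example that is not from the original post and does not describe Google's actual filter: decode each range endpoint to its integer value first, then apply the rule to the value instead of the string. The function names, the regexes and the "both endpoints are 16-digit values" rule are assumptions made for illustration; the two queries are the ones shown above.

```python
import re

# One numeric token: 0x-prefixed hex or plain decimal (the two forms on this page).
TOKEN = re.compile(r"0[xX][0-9a-fA-F]+|\d+")
# A "lo..hi" range operator between two whitespace-free tokens.
RANGE = re.compile(r"(\S+?)\.\.(\S+)")


def naive_blocks(query):
    """Hypothetical string-level filter: only sees 16-digit decimal literals."""
    return re.search(r"\b\d{16}\.\.\d{16}\b", query) is not None


def canonical(token):
    """Return the integer a decimal or hex token denotes, or None if not numeric."""
    if not TOKEN.fullmatch(token):
        return None
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def canonical_blocks(query):
    """Canonicalize first, then filter: the rule is applied to decoded values."""
    for lo, hi in RANGE.findall(query):
        a, b = canonical(lo), canonical(hi)
        if a is None or b is None:
            continue
        # Assumed rule: both endpoints are 16-digit numbers once decoded.
        if all(10**15 <= n < 10**16 for n in (a, b)):
            return True
    return False


if __name__ == "__main__":
    for q in ("4060000000000000..4060999999999999",
              "0xe6c8c69c9c000..0xe6d753e6ecfff dump"):
        print(f"{q!r}: naive={naive_blocks(q)} canonical={canonical_blocks(q)}")
```

Any other encoding the backend accepts has to be added to `canonical` as well; the filter and the backend must agree on what a token means.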
