Breaking Chungta.vn's Captcha (Again)

So, previously I wrote about breaking Chungta.vn’s captcha with Tesseract. At the end of the post I also mentioned pre-processing the image. Recently I found that they added some noisy lines over the text, so this is the perfect time to talk about that part.

Disclaimer: I did contact them and advised them to use a better captcha library or Google’s reCaptcha. I saw them use it a few times, and then they just went back to this horrible captcha implementation.

Forensics:For2 Google's CTF Writeup

I have only been on my journey in information security for a while, and my forensic skills are somewhat non-existent, so I’m pretty excited when I can solve a decent forensics problem in a CTF (that’s why I need to write about it right away).
So, I could solve some Web challenges and a plaintext IRC log extraction, and move myself up the scoreboard a little. That’s when I tried to see the challenge other people around me were solving. And I thought maybe I can solve this (it helps a lot, since I thought about giving up several times, which is also a problem I need to fix myself). This is how a newbie solves the problem.

XSS vulnerabilities on VnExpress

XSS on e.vnexpress.net

Recently I found two XSS vulnerabilities on the VnExpress website. It all began with the newly introduced English version of VnExpress, and I didn’t have to spend a lot of time to find that the search box wasn’t escaped properly. Just doing a search with "> will reveal this.

XSS on e.VNE

It is a pretty serious problem if anyone still doesn’t care about escaping user input, especially in a search box. Luckily, a normal XSS payload will only work on Firefox, because Chrome and IE have had XSS Auditor for a while now (you can still bypass it, which I will tell you about later). Also, because the site doesn’t have user accounts yet, the best I can do is launch a phishing attack (I just did a PoC to demo what I can do, not to really attack anyone).

How VCB OTP works and How not to do it

The App

So recently Vietcombank released a Smart OTP app for Android (not so recently anymore, since I’ve been holding up the post for a while). They seem to be the first bank to release an app-based OTP, so let’s take a look at how they did it.

I’m not an Android programmer by any means, so it took a while to understand the code and to collect the tools; you may have better results if you are. Also, I’m a terrible programmer, so take my words with a grain of salt.

Breaking Chungta (or VNExpress) captcha with Google's OCR

The Captcha

VNExpress, Chungta.vn, ngoisao.net: they’re all using a simple Captcha system to prevent bot voting and email submission. Unfortunately, the system is so easy that we can get around it in five minutes. (So the voting polls, and all the competitions based on voting on VNExpress, are useless.)

Recently, chungta.vn announced a new beta site with a new design. Let’s take a look at it to see if the internals are still the same.

Goodbye Blogspot, Hello Hugo

Goodbye (any) traditional blogging system

I used Wordpress for like 8 years, wrote some plugins myself (some of which I already published), eventually got tired of managing my own hosting, and switched to wordpress.com. Then Wordpress.com wanted 15 dollars a year just for the custom domain feature, and I switched to Blogspot. I happily used Blogspot for a while, but even so, the experience was not that great. Some examples:

  • Bloated: there are so many features I don’t use, and the features I do use, I have to code in manually.
  • Editor: I hate the WYSIWYG editor; it’s bloated (again) with non-standard tags and bbcode. It’s easy to break with my horrible Internet connection, and it doesn’t behave the way I want it to. I wanted to use Markdown, but writing in Markdown, then converting to HTML and copying into the WYSIWYG editor, is not a pleasant way to work.
  • Ugly themes: It seems that no one wants to use a minimalist theme with Blogspot (or even Wordpress). I’m happy to remove most features for a minimalistic approach, but to no avail. Every minimal template/theme wants to retain most of the core features (which is not a bad thing). I’m a horrible designer and I know very little about CSS, so in the end it’s still a problem I had to deal with.
  • Bloated website: The website is bundled with a lot of useless things: some stupid Google JavaScript that I don’t bother to read, Google+ JS, some other Google one, then some more Google+, a lot of default Blogspot CSS, jQuery, api.js, a source code highlighting script… For every feature I added, I had to add some JavaScript/library too.
  • Always online: I used some offline clients, but the truth is: you never know how your post will display until you submit it, only to find some problem and have to fire up the online editor. And the downtime: every person in the world tells me Google’s uptime is the best, but I occasionally find some problem with the editor or the admin interface.

I could make myself a static website; I even had one before I used Wordpress (with a lot of marquee). I don’t write much anyway, but again, I’m a horrible designer, so the website would be ugly.

Stripe-CTF Level 1 with Golang

This year’s Stripe-CTF brings something interesting to the table: cryptocurrency. I already knew about cryptocurrency and Bitcoin in general, but it’s amazing how Bitcoin relates to Git.

The level is here: https://stripe-ctf.com/levels/1

Basically, like Bitcoin, you have to find a block, which in this case is a git commit. The commit must have a hash lower than the target difficulty, specified in the file difficulty.txt. You compete against a bot, and you have to find and submit a block/commit before it does.

Bitcoin Protocol: The Basic

In the previous post, you learned what cryptocurrency is in general and how it works. However, that post only touched on one of the most prominent aspects of the Bitcoin system. If you want to dig a little deeper, how does Bitcoin work?

This post aims to analyze the meaning of this form of cash and how it operates. First, a quick recap of cryptocurrency.

Silk Road and what you need to know

At a tech meetup I came across the line “How does Silk Road secure its website?”, and I realized that people read the news and know about Silk Road, but don’t understand what it is at all. And so, another rambling post was born.

So, the first question: what is Silk Road?

  • Silk Road is a black market operating on the Tor network.

That is enough to answer the question “How does Silk Road secure its website?”: the answer is “Silk Road doesn’t secure its website at all”.

Bitcoin - How they made it

Bitcoin is no longer new; it has been around for a few years now. But only recently has it exploded into an extremely convenient form of payment.

Bitcoin is a cryptocurrency; understanding exactly what Bitcoin is requires a certain amount of knowledge about software, crypto, and networking. However, we can still approach Bitcoin and understand it as an “informed” user.