OWASP Challenge 8: Construct a polyglot!

Re: OWASP Challenge 8: Construct a polyglot!

sirdarckcat — Wed, 24 Feb 2010 00:28:47 -0600

congrats dude :D

Re: OWASP Challenge 8: Construct a polyglot!

ManJIT — Mon, 22 Feb 2010 16:05:41 -0600

Hi all!

Long time no message. But the judges of the OWASP AppSec Research 2010 OC have decided to give first price to Thornmaker.

This really was a nice compo. And I will use the polyglot to demo stuff. With due credit of course.

Congratulations to winning a free ticket, Thornmaker. See you at the conference this summer!
http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden

Re: OWASP Challenge 8: Construct a polyglot!

thornmaker — Sat, 30 Jan 2010 10:47:05 -0600

i couldn't get a reference to document.body like i thought, so I've reverted back to XHR. but because it's also valid html, I can still use # as a reference to the file, so that lets me avoid hard coding a reference to the file. so this should still work on any server. I also just noticed that the rules for alerting the time in Sweden changed, so this one now gets it from the client --> http://p42.us/v.html

[edit]: @SW If I'm not mistaken, we should alert the source code now, rather then writing it to the page. I like you're quine method too.

[edit 2]: sdc pointed me towards document.documentElement which lets me access the source code with document.docuementElement.lastChild so this one uses that for the quine. I don't even know if these are valid for the contest, but they're fun still :) --> http://p42.us/w.html

Re: OWASP Challenge 8: Construct a polyglot!

thrill — Fri, 29 Jan 2010 22:59:48 -0600

if you all stop trying to log in as admin maybe you'd stop getting blocked. :)

PM id with your IP addresses, social security and bank account information, he'll unblock you on the firewall.. eventually..

[edit] P.S. thornmaker.. you worry me.. heh..

Re: OWASP Challenge 8: Construct a polyglot!

thornmaker — Fri, 29 Jan 2010 18:26:11 -0600

here's a fun triglot: HTML, JS, and a GIF... all in one. The HTML embeds itself as an image and as the src to a script tag. I haven't checked, but it should be a valid contest entry too.

http://p42.us/t.html

[edit]: okay, this actually uses the fact that it's html to do the quine part, without XHR. so it's not just a cute gimmick anymore :) http://p42.us/u.html

triglots ftw!

[edit 2]: okay, this is just too much fun: http://p42.us/x.html

I got rid of any references to the file name itself so it's more portable. the only external dependency now is the xhr to get the time. maybe one of the judges can just host this file somewhere (with the correct TZ adjustment):
print strftime('%c',time()+8*3600);
?>

btw, my home server is blocked from sla.ckers too. I don't know for how long since I normally ssh tunnel in anyhow.

Re: OWASP Challenge 8: Construct a polyglot!

SW — Fri, 29 Jan 2010 11:58:42 -0600

Thanx for clarification even though it means re-doing it again!

Here you have your choice:

Browser compatible version that doesn't show all the binary:
http://discogscounter.getfreehosting.co.uk/owaspc8.html [6096b]

FF only version that alerts full source:
http://discogscounter.getfreehosting.co.uk/owaspc8ff-al.html [6138b]
(source a bit too long for the alert box)

FF only version that writes full source:
http://discogscounter.getfreehosting.co.uk/owaspc8ff-wr.html [6142b]

XHR for the quine requirement I don't think is helpful, because if the image is hosted on a different domain it won't work.

It will be interesting if there is a cross-browser solution.

Re: OWASP Challenge 8: Construct a polyglot!

Gareth Heyes — Fri, 29 Jan 2010 10:36:32 -0600

Yeah seems quite fun if not my cup of tea. Any has anyone thought about using :-

data:image/gif, ?

Then using alert(location) to obtain the source code, just a thought :D

Re: OWASP Challenge 8: Construct a polyglot!

sirdarckcat — Fri, 29 Jan 2010 10:29:55 -0600

naaaaaaaaaah its ok.. I regret my comment the chall is quite fun! even if Im not participating, I just thing that it's interesting.. at least the quine part!

Re: OWASP Challenge 8: Construct a polyglot!

holiman — Fri, 29 Jan 2010 09:45:39 -0600

@sirdarckat : very good question. When that particular challenge-item was written, nobody really considered the domain aspects of xhr. Therefore, we are now changing that rule to better suit the overall objective of getting a polyglot that is less context-depending.

To all: Our sincere apologies for having fuzzy rules and also changing the rules in the middle of the race! Hope you bear with us... Again, sorry about all this hassle.

Re: OWASP Challenge 8: Construct a polyglot!

sirdarckcat — Fri, 29 Jan 2010 03:59:01 -0600

> the javascript should get the time from the client machine

> alert(the result from an ajax request that fetches the current time in Stockholm, once every minute);

what's the ajax request for?

Re: OWASP Challenge 8: Construct a polyglot!

holiman — Fri, 29 Jan 2010 03:28:02 -0600

Regarding time-issue, after some input from John, we decided that the solution should not be tied to any particular server (since it should be able to be used in any context as a showcase). So, the javascript should get the time from the client machine and calculate stockholm time from that (best-effort).

Sorry about all the confusion about the rules!

Re: OWASP Challenge 8: Construct a polyglot!

holiman — Fri, 29 Jan 2010 02:02:22 -0600

> can you clarify whether xhr is allowed to fulfill the quine requirement?

Yes, xhr is allowed!

>For the time in Sweden part, which is preferred: hard-coding a server into the GIF so the image itself is more portable... or... not hard-coding any domain so that the image assumes the present server will have the time in some manner? The second option seems less reliable since hosting server may not have the time in the expected format, for example.

I'll get back to you on that one... Need to confer...

>If all source is put into 1 function, then write("GIF89a:;"+me+"me();") will write all unless you want the image data that's been commented out included as "source code"?

We do. Putting everything into one function would make the quine-part trivial, but we want to see *all* data that we would see if we opened the .gif in an editor. So I suspect that the trivial approach is very tricky :) (I would not dare to say it was impossible, I have been surprised here before)

Re: OWASP Challenge 8: Construct a polyglot!

sirdarckcat — Thu, 28 Jan 2010 20:03:39 -0600

> unless you want the image data that's been commented out
I think he said so:
> We want the whole source and nothing but the source (i.e : including GIF-data).

lol, I was mistaken.. this challenge is fun

Re: OWASP Challenge 8: Construct a polyglot!

SW — Thu, 28 Jan 2010 12:46:24 -0600

holiman Wrote:
-------------------------------------------------------
> Sorry we haven't answered the questions earlier, I
> have some problems connecting to *.ckers.org from
> home (for some reason, I need to tunnel somewhere
> else and connect from there - perhaps my isp is
> blocking it) .

Me too. O_o

> 4 is obtaining own source through other js calls allowed? (ie. function me(){document.write(me); ...)}
> Yes. However, the original idea with the quine was to display *all* code, not just one function. To clarify : We want the whole source and nothing but the source (i.e : including GIF-data).

If all source is put into 1 function, then write("GIF89a:;"+me+"me();") will write all unless you want the image data that's been commented out included as "source code"?

Re: OWASP Challenge 8: Construct a polyglot!

thornmaker — Thu, 28 Jan 2010 10:27:07 -0600

can you clarify whether xhr is allowed to fulfill the quine requirement?

For the time in Sweden part, which is preferred: hard-coding a server into the GIF so the image itself is more portable... or... not hard-coding any domain so that the image assumes the present server will have the time in some manner? The second option seems less reliable since hosting server may not have the time in the expected format, for example.

Will "points" be awarded for implementing features not mentioned in the original rules?

Re: OWASP Challenge 8: Construct a polyglot!

holiman — Thu, 28 Jan 2010 09:23:02 -0600

I validated both your latest submissions, the colours passed the test. You both got the size down quite a bit!

Re: OWASP Challenge 8: Construct a polyglot!

holiman — Thu, 28 Jan 2010 09:13:20 -0600

Sorry we haven't answered the questions earlier, I have some problems connecting to *.ckers.org from home (for some reason, I need to tunnel somewhere else and connect from there - perhaps my isp is blocking it) .

1. Should the JS execute in multiple browsers?
FF is the target. We will only validate that it works on FF, but bonus points if the solution is poly-browser.

2. Is it okay for the JS to be fixed to a particular server? If not, it will be hard to get the time in sweden from a serve that doesn't allow cross-domain xhr
That is okay. But again, if anyone comes up with a solution that works wiithout it- that is better.

3. binary content does not display in HTML well and will not render certain parts of the data. is this okay?
Not until now did I realise something I should have understood a while ago... Instead of displaying the data and binary on page, it is preferrable to show it in an alert. That explains my earlier comment about how I didn't see the quine by SW. Sorry, my bad.

4 is obtaining own source through other js calls allowed? (ie. function me(){document.write(me); ...)}
Yes. However, the original idea with the quine was to display *all* code, not just one function. To clarify : We want the whole source and nothing but the source (i.e : including GIF-data).

5 is using eval allowed?
Yes.

You guys rock!

Re: OWASP Challenge 8: Construct a polyglot!

SW — Thu, 28 Jan 2010 00:29:23 -0600

Here is mine new one.

Demo:
http://discogscounter.getfreehosting.co.uk/polyglot.html

Image:
http://discogscounter.getfreehosting.co.uk/owaspc8sw.gif

Sized: 6106 bytes :P

Notes:
- Runs & displays on IE(7) and FF(3.5).
- Doesn't exactly display source code (omits the value of unused string of binary).
- Uses eval to display source, not sure if it's allowed.

Re: OWASP Challenge 8: Construct a polyglot!

thornmaker — Wed, 27 Jan 2010 22:50:32 -0600

http://p42.us/ch8sub3.html