OWASP Challenge 8: Construct a polyglot!
Posted by: ManJIT
Date: January 21, 2010 05:42AM

This is the official thread for OWASP AppSec Research Challenge 8 where you're supposed to construct an OWASP polyglot -- a gif image that can also be run as JavaScript!

Show image: <img src="owasp_logo.gif">
Run script: <script src="owasp_logo.gif"></script>

Rules and howtos here: http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=Challenges

Post your challenge polyglots as images in this thread. And have fun!

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: Gareth Heyes
Date: January 21, 2010 06:11AM

Where's the challenge if it's already been done?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: sirdarckcat
Date: January 21, 2010 08:15AM

hmm actually.. it is a bit complicated

1.- it should not grow in size (we can't put out payload at the end).
2.- it should not modify the image by more than 4 pixels

sadly, they give a link to a doc that explains how to do it, so.. this is only a race of who codes faster.. lol

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: ManJIT
Date: January 21, 2010 09:15AM

We can take away the link but now you guys have seen it :).

We just thought it would seem too hard if we didn't provide some guidance.

Another cool thing with this challenge is that this polyglot will be a really cool showcase for talks on input validation and XSS. Your users are allowed to upload gif images but not JavaScript. Then someone uploads a polyglot ...

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: ManJIT
Date: January 21, 2010 09:18AM

... and the first Google hit you get for "polyglot gif" is Jasvir's blogpost.

... and the second link in his blogpost points to the howto article.

So no harm done IMHO.

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: sirdarckcat
Date: January 21, 2010 10:11AM

My meaning (and I think Gareth's too) was.. letting us do something new would have been more fun.. we can manage to go around almost anything.. the JS GREAT WALL was the only one that has stopped us (so far..).

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: Gareth Heyes
Date: January 21, 2010 10:11AM

Personally I'm only interested in a challenge that involves imagination; if there's a set conclusion and part of it has already been solved then there's no fun in it for me. Obviously though I don't want to spoil anyone's fun and you don't have to agree with me. I'll look out for the next challenge though.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: Anonymous User
Date: January 21, 2010 11:48AM

For some inspiration on how to not have it grow, check this file I created for last year's Confidence talk: http://0x.lv/xss.gif

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: holiman
Date: January 21, 2010 01:33PM

@Gareth: I wouldn't call it solved. It is a multistep challenge, one of which is to create a quine, and meet the size constraints.

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: sirdarckcat
Date: January 21, 2010 07:53PM

the challenge is to make the smallest code that does a lot of payloads?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: ManJIT
Date: January 22, 2010 04:42PM

@sirdarckcat
More or less. But we didn't want to focus the rules too hard on file size since that would just make it into a gif compression challenge.

So, we give you a list of increasingly complex payloads to squeeze into the gif without it _growing_ in size. If your gif is smaller than everyone else's, or if you manage to fit in even more JavaScript features in it -- well, I'm impressed!

I really think that whoever solves this one will get a lot of credit since people will be using the gif as a showcase of potential filter evasion and how hard input validation really can be. At least I will :))!

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: rvdh
Date: January 23, 2010 04:23PM

It can't.

If it's supposed to run as an external javascript too, editing the gif with a hex-editor means that you must comment out the GIF89a header because it contains illegal characters for javascript that is included through script. If you are to write all the gif data byte for byte by javascript then it doesn't work as an image.

Edit: Never mind, I just read the post @ http://www.thinkfu.com/blog/gifjavascript-polyglots. That's pretty smart to set the GIF89a header as a JS variable. I'm a bit stunned that it actually works.

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: SW
Date: January 25, 2010 09:44PM

What do you mean not growing..........?

That you can't increase the logical screen size (seems impossible), or you have to compress the image data to save enough bytes to type up all your JS in?

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: sirdarckcat
Date: January 26, 2010 12:04AM

size in bytes I think, this one:

http://www.thinkfu.com/images/thinkfu-js.gif

is quite big..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: SW
Date: January 26, 2010 03:14AM

Demo on my l33t website:
http://discogscounter.getfreehosting.co.uk/blarg.html

It doesn't follow the color rules and is bloated, I just made it as an excuse to learn some things I didn't know before. :)

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: holiman
Date: January 26, 2010 05:52AM

@SW : Yes, we are talking about byte size : one restriction is to *not* bloat the file. And, the logical size of the gif image must be preserved. Nice first shot! I see alerts showing time, but the filename indicates quines also. Is that implemented?

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: SW
Date: January 26, 2010 10:00AM

This is what I see with FF3.5, is it correct? Or is it supposed to print out all the image data that's commented (currently represented by /*huge crap*/)?
http://img27.imageshack.us/img27/402/blarggg.jpg

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: thornmaker
Date: January 26, 2010 05:12PM

http://p42.us/ch8.html

Unless I messed up along the way (mapped a pixel incorrectly, flipped the wrong bit in the lzw compressed data, etc), this should meet all the requirements for the contest. No pixel should be more than "5" away from the original using the rgb metric specified in the rules. The file size did not grow (shrunk to 6768 bytes). Meeting these two requirements simultaneously is really the main difficulty. Once you've got that figured out, turning it into a quine, and doing the other JS requirements is really easy. I'm sure the JS can be shrunk down a few more bytes so someone can easily take this and get it smaller... but whatever.

I might update the file on my server, so here's a copy of the original one I'm submitting: .
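As an added example (not code from the thread, nor the checker SW or thornmaker wrote), here is a Python validator of the kind they describe: it parses the GIF, decodes the LZW image data of the first frame, and compares a candidate against the original on the three criteria the thread lays out (byte size must not grow, the logical screen size must be preserved, and no pixel may move more than 5 from the original). Assumptions: the "rgb metric" is taken to be Euclidean RGB distance, since the thread only says it is specified in the rules; transparency, later frames and interlaced images are not handled; and `tiny_gif` builds a constructed 2x2 sample, not the OWASP logo.

```python
import math
import struct

def _subblocks(buf, pos):
    """Join the GIF data sub-blocks at pos; return (data, position after the zero-length terminator)."""
    out = bytearray()
    while buf[pos]:
        out += buf[pos + 1:pos + 1 + buf[pos]]
        pos += 1 + buf[pos]
    return bytes(out), pos + 1

def _colour_table(buf, pos, packed):
    """Read 2 << (packed & 7) RGB entries if bit 7 of packed is set; return (entries, new pos)."""
    if not packed & 0x80:
        return None, pos
    n = 2 << (packed & 7)
    return [tuple(buf[pos + 3 * i:pos + 3 * i + 3]) for i in range(n)], pos + 3 * n

def _lzw_decode(data, min_code_size, npix):
    """Decode GIF-flavoured LZW (LSB-first, variable-width codes) into npix colour-table indices."""
    clear, eoi = 1 << min_code_size, (1 << min_code_size) + 1
    base = [bytes([i]) for i in range(clear)] + [b"", b""]   # placeholders for the clear and end codes
    table, code_size, prev = list(base), min_code_size + 1, None
    out, bitbuf, nbits, pos = bytearray(), 0, 0, 0
    while len(out) < npix:
        while nbits < code_size and pos < len(data):         # refill the bit buffer, LSB first
            bitbuf |= data[pos] << nbits; nbits += 8; pos += 1
        if nbits < code_size:
            break
        code = bitbuf & ((1 << code_size) - 1)
        bitbuf >>= code_size; nbits -= code_size
        if code == clear:
            table, code_size, prev = list(base), min_code_size + 1, None
            continue
        if code == eoi:
            break
        if code < len(table):
            entry = table[code]
            if prev is not None and len(table) < 4096:
                table.append(prev + entry[:1])
        elif code == len(table) and prev is not None:        # code not yet in the table (KwKwK case)
            entry = prev + prev[:1]
            table.append(entry)
        else:
            raise ValueError("invalid LZW code %d" % code)
        out += entry; prev = entry
        if len(table) == 1 << code_size and code_size < 12:  # table filled this width: codes grow a bit
            code_size += 1
    if len(out) < npix:
        raise ValueError("LZW stream ended before %d pixels" % npix)
    return bytes(out[:npix])

def decode_gif(buf):
    """Return (screen_width, screen_height, pixels) for the first, non-interlaced frame of a GIF: pixels
    is row-major over the logical screen, (r, g, b) per pixel, None where the frame does not cover it."""
    if buf[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", buf, 6)
    palette, pos = _colour_table(buf, 13, packed)
    while pos < len(buf):
        tag, pos = buf[pos], pos + 1
        if tag == 0x21:                                      # extension: label byte, then sub-blocks
            _, pos = _subblocks(buf, pos + 1)
        elif tag == 0x2C:                                    # image descriptor
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", buf, pos)
            local, pos = _colour_table(buf, pos + 9, ipacked)
            min_code_size, (data, pos) = buf[pos], _subblocks(buf, pos + 1)
            screen, colours = [None] * (width * height), local or palette
            for i, idx in enumerate(_lzw_decode(data, min_code_size, w * h)):
                x, y = left + i % w, top + i // w
                if x < width and y < height:
                    screen[y * width + x] = colours[idx]
            return width, height, screen
        else:                                                # trailer (0x3B) or junk: stop looking
            break
    raise ValueError("no image data found")

def compare_gifs(original, candidate, max_distance=5.0):
    """Judge-style check: byte size must not grow, the logical screen must match, and no pixel may move
    more than max_distance (Euclidean RGB distance is an assumption; the thread does not name the metric)."""
    w1, h1, p1 = decode_gif(original)
    w2, h2, p2 = decode_gif(candidate)
    report = {"bytes": (len(original), len(candidate)), "size_ok": len(candidate) <= len(original),
              "screen_ok": (w1, h1) == (w2, h2), "max_distance": 0.0, "bad_pixels": []}
    if report["screen_ok"]:
        for i, (a, b) in enumerate(zip(p1, p2)):
            # Uncovered screen area (None) must stay uncovered; otherwise measure the colour shift.
            d = (0.0 if a == b else float("inf")) if a is None or b is None else \
                math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
            report["max_distance"] = max(report["max_distance"], d)
            if d > max_distance:
                report["bad_pixels"].append((i % w1, i // w1))
    report["ok"] = report["size_ok"] and report["screen_ok"] and not report["bad_pixels"]
    return report

def tiny_gif(palette):
    """Constructed 2x2 GIF89a (not a challenge file): indices 0,1,1,0 over a 2-colour global table."""
    return (b"GIF89a" + struct.pack("<HHBBB", 2, 2, 0x80, 0, 0) + b"".join(bytes(c) for c in palette)
            + b"\x2C" + struct.pack("<HHHHB", 0, 0, 2, 2, 0)   # descriptor, then LZW min code size 2
            + b"\x02\x03\x44\x02\x05\x00\x3B")                  # 44 02 05 = clear,0,1,1,0,end; trailer

if __name__ == "__main__":
    print(compare_gifs(tiny_gif([(0, 0, 0), (255, 255, 255)]), tiny_gif([(3, 4, 0), (255, 255, 249)])))
```

Against real files this is `compare_gifs(open("owasp_logo.gif", "rb").read(), open("candidate.gif", "rb").read())`; the black entry moved by exactly 5.0 passes while the white entry moved by 6.0 is reported under `bad_pixels`. The same decoder is the defensive counterpart of the challenge: an upload handler that decodes and re-encodes every image keeps only the pixels, so whatever else the bytes parse as does not survive.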

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: sirdarckcat
Date: January 26, 2010 08:25PM

awesome thornmaker :)

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: SW
Date: January 27, 2010 05:42AM

thornmaker,
I see you query your own source code for displaying... that's typically not allowed for a quine?

Yea the image optimization is a bit tricky. I couldn't find ANY useful tools so I just had to write a program to calculate it. Image now is ~5.6kB without code.

Before working on the code again, I figured I should make a comparer to test if my algorithm (and human entry) worked right. I guess I have (at least) 1 error to locate. I also ran it on yours for curiosity and see you may have a few errors too (if my prog works right! not official!). http://pastebin.com/m4797cab3 I guess you can fix it based on that, yw. ;)

As for all these 255 lines, I guess the original picture used black for the transparent background. Is it important we maintain this?

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: thornmaker
Date: January 27, 2010 09:01AM

Yeah, I wrote a compare program last night too and noticed a few colors were incorrectly mapped. I'll fix it up soon

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: thornmaker
Date: January 27, 2010 10:41AM

http://p42.us/ch8sub2.html <-- This fixes the errors in my previous submission and passes my color-distance validator. File size is 6714. I'll redo the quine method, if the judges say xhr is not allowed.

Image is

[edit:] a couple of other things the judges could clarify:

1. Should the JS execute in multiple browsers?

2. Is it okay for the JS to be fixed to a particular server? If not, it will be hard to get the time in sweden from a server that doesn't allow cross-domain xhr

3. binary content does not display in HTML well and will not render certain parts of the data. is this okay?

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: SW
Date: January 27, 2010 08:45PM

Good questions.

Just to add for the quine:
- is obtaining own source through other js calls allowed? (ie. function me(){document.write(me); ...)}
- is using eval allowed?

For the time I guess we can assume it's hosted on OWASP server which sends the right time?

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: thornmaker
Date: January 27, 2010 10:50PM

http://p42.us/ch8sub3.html <!--- same as before, but optimized the GIF image size some and trimmed down the JS code a bit too. File size is now 6474 bytes.

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: SW
Date: January 28, 2010 12:29AM

Here is my new one.

Demo:
http://discogscounter.getfreehosting.co.uk/polyglot.html

Image:
http://discogscounter.getfreehosting.co.uk/owaspc8sw.gif

Sized: 6106 bytes :P

Notes:
- Runs & displays on IE(7) and FF(3.5).
- Doesn't exactly display source code (omits the value of unused string of binary).
- Uses eval to display source, not sure if it's allowed.

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: holiman
Date: January 28, 2010 09:13AM

Sorry we haven't answered the questions earlier, I have some problems connecting to *.ckers.org from home (for some reason, I need to tunnel somewhere else and connect from there - perhaps my isp is blocking it) .

1. Should the JS execute in multiple browsers?
FF is the target. We will only validate that it works on FF, but bonus points if the solution is poly-browser.

2. Is it okay for the JS to be fixed to a particular server? If not, it will be hard to get the time in sweden from a server that doesn't allow cross-domain xhr
That is okay. But again, if anyone comes up with a solution that works without it, that is better.

3. binary content does not display in HTML well and will not render certain parts of the data. is this okay?
Not until now did I realise something I should have understood a while ago... Instead of displaying the data and binary on page, it is preferable to show it in an alert. That explains my earlier comment about how I didn't see the quine by SW. Sorry, my bad.

4 is obtaining own source through other js calls allowed? (ie. function me(){document.write(me); ...)}
Yes. However, the original idea with the quine was to display *all* code, not just one function. To clarify : We want the whole source and nothing but the source (i.e : including GIF-data).

5 is using eval allowed?
Yes.

You guys rock!

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: holiman
Date: January 28, 2010 09:23AM

I validated both your latest submissions, the colours passed the test. You both got the size down quite a bit!

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: thornmaker
Date: January 28, 2010 10:27AM

can you clarify whether xhr is allowed to fulfill the quine requirement?

For the time in Sweden part, which is preferred: hard-coding a server into the GIF so the image itself is more portable... or... not hard-coding any domain so that the image assumes the present server will have the time in some manner? The second option seems less reliable since hosting server may not have the time in the expected format, for example.

Will "points" be awarded for implementing features not mentioned in the original rules?

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: SW
Date: January 28, 2010 12:46PM

holiman Wrote:
-------------------------------------------------------
> Sorry we haven't answered the questions earlier, I
> have some problems connecting to *.ckers.org from
> home (for some reason, I need to tunnel somewhere
> else and connect from there - perhaps my isp is
> blocking it) .

Me too. O_o


> 4 is obtaining own source through other js calls allowed? (ie. function me(){document.write(me); ...)}
> Yes. However, the original idea with the quine was to display *all* code, not just one function. To clarify : We want the whole source and nothing but the source (i.e : including GIF-data).

If all source is put into 1 function, then write("GIF89a:;"+me+"me();") will write all unless you want the image data that's been commented out included as "source code"?

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: sirdarckcat
Date: January 28, 2010 08:03PM

> unless you want the image data that's been commented out
I think he said so:
> We want the whole source and nothing but the source (i.e : including GIF-data).

lol, I was mistaken.. this challenge is fun

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
