Re: OWASP Challenge 8: Construct a polyglot!
Posted by: holiman
Date: January 29, 2010 02:02AM

> can you clarify whether xhr is allowed to fulfill the quine requirement?

Yes, xhr is allowed!

>For the time in Sweden part, which is preferred: hard-coding a server into the GIF so the image itself is more portable... or... not hard-coding any domain so that the image assumes the present server will have the time in some manner? The second option seems less reliable since hosting server may not have the time in the expected format, for example.

I'll get back to you on that one... Need to confer...


>If all source is put into 1 function, then write("GIF89a:;"+me+"me();") will write all unless you want the image data that's been commented out included as "source code"?

We do. Putting everything into one function would make the quine-part trivial, but we want to see *all* data that we would see if we opened the .gif in an editor. So I suspect that the trivial approach is very tricky :) (I would not dare to say it was impossible, I have been surprised here before)

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: holiman
Date: January 29, 2010 03:28AM

Regarding the time issue, after some input from John, we decided that the solution should not be tied to any particular server (since it should be able to be used in any context as a showcase). So, the JavaScript should get the time from the client machine and calculate Stockholm time from that (best-effort).

Sorry about all the confusion about the rules!

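The revised rule above (take the time from the client machine and work out Stockholm time from it) could be implemented as follows. This is an added example, not code from the thread or from any contest entry; the function names are hypothetical, and it assumes the EU daylight-saving rule that Sweden follows.

```javascript
// Added example: best-effort Stockholm wall-clock time from the client's clock.
// Sweden uses CET (UTC+1), and CEST (UTC+2) from the last Sunday of March
// at 01:00 UTC until the last Sunday of October at 01:00 UTC.

// Millisecond timestamp of 01:00 UTC on the last Sunday of a month (month is 0-based).
function lastSundayUtc(year, month) {
  const d = new Date(Date.UTC(year, month + 1, 0, 1, 0, 0)); // day 0 = last day of `month`
  d.setUTCDate(d.getUTCDate() - d.getUTCDay());              // step back to Sunday
  return d.getTime();
}

// 2 while daylight-saving time is in force, otherwise 1.
function stockholmOffsetHours(date) {
  const year = date.getUTCFullYear();
  const t = date.getTime();
  return t >= lastSundayUtc(year, 2) && t < lastSundayUtc(year, 9) ? 2 : 1;
}

// A Date holds UTC milliseconds, so the client's own time zone never enters
// the calculation; only a wrong client clock skews the result (best effort).
function stockholmTime(date = new Date()) {
  const s = new Date(date.getTime() + stockholmOffsetHours(date) * 3600 * 1000);
  const p = (n) => String(n).padStart(2, '0');
  return `${s.getUTCFullYear()}-${p(s.getUTCMonth() + 1)}-${p(s.getUTCDate())} ` +
         `${p(s.getUTCHours())}:${p(s.getUTCMinutes())}`;
}

// In a browser, the challenge's "once every minute" alert would be:
//   setInterval(() => alert(stockholmTime()), 60 * 1000);
```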
Re: OWASP Challenge 8: Construct a polyglot!
Posted by: sirdarckcat
Date: January 29, 2010 03:59AM

> the javascript should get the time from the client machine

> alert(the result from an ajax request that fetches the current time in Stockholm, once every minute);

what's the ajax request for?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: holiman
Date: January 29, 2010 09:45AM

@sirdarckcat: very good question. When that particular challenge-item was written, nobody really considered the domain aspects of xhr. Therefore, we are now changing that rule to better suit the overall objective of getting a polyglot that is less context-dependent.

To all: Our sincere apologies for having fuzzy rules and also changing the rules in the middle of the race! Hope you bear with us... Again, sorry about all this hassle.

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: sirdarckcat
Date: January 29, 2010 10:29AM

naaaaaaaaaah it's ok.. I regret my comment, the chall is quite fun! even if I'm not participating, I just think that it's interesting.. at least the quine part!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: Gareth Heyes
Date: January 29, 2010 10:36AM

Yeah, seems quite fun, if not my cup of tea. Anyway, has anyone thought about using:

data:image/gif, ?

Then using alert(location) to obtain the source code, just a thought :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: SW
Date: January 29, 2010 11:58AM

Thanx for clarification even though it means re-doing it again!

Here you have your choice:

Browser compatible version that doesn't show all the binary:
http://discogscounter.getfreehosting.co.uk/owaspc8.html [6096b]

FF only version that alerts full source:
http://discogscounter.getfreehosting.co.uk/owaspc8ff-al.html [6138b]
(source a bit too long for the alert box)

FF only version that writes full source:
http://discogscounter.getfreehosting.co.uk/owaspc8ff-wr.html [6142b]

XHR for the quine requirement I don't think is helpful, because if the image is hosted on a different domain it won't work.

It will be interesting if there is a cross-browser solution.



Edited 3 time(s). Last edit at 01/29/2010 01:27PM by SW.

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: thornmaker
Date: January 29, 2010 06:26PM

here's a fun triglot: HTML, JS, and a GIF... all in one. The HTML embeds itself as an image and as the src to a script tag. I haven't checked, but it should be a valid contest entry too.

http://p42.us/t.html

[edit]: okay, this actually uses the fact that it's html to do the quine part, without XHR. so it's not just a cute gimmick anymore :) http://p42.us/u.html


triglots ftw!

[edit 2]: okay, this is just too much fun: http://p42.us/x.html

I got rid of any references to the file name itself so it's more portable. the only external dependency now is the xhr to get the time. maybe one of the judges can just host this file somewhere (with the correct TZ adjustment):
<?php
print strftime('%c',time()+8*3600);
?>


btw, my home server is blocked from sla.ckers too. I don't know for how long since I normally ssh tunnel in anyhow.



Edited 4 time(s). Last edit at 01/30/2010 09:35AM by thornmaker.

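From the defender's side, files like the ones in this thread are a reason not to trust a GIF signature alone when accepting uploads. The following is an added example, not code from the thread: a Node.js check (function and sample names are hypothetical) that walks the GIF block structure and rejects anything that does not end cleanly at the trailer.

```javascript
// Added example: strict GIF block walk for an upload check (Node.js).
function skipSubBlocks(buf, pos) {
  while (pos < buf.length) {
    const size = buf[pos++];
    if (size === 0) return pos;            // block terminator
    pos += size;
  }
  return -1;                               // ran off the end of the file
}

function inspectGif(buf) {
  const magic = buf.toString('latin1', 0, 6);
  if (magic !== 'GIF87a' && magic !== 'GIF89a') return { verdict: 'not-gif' };
  if (buf.length < 13) return { verdict: 'malformed', offset: buf.length };
  let pos = 13;                            // 6-byte signature + 7-byte screen descriptor
  if (buf[10] & 0x80) pos += 3 * (2 << (buf[10] & 7));     // global colour table
  while (pos >= 0 && pos < buf.length) {
    const start = pos;
    const tag = buf[pos++];
    if (tag === 0x3b) {                    // trailer: nothing may follow it
      const trailing = buf.length - pos;
      return trailing ? { verdict: 'trailing-data', trailing } : { verdict: 'ok' };
    } else if (tag === 0x21) {             // extension: label byte, then sub-blocks
      pos = skipSubBlocks(buf, pos + 1);
    } else if (tag === 0x2c) {             // image descriptor (9 bytes) + LZW data
      if (pos + 9 >= buf.length) return { verdict: 'malformed', offset: start };
      const packed = buf[pos + 8];
      pos += 9;
      if (packed & 0x80) pos += 3 * (2 << (packed & 7));   // local colour table
      pos = skipSubBlocks(buf, pos + 1);   // skip the LZW minimum code size byte
    } else {
      return { verdict: 'malformed', offset: start };      // not a GIF block
    }
  }
  return { verdict: 'malformed', offset: buf.length };     // no trailer found
}

// Constructed samples: a minimal 1x1 GIF, text that reuses the "GIF89a:;"
// prefix quoted in the thread, and the valid GIF with bytes appended.
const VALID_GIF = Buffer.from(
  '47494638396101000100800000ffffff000000' + '21f9040100000000' +
  '2c00000000010001000002024401003b', 'hex');
const TEXT_AFTER_MAGIC = Buffer.from('GIF89a:;/* constructed placeholder text */', 'latin1');
const WITH_TRAILING_DATA = Buffer.concat([VALID_GIF, Buffer.from('extra')]);
```

A polyglot that keeps its block structure intact still passes this walk, so pair it with re-encoding uploads and serving them with a fixed Content-Type plus X-Content-Type-Options: nosniff.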
Re: OWASP Challenge 8: Construct a polyglot!
Posted by: thrill
Date: January 29, 2010 10:59PM

if you all stop trying to log in as admin maybe you'd stop getting blocked. :)

PM id with your IP addresses, social security and bank account information, he'll unblock you on the firewall.. eventually..

[edit] P.S. thornmaker.. you worry me.. heh..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 01/29/2010 11:00PM by thrill.

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: thornmaker
Date: January 30, 2010 10:47AM

i couldn't get a reference to document.body like i thought, so I've reverted back to XHR. but because it's also valid html, I can still use # as a reference to the file, so that lets me avoid hard coding a reference to the file. so this should still work on any server. I also just noticed that the rules for alerting the time in Sweden changed, so this one now gets it from the client --> http://p42.us/v.html

[edit]: @SW If I'm not mistaken, we should alert the source code now, rather than writing it to the page. I like your quine method too.

[edit 2]: sdc pointed me towards document.documentElement which lets me access the source code with document.documentElement.lastChild so this one uses that for the quine. I don't even know if these are valid for the contest, but they're fun still :) --> http://p42.us/w.html



Edited 5 time(s). Last edit at 01/31/2010 05:01PM by thornmaker.

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: ManJIT
Date: February 22, 2010 04:05PM

Hi all!

Long time no message. But the judges of the OWASP AppSec Research 2010 OC have decided to give first prize to Thornmaker.

This really was a nice compo. And I will use the polyglot to demo stuff. With due credit of course.

Congratulations on winning a free ticket, Thornmaker. See you at the conference this summer!
http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden

Re: OWASP Challenge 8: Construct a polyglot!
Posted by: sirdarckcat
Date: February 24, 2010 12:28AM

congrats dude :D

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
