Re: Hacking noscript
Posted by: Gareth Heyes
Date: January 16, 2008 04:17AM

0X can bypass NoScript XSS protection:
http://demo.phpids.org/?test=0X%20%26%20alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Hacking noscript
Posted by: ma1
Date: January 16, 2008 07:57AM

it could (for very simple and likely innocuous vectors), but it cannot anymore ;)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Hacking noscript
Posted by: Gareth Heyes
Date: January 16, 2008 12:25PM

@ma1

Wow super fast fix! :)


Re: Hacking noscript
Posted by: sirdarckcat
Date: June 16, 2008 04:02AM

Ah! hacking noscript?

that's easy..
http://trustedsite.com/?xss-inside-script-tag='%2Balert(document.cookie)+//a:1

for example.. (eBay has an XSS issue very similar to the one I'm describing (well, actually, a lot of sites, but eBay rocks))

<script>
var x='<?php echo $_GET['xss']?>';
</script>

But duuuude!! what's happening?

Well, NoScript thinks, that.. "+" is a plus.. but in reality.. "+" is a space, and so..

var x=''+alert(document.cookie) //a:';

is valid js code! (damn, I'm good, 10 minutes to hack NoScript :D)

Greetz!!

PS. It's a joke, NoScript is great :P, and even though I did spend 10 minutes to find the issue, it was because I had this idea for attacking NoScript since a couple of months ago, but I hadn't tested it till today.


but WAIT!!
that's all?

The hell it isn't!! (anyway, this last attack is not so dangerous, since it requires user interaction [enabling javascript on an untrusted domain])

Let's take a look at NoScript's default anti-xss rules:
^http://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?

That means, well.. that:
http://images.google.com/search?asdfasdf=%3Cscript%3E&q=Asdf

Will bypass NoScript (because we all trust google =D), but.. wait.. that's for google domains exclusively right?

Well, wrong!! because, well.. 20 bux, we can get a 3 letter domain http://www.3character.com/recentsales.html

And so do:

http://www.google.xss.com/customcustom%3Fasdf%2F..%2F?some-host-not-checking-for-Host-headers=%3Cscript%3E

Pointing google.xss.com to your router or something.

There's an issue with this last attack.. NoScript does its job, and automatically denies google.xss.com.. anyway, enabling javascript in such a domain (social engineering) would allow the attacker to send evil XSS attacks to your router/intranet/whatever.

Anyway, hacking noscript is fun :D

And in case anyone wondered..

http://search.ebay.com/search/search.dll?_trksid=&satitle=ME+XSS+U&category0=&from=%27%2Balert(document.cookie)%2B%27

And yeah, that's not triggering noscript alarms :D

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 06/16/2008 04:12AM by sirdarckcat.

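The two filter mismatches in the post above, as an added illustration (my own code, not NoScript's): a query string must be decoded with "+" as a space before inspection, and the quoted host allowlist regex also matches an attacker-registrable host such as google.xss.com. The stricter host check and the TRUSTED_HOSTS list are assumptions for illustration, not NoScript's fix.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# NoScript's default anti-XSS allowlist rule exactly as quoted in the post.
GOOGLE_RULE = re.compile(
    r"^http://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?"
)

# Assumed stricter alternative: decide on the parsed host against an explicit
# list of registrable domains instead of on the shape of the URL string.
TRUSTED_HOSTS = ("google.com", "google.co.uk")


def regex_allows(url: str) -> bool:
    """Allowlist decision the quoted regex makes."""
    return GOOGLE_RULE.match(url) is not None


def strict_allows(url: str) -> bool:
    """Accept the trusted domain or a subdomain of it, never a look-alike
    like google.xss.com, whose registrable domain is xss.com."""
    host = urlsplit(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)


def decoded_query_views(url: str) -> tuple[str, str]:
    """Return (plus-kept, plus-as-space) decodings of the query component.
    Browsers and servers use the second form for application/x-www-form-urlencoded
    queries; a filter that only applies the first one inspects a different string."""
    query = urlsplit(url).query
    return unquote(query), unquote_plus(query)


if __name__ == "__main__":
    # Constructed sample URLs: the first is benign, the second is the
    # look-alike host from the post, the third is the post's "+" example.
    for u in ("http://images.google.com/search?q=x",
              "http://www.google.xss.com/custom?q=1"):
        print(u, "regex:", regex_allows(u), "strict:", strict_allows(u))
    print(decoded_query_views(
        "http://trustedsite.com/?xss-inside-script-tag='%2Balert(document.cookie)+//a:1"))
```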
Re: Hacking noscript
Posted by: ma1
Date: June 16, 2008 06:19AM

@sdc:
nice findings, thanks.
Fixes for both on their way :)


Re: Hacking noscript
Posted by: ma1
Date: June 16, 2008 07:32AM

@sdc:

On a side note, your latest search.ebay.com PoC DOES actually trigger NoScript's anti-XSS protection.
But I guess I understand what you're hinting at, and it's scary and brainless (from Ebay) ;)


Re: Hacking noscript
Posted by: ma1
Date: June 16, 2008 09:36AM

FIXED

Now that it's fixed, I'll explain my innuendo about eBay's "scary and brainless" issue, which closely reminds me of last month's Base64 Yahoo one.

Your PoC was

hxxp://search.ebay.com/search/search.dll?_trksid=&satitle=ME+XSS+U&category0=&from=%27%2Balert(document.cookie)%2B%27

and it did not bypass NoScript. I guess you meant to write it in the "mixed plus" form, but this is not.

But here's the truly scary one:

http://search.ebay.com/ME-XSS-U_W0QQfromZQ27Q2balertQ28documentQ2ecookieQ29Q2bQ27

As you can see, ebay uses its own custom "Q-encoding", allowing XSS payloads virtually undetectable to any filter, except NoScript >= 1.6.9.2 ;)

IMPORTANT REQUEST (rules change)
Since as far as I can see NoScript now is actively used by more than 1.5 million users, it would be kind of you if new issues were responsibly disclosed to me before posting them there.
I guarantee to handle them the very same day I read your report and to publish a development build with proper credits, but since one week is probably the minimum user-bearable window for automatic updates on stable releases, a 7 days grace period would be nice as a compromise to avoid an excessively tight update schedule for stable version users.


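A decoder for the eBay "Q-encoding" seen in the PoC above, written here as an added example (not NoScript's or eBay's code) of the normalisation a filter needs before it can inspect such a URL. The grammar is an assumption reconstructed from the post: "_W0QQ" opens the parameter block, "QQ" separates parameters, "Z" separates a name from its value, and "Q" plus two hex digits encodes one byte.

```python
import re

# Assumed grammar (reconstructed from the PoC, not a documented specification).
_BLOCK_START = "_W0QQ"
_PARAM_SEP = "QQ"
_NAME_VALUE_SEP = "Z"
_HEX_ESCAPE = re.compile(r"Q([0-9A-Fa-f]{2})")

# Crude payload hints for the demonstration; a real filter would run its
# full rule set over the decoded values instead.
_XSS_HINT = re.compile(r"""['"<>]|\balert\s*\(|\bdocument\.""")


def q_unescape(token: str) -> str:
    """Replace each Qhh escape with the byte it encodes (Q27 -> ')."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), token)


def q_decode(path: str) -> dict[str, str]:
    """Decode the Q-encoded parameter block of an eBay-style path."""
    params: dict[str, str] = {}
    if _BLOCK_START not in path:
        return params
    block = path.split(_BLOCK_START, 1)[1]
    # Split on separators first: separators are literal Q/Z, while an
    # encoded Q or Z inside a value must appear as Q51 / Q5a.
    for pair in block.split(_PARAM_SEP):
        if not pair:
            continue
        name, _, value = pair.partition(_NAME_VALUE_SEP)
        params[q_unescape(name)] = q_unescape(value)
    return params


def flagged_params(path: str) -> list[str]:
    """Names of decoded parameters whose value looks like script content."""
    return sorted(k for k, v in q_decode(path).items() if _XSS_HINT.search(v))


if __name__ == "__main__":
    # Path from the PoC in the post; the second is a constructed benign path.
    for p in ("/ME-XSS-U_W0QQfromZQ27Q2balertQ28documentQ2ecookieQ29Q2bQ27",
              "/ipod_W0QQfromZR40QQsacatZ-1"):
        print(p, q_decode(p), flagged_params(p))
```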
Re: Hacking noscript
Posted by: Anonymous User
Date: June 16, 2008 11:54AM

Not to forget PHPIDS 0.5 .936 ;)

Principally totally senseless but who knows who else uses this kind of encoding...

Re: Hacking noscript
Posted by: sirdarckcat
Date: June 16, 2008 05:55PM

@ma1:
wait, you told me to report it here :S

Anyway:
Quote

@sdc:

On a side note, your latest search.ebay.com PoC DOES actually trigger NoScript's anti-XSS protection.
But I guess I understand what you're hinting at, and it's scary and brainless (from Ebay) ;)
Ah, that's true :P, I copy-pasted the wrong link hehe.

Adding the QEncoding to the IDSs is like fixing bugs for eBay, instead of them.. anyway :P

I'll mail-report any other issues.

Greetz!!

