Re: PHPIDS (0.6 - the ABP unblock release to show our good will :) )
Posted by: Gareth Heyes
Date: August 01, 2009 05:13AM

IE only

[demo.php-ids.org]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 08/01/2009 05:14AM by Gareth Heyes.

Re: PHPIDS (0.6 - the ABP unblock release to show our good will :) )
Posted by: lightos
Date: August 03, 2009 07:34AM

1' and 0x1abc like 0x88 or '1
1' and 0x1abc like 0x88 or '0

Re: PHPIDS (0.6 - the ABP unblock release to show our good will :) )
Posted by: Anonymous User
Date: August 08, 2009 01:29PM

Thx guys! Fixes will be done coming Wednesday - I will be back @home Tuesday night.

Re: PHPIDS (0.6 - the ABP unblock release to show our good will :) )
Posted by: Gareth Heyes
Date: August 11, 2009 07:49AM

Got it before Mario can fix it (IE only, click the links):
vbs:MsgBox-1

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

philip_clarke php-ids threads
Posted by: sirdarckcat
Date: September 08, 2009 12:55AM

:)

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

i
Posted by: Anonymous User
Date: September 05, 2009 09:43PM

z



Edited 3 time(s). Last edit at 10/16/2009 02:10AM by philip_clarke.

Re: phpids evasion
Posted by: ma1
Date: September 06, 2009 04:29AM

philip_clarke Wrote:
-------------------------------------------------------
> To be effective against this type of vector,
> PHP-IDS etc.. now needs to take into account all
> of the libraries methods and constructs such as
> jQuery, mootools etc...

Not necessarily...
Did you try to use that vector cross-site with NoScript installed?
e.g. http://noscript.net/?p='%27%2CjQuery%28%22.fred%22%29.html%28%2F%40thrill+you+have+community+work+to+do%2F%2B%2F+%26+%40sirdarckcat+I+would+not+stoop%2F%29%3B%27a ?
:)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

s
Posted by: Anonymous User
Date: September 06, 2009 04:46AM

we



Edited 2 time(s). Last edit at 10/16/2009 03:45AM by philip_clarke.

Re: phpids evasion
Posted by: sirdarckcat
Date: September 06, 2009 07:22AM

> if you are going to attempt to show off sirdarckcat you may want to use a vector that passes through php-ids

lol, that's possible, but I'm not in the mood to bypass those... I will now declare that I have an imaginary potential (and copyrighted under imaginary laws) bypass, and I can also make it evade NoScript (which you failed to do).

The fact that I can find such a bypass (even if I haven't) can be confirmed by .mario & ma1 (I don't even need to find it; they trust I can).

Anyway, I congratulate you for finding a bypass on PHPIDS; hopefully you can reduce those 3 hours for the next time, since that's way too slow.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

d
Posted by: Anonymous User
Date: September 06, 2009 07:44AM

f



Edited 2 time(s). Last edit at 10/16/2009 03:45AM by philip_clarke.

Re: phpids evasion
Posted by: sirdarckcat
Date: September 06, 2009 08:11AM

> ... , admit that I have found a ...

I don't like to repeat myself...

> Anyway, I congratulate you for finding a bypass on PHPIDS

About 3 hours, the clock is ticking.

> that's possible, but I'm not in the mood

Anyhow, my last NoScript bypass took 15 minutes; I did it for XCon in Beijing :P

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 09/06/2009 08:13AM by sirdarckcat.

Re: phpids evasion
Posted by: Anonymous User
Date: September 06, 2009 09:03AM

Fixed the issue:

https://trac.php-ids.org/index.fcgi/changeset/1324

s
Posted by: Anonymous User
Date: September 06, 2009 12:29PM

v



Edited 1 time(s). Last edit at 10/16/2009 03:45AM by philip_clarke.

i
Posted by: Anonymous User
Date: September 06, 2009 01:01PM

f



Edited 1 time(s). Last edit at 10/16/2009 03:46AM by philip_clarke.

l
Posted by: Anonymous User
Date: September 06, 2009 01:21PM

e



Edited 2 time(s). Last edit at 10/16/2009 03:46AM by philip_clarke.

n
Posted by: Anonymous User
Date: September 06, 2009 05:52PM

df



Edited 1 time(s). Last edit at 10/16/2009 03:47AM by philip_clarke.

Re: phpids evasion
Posted by: ma1
Date: September 06, 2009 06:19PM

NoScript's anti-XSS protection is not triggered because you're attacking the mysql site from the mysql site itself, i.e. this is not cross-site scripting.

Just follow the malicious link from ha.ckers.org or any other domain different than mysql, and you'll see NoScript screaming and killing.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 09/06/2009 06:20PM by ma1.

e
Posted by: Anonymous User
Date: September 06, 2009 07:25PM

j



Edited 1 time(s). Last edit at 10/16/2009 03:47AM by philip_clarke.

s
Posted by: Anonymous User
Date: September 06, 2009 07:31PM

n



Edited 1 time(s). Last edit at 10/16/2009 03:35AM by philip_clarke.

o
Posted by: Anonymous User
Date: September 06, 2009 07:40PM

j



Edited 1 time(s). Last edit at 10/16/2009 03:35AM by philip_clarke.

Re: phpids evasion
Posted by: sirdarckcat
Date: September 06, 2009 10:56PM

try this:

http://www.google.com/xss?attack=<form>

You need to have your "victim" whitelisted, but with <form <meta <style etc.. it triggers either way.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

d
Posted by: Anonymous User
Date: September 07, 2009 01:27AM

c



Edited 2 time(s). Last edit at 10/16/2009 03:35AM by philip_clarke.

Re: phpids evasion
Posted by: ma1
Date: September 07, 2009 01:54AM

@philip_clarke:
NoScript by default is tuned to check for injections only when it's necessary, i.e.:

1. The request must be cross-site (this can be overridden by setting noscript.injectionCheck to 3, which will cause NoScript to check every request, even same-site)

2. The target site must be Javascript-enabled (XSS won't work anyway if it's not). Of course, some "dangerous" HTML injections are checked also if the target is not Javascript-enabled yet, as sirdarckcat showed you, and if you allow the site after the request it gets checked during the reload.

3. The target site must not match any of the exceptions listed in NoScript Options|Advanced|XSS. This includes by default Google Search, Yahoo! Search and Wikipedia articles, because they're likely to contain sensible patterns (especially if the user is a coder) but are proven to be safe. Of course you can remove them, if you feel like that.


All the cases you reported as false negatives were either same-site (not XSS) or a non-whitelisted target (injection won't run).
The noscript.net site triggers because it's included in the default whitelist shipping with NoScript; therefore, if it was vulnerable, it would need to be protected.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

o
Posted by: Anonymous User
Date: September 07, 2009 03:12AM

k



Edited 1 time(s). Last edit at 10/16/2009 02:11AM by philip_clarke.

Re: phpids evasion
Posted by: ma1
Date: September 07, 2009 07:49AM

philip_clarke Wrote:
-------------------------------------------------------
>isn't that then a partial implementation then
> [...]
> How far does "the trust
> go ?", doesn't trust html vectors but does trust
> script based vectors ?

I'm not sure about what you mean exactly.
NoScript features a full (not partial) anti-XSS protection against type 0 and type 1 XSS.
Since XSS means "cross-site scripting", there's no reason to check same-site requests or requests landing on sites where scripting is not allowed (and where the attack is doomed to fail anyway).

However NoScript goes beyond this, by checking HTML injections (e.g. <form>, <meta> or <style> which can be used for scriptless phishing purposes) on sites where scripting is not allowed, and by giving users the option to check also same-site requests.

Therefore, rather than "partial", I'd say this is a complete implementation with extras...

Am I missing something?

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

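To make the decision rules ma1 describes in the two posts above concrete (the three conditions, the noscript.injectionCheck=3 override, and the HTML-injection check on sites where scripting is blocked), here is an added model in Python; it is not NoScript's own code, and the exception URL patterns, the hostname-based notion of "same-site", and treating a missing referrer as cross-site are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Value of noscript.injectionCheck at which every request is checked, even
# same-site (from the post above); other values are assumed to keep the default.
CHECK_ALL_REQUESTS = 3

# XSS exceptions named in the post: Google Search, Yahoo! Search, Wikipedia
# articles.  The patterns themselves are constructed approximations.
DEFAULT_EXCEPTIONS = (
    r"^https?://www\.google\.com/search\?",
    r"^https?://search\.yahoo\.com/search\?",
    r"^https?://[a-z]+\.wikipedia\.org/wiki/",
)

# Scriptless HTML injections that are checked even where scripting is blocked.
HTML_INJECTION = re.compile(r"<\s*(form|meta|style)\b", re.IGNORECASE)


def host(url):
    """Hostname of a URL, or None for an absent referrer (assumed cross-site)."""
    return urlparse(url).hostname if url else None


def should_check(referrer, target, js_allowed, injection_check=1,
                 exceptions=DEFAULT_EXCEPTIONS):
    """Decide whether a navigation to `target` gets the anti-XSS filter.

    Returns (check, reason).  Same-site is approximated by comparing
    hostnames; NoScript's real site matching is broader than this."""
    # Rule 1: a same-site request is not cross-site scripting; skip it
    # unless injectionCheck has been raised to 3.
    if host(referrer) == host(target) and injection_check < CHECK_ALL_REQUESTS:
        return False, "same-site request, not XSS"
    # Rule 3: sites on the exception list are trusted to carry
    # suspicious-looking query strings (search engines, wiki articles).
    if any(re.match(p, target) for p in exceptions):
        return False, "target is an XSS exception"
    # Rule 2: scripting is enabled on the target, so an injection could run.
    if js_allowed:
        return True, "cross-site request to a script-enabled site"
    # Extra: scriptless HTML injection is still checked on blocked sites.
    if HTML_INJECTION.search(unquote(target)):
        return True, "HTML injection on a non-whitelisted site"
    return False, "scripting blocked on target, injection would not run"
```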
Re: phpids evasion
Posted by: rvdh
Date: September 07, 2009 08:00AM

Using JavaScript from a site itself has been done a long time ago; I wrote about it too, plus YouTube was vulnerable to this 2 years ago. Reported, got fixed. That's about it: nothing new, nothing exotic, nothing to protect other than fixing bugs by those who program the damn thing.

2
Posted by: Anonymous User
Date: September 07, 2009 10:11AM

@



Edited 3 time(s). Last edit at 10/16/2009 02:10AM by philip_clarke.

Re: phpids evasion
Posted by: Anonymous User
Date: September 07, 2009 06:23PM

It's Heyes :)

j
Posted by: Anonymous User
Date: September 07, 2009 06:24PM

q



Edited 1 time(s). Last edit at 10/16/2009 02:08AM by philip_clarke.

Re: phpids bypass using yui
Posted by: thrill
Date: September 07, 2009 11:17PM

And what does this thread, like your other phpids thread, have to do with obfuscation???

EDIT: Someone was nice enough to merge the other threads created by <insert moronic name here> into the PHP-IDS thread. Danke for doing so!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 09/08/2009 01:21AM by thrill.
