IE only

[demo.php-ids.org]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 08/01/2009 05:14AM by Gareth Heyes.

1' and 0x1abc like 0x88 or '1
1' and 0x1abc like 0x88 or '0

Thx guys! Fixes will be done coming Wednesday - I will be back @home Tuesday night.

Got it before Mario can fix it (IE only click the links):-
vbs:MsgBox-1

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

:)

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

z



Edited 3 time(s). Last edit at 10/16/2009 02:10AM by philip_clarke.

philip_clarke Wrote:
-------------------------------------------------------
> To be effective against this type of vector,
> PHP-IDS etc.. now needs to take into account all
> of the libraries methods and constructs such as
> jQuery, mootools etc...

Not necessarily...
Did you try to use that vector cross-site with NoScript installed?
e.g. http://noscript.net/?p='%27%2CjQuery%28%22.fred%22%29.html%28%2F%40thrill+you+have+community+work+to+do%2F%2B%2F+%26+%40sirdarckcat+I+would+not+stoop%2F%29%3B%27a ?
:)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

we



Edited 2 time(s). Last edit at 10/16/2009 03:45AM by philip_clarke.

> if you are going to attempt to show off sirdarckcat you may want to use a vector that passes through php-ids

lol, that's possible, but I'm not in the mood to bypass those.. I will now declare that I have an imaginary potential (and copyrighted under imaginary laws) bypass and I can also make it evade noscript (in what you failed.).

The fact that I can find such bypass (even if I havent) can be confirmed by .mario & ma1, (I dont even need to find it, they trust I can).

Anyway, I congratulate you for finding a bypass on PHPIDS, hopefully you can reduce those 3 hours for the next time, since thats way too slow.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

f



Edited 2 time(s). Last edit at 10/16/2009 03:45AM by philip_clarke.

Quote

... , admit that I have found a ...

I dont like to repeat myself..

Quote

Anyway, I congratulate you for finding a bypass on PHPIDS

About 3 hours, the clock is ticking

Quote

that's possible, but I'm not in the mood

anyhow, my last noscript bypass tooked 15 minutes, I did it for XCon in beijing :P

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 09/06/2009 08:13AM by sirdarckcat.

Fixed the issue:

https://trac.php-ids.org/index.fcgi/changeset/1324

v



Edited 1 time(s). Last edit at 10/16/2009 03:45AM by philip_clarke.

f



Edited 1 time(s). Last edit at 10/16/2009 03:46AM by philip_clarke.

e



Edited 2 time(s). Last edit at 10/16/2009 03:46AM by philip_clarke.

df



Edited 1 time(s). Last edit at 10/16/2009 03:47AM by philip_clarke.

NoScript's anti-XSS protection is not triggered because you're attacking the mysql site from the mysql site itself, i.e. this is not cross-site scripting.

Just follow the malicious link from ha.ckers.org or any other domain different than mysql, and you'll see NoScript screaming and killing.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 09/06/2009 06:20PM by ma1.

j



Edited 1 time(s). Last edit at 10/16/2009 03:47AM by philip_clarke.

n



Edited 1 time(s). Last edit at 10/16/2009 03:35AM by philip_clarke.

j



Edited 1 time(s). Last edit at 10/16/2009 03:35AM by philip_clarke.

try this:

http://www.google.com/xss?attack=<form>

You need to have your "victim" whitelisted, but with <form <meta <style etc.. it triggers either way.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

c



Edited 2 time(s). Last edit at 10/16/2009 03:35AM by philip_clarke.

@philip_clarke:
NoScript by default is tuned to check for injections only when it's necessary, i.e.:

1. The request must be cross-site (this can be overridden by setting noscript.injectionCheck to 3, which will cause NoScript to check every request, even same-site)

2. The target site must be Javascript-enabled (XSS won't work anyway if it's not). Of course, some "dangerous" HTML injections are checked also if the target is not Javascript-enabled yet, as sirdarckcat showed you, and if you allow the site after the request it gets checked during the reload.

3. The target site must not match any of the exceptions listed in NoScript Options|Advanced|XSS. This includes by default Google Search, Yahoo! Search and Wikipedia articles, because they're likely to contain sensible patterns, (especially if user is a coder), but are proven to be safe. Of course you can remove them, if you feel like that.


All the cases you reported as false negative were either same-site (not XSS) or non-whitelisted target (injection won't run).
The noscript.net site triggers because it's included in the default whitelist shipping with NoScript, therefore if it was vulnerable it would need to be protected.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

k



Edited 1 time(s). Last edit at 10/16/2009 02:11AM by philip_clarke.

philip_clarke Wrote:
-------------------------------------------------------
>isn't that then a partial implementation then
> [...]
> How far does "the trust
> go ?", doesn't trust html vectors but does trust
> script based vectors ?

I'm not sure about what you mean exactly.
NoScript features a full (not partial) anti-XSS protection against type 0 and type 1 XSS.
Since XSS means "cross-site scripting", there's no reason to check same-site requests or requests landing on sites where scripting is not allowed (and where the attack is doomed to fail anyway).

However NoScript goes beyond this, by checking HTML injections (e.g. <form>, <meta> or <style> which can be used for scriptless phishing purposes) on sites where scripting is not allowed, and by giving users the option to check also same-site requests.

Therefore, rather than "partial", I'd say this is a complete implementation with extras...

Am I missing something?

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Using javascript from a site itself has been done long time ago, I wrote about it too, plus YouTube was vulnerable 2 years ago to this. Reported, got fixed. That's about it, nothing new, nothing exotic, nothing to protect other than fixing bugs by those who program the damn thing.

@



Edited 3 time(s). Last edit at 10/16/2009 02:10AM by philip_clarke.

It's Heyes :)

q



Edited 1 time(s). Last edit at 10/16/2009 02:08AM by philip_clarke.

And what does this thread, like your other phpids thread, have to do with obfuscation???

EDIT: Someone was nice enough to merge the other threads created by <insert moronic name here> into the PHP-IDS thread. Danke for doing so!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 09/08/2009 01:21AM by thrill.