Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
IE 8+ single input reflective vector
Posted by: asilvermtzion
Date: September 17, 2012 05:10PM

Bit of a long shot, but wondering if something like this is possible?

I want to build an attack which doesn't require clickjacking or similar, but IE seems to have a solid filter in place (both on the URI and the response body). Am I out of luck? I've tried all variations listed on html5sec.org and to my amazement M$ seems to have patched them all.

Re: IE 8+ single input reflective vector
Posted by: Albino
Date: September 18, 2012 02:31AM

When I encountered it ~1 year ago this worked: http://nomoreroot.blogspot.co.uk/2008/08/ie8-xss-filter.html

-------------------------------------------------------
Research blog

Re: IE 8+ single input reflective vector
Posted by: asilvermtzion
Date: September 18, 2012 02:50AM

Albino Wrote:
-------------------------------------------------------
> When I encountered it ~1 year ago this worked:
> http://nomoreroot.blogspot.co.uk/2008/08/ie8-xss-filter.html

Thanks Albino, yes, that still works I believe, but as a two-stage attack it naturally requires user interaction, or clickjacking, which I would like to avoid.

I've been trying variants for the last 10 hours with no luck yet :(

Did see an interesting paper by sirdarckcat (http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf) but it's a little tricky to pull off.

Re: IE 8+ single input reflective vector
Posted by: Gareth Heyes
Date: September 18, 2012 04:12AM

Two-stage attack is lame =) try harder.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: IE 8+ single input reflective vector
Posted by: asilvermtzion
Date: September 18, 2012 06:00AM

Gareth Heyes Wrote:
-------------------------------------------------------
> Two-stage attack is lame =) try harder.

The filter just seems to be ridiculously punitive. I have found a few vectors which beat the initial URI matching but not the second match routine after parsing; it seems to make encoding tricks obsolete.

I thought I was getting somewhere by using the &colon; XML entity within an <svg><style> block, which passed through unmolested (I was able to set a background image, for example), until I tried the various ways of gaining execution inside CSS, all of which were filtered out irrespective of encoding.

I could use a hint ;_; will not give up though!

Edited 2 time(s). Last edit at 09/18/2012 06:13AM by asilvermtzion.
