Sla.ckers.org
The ha.ckers.org and sla.ckers.org web application security lab house rules and a place for you to introduce yourself if you like. 

Results 1 - 19 of 19
4 years ago
lat
I have a web page that allows me to inject arbitrary unfiltered payloads within <script> tags but only after the following javascript statements: <script type="text/javascript"> <!-- document.body.innerHTML = window.opener.document.body.innerHTML; copyValues(window.opener.document, document); addInWindowToAction(document.forms[0]) document.forms[0].__EVENTTARGET.value
Forum: XSS Info
4 years ago
lat
svn checkout http://attackapi.googlecode.com/svn/trunk/ attackapi-read-only
Forum: XSS Info
4 years ago
lat
I'm aware of the Java method, and decloak.net uses that too. I want to use decloak.net as it seems to be the most comprehensive. My only question is, how I can include that as part of my demo payload.
Forum: CSRF and Session Info
4 years ago
lat
I want to use http://decloak.net/decloak.html in my XSS payload to extract the victim's internal IP. How can I include that script in the payload, via an iframe for example, then extract the results URL to send back to me?
Forum: CSRF and Session Info
5 years ago
lat
I came across the following Java class that allows you to enumerate the internal IP on IE. http://reglos.de/myaddress/MyAddress.html In FF, I can use JavaScript to create a java.net.Socket and get the internal IP, but that method does not work in IE. The source for the class is not available, any ideas on how this is done in Java? - lat
Forum: Privacy
5 years ago
lat
Except that IE returns a generic 400 error message and not the actual server response.
Forum: XSS Info
5 years ago
lat
I have an app that returns unsanitised payloads in its 400 error message. The only problem is when I send a request like /blah?<script>alert(1)</script> the <> tags get encoded by the browser and the app doesn't decode them back in the error message. If I send the request via telnet or a proxy, the payload is returned untouched. Is it possible to exploit this?
Forum: XSS Info
5 years ago
lat
Semicolons are filtered as well. Is there a way to substitute the semicolon in the moz-binding or DIV expression and still have the payload work?
Forum: XSS Info
5 years ago
lat
I have an app that filters on the < and > symbols but otherwise injects everything else into the value of a <input type=hidden> field. To demonstrate the issue, I thought of injecting an onevent handler, but suspect that this might not work because the input field type is hidden. Is it indeed possible to exploit this? How?
Forum: XSS Info
5 years ago
lat
The app I'm testing has a script that echoes a parameter unfiltered within its response. The thing is, the server response has the Content-Type set to application/x-javascript. Is it possible to exploit the script under this scenario?
Forum: XSS Info
5 years ago
lat
As someone who does not yet own a smart phone, what risks are unique to browsing the web through one of these devices?
Forum: Wireless Security
5 years ago
lat
Back in the days of FF1 and FF2, you could enumerate whether a user was logged into various sites by including certain pages within <script src> tags and monitoring the JavaScript error produced, as in http://ha.ckers.org/weird/javascript-website-login-checker.html Are there any techniques available to do the same in FF3 and IE7?
Forum: XSS Info
5 years ago
lat
Thanks for the links. I checked them out and have learned a lot. At this point I'm stuck on the following function from AttackAPI. I can't find any reference to the onfound method in any JavaScript documentation. Can someone explain to me what the 'check' function does? Thanks AttackAPI.dom.scanExtensions = function (scan) { var signatures = (scan.signatures != undefined)?scan.signatures:A
Forum: Intro
5 years ago
lat
I'd like to launch calc.exe for a PoC demonstrating XSS. According to https://developer.mozilla.org/En/Code_snippets:Running_applications I should be able to inject something like the following to launch calc.exe via Firefox on WinXP: <script> run calc.exe var file = Components.classes["@mozilla.org/file/local;1"] .createInstance(Components.interfaces.nsI
Forum: XSS Info
5 years ago
lat
Are there any techniques to remotely bypass the browser port restrictions (i.e. that restrict the browser from sending requests to say TCP port 25) that still work on recent IE, FF or Opera browsers?
Forum: CSRF and Session Info
5 years ago
lat
Thanks, just a thought: if I used frames, would that stop someone from being able to view sensitive data by pressing the back button?
Forum: CSRF and Session Info
5 years ago
lat
Caching
I'm looking for ways to force browsers not to cache data. I've included the following header in both HTTP and HTTPS server responses: Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate but after I browse away and log off from the app (but do not close the browser), I can still press the back button on the browser (tested on Opera 9.10 and iceweasel 2.0) or set the browser i
Forum: CSRF and Session Info
5 years ago
lat
My initial thinking was:
o I'd like to understand how you guys find those obscure Javascript methods to exploit XSS
o I'd like to understand how XSS can be used to install malware on a machine. I understand how you could force a download, but not how you would force an installation.
o I'd like to get involved with the AttackAPI project, which is written in Javascript (yet the source nee
Forum: Intro
5 years ago
lat
I'm not sure which forum this fits into best, but I'm looking for suggestions of good resources / books to learn Javascript.
Forum: Intro