Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 

Current Page: 1 of 58
Results 1 - 30 of 1738
9 months ago
Gareth Heyes
@LeverOne Thanks so much, you are an immense help. I'll format the rules and fix them when I get the chance. Once again thank you, you have made mentaljs awesome.
Forum: XSS Info
10 months ago
Gareth Heyes
Hey I've finally managed to do some fixes, fixed that damn attribute attack and the others. Can you break it?? Also do you think the parser itself is unbreakable now? It must be pretty tough to beat now.
Forum: XSS Info
1 year ago
Gareth Heyes
Welcome, read up on the obfuscation section that's a cool place to start.
Forum: Intro
1 year ago
Gareth Heyes
Welcome
Forum: Intro
1 year ago
Gareth Heyes
Ok maybe I'm being stupid but if you verify the origin then how can you be CSRF'd unless it's from the valid server via XHR?
Forum: CSRF and Session Info
1 year ago
Gareth Heyes
Not sure what the problem is here. X-Requested-With is a custom header added by Django; it's possible to set a custom header using a redirect and that was bypassed. If you're using origin then it shouldn't be a problem. If origin isn't set then the request won't happen anyway because it's validated by CORS.
Forum: CSRF and Session Info
1 year ago
Gareth Heyes
Ack. Ugh. I should have set up some tests. I assumed that since the node wasn't actually HTML the attributes wouldn't be affected by DOM clobbering techniques; obviously I was wrong :( I'll have to check it's the real attributes again =)
Forum: XSS Info
1 year ago
Gareth Heyes
Damn. This is tricky. I also need to prevent call/apply too :( document.body.innerHTML='<script> </script>'; x=document.getElementsByTagName('script')[2].cloneNode(); document.body.appendChild.call(x,document.createTextNode('1')); document.body.appendChild.call(x,document.createTextNode('/alert(location)/+0')); document.body.appendChild(x); I need to do the sandbox step just
Forum: XSS Info
1 year ago
Gareth Heyes
My parser waits in fear and anticipation of the great lever one mass pwnage.
Forum: XSS Info
1 year ago
Gareth Heyes
I'm back after a huge delay :) if you are still interested in the project I've rewritten a lot of the parser to be much faster. I've removed browser syntax verification because chrome is fucked. Here's an exploit using the chrome bug which I fixed: Function("/*", "*/){},alert(location),function(){") I can now parse jQuery in 25-50ms :) I've fixed the dom hacks by basically
Forum: XSS Info
2 years ago
Gareth Heyes
Wow thanks! I've fixed all those. I'm currently struggling with chrome at the moment, there seems to be a large delay processing the initial js. I might have to make my code smaller and use less calls to charCodeAt.
Forum: XSS Info
2 years ago
Gareth Heyes
As always thanks, and thanks for pointing out my stupid mistakes. For the moment I've disabled innerText/textContent on style. I check the tagName inside the setter, so if you can set tagName to something else then you can bypass it, but it appears that it is read only in the browser. I will add CSS parsing inside the setter later.
Forum: XSS Info
2 years ago
Gareth Heyes
Thanks and fixed. I've changed how I remove attributes and fixed a couple of things with the ASI.
Forum: XSS Info
2 years ago
Gareth Heyes
Unfortunately I don't have time to illustrate every feature with a video :( pretty much the same functionality is there though you just have to hover over the tags in the menu and it will tell you the options available. The new version of Hackvertor will present the tag options in a menu rather than having to type manually once I get round to it.
Forum: Obfuscation
2 years ago
Gareth Heyes
Ugh ack. Two bugs. 1. Space character check is an invalid range 2. isVariablePart is accepting para/line separators =) Update.. Fixed. This was because I copied a regex of valid variables then did a conversion to ranges, but either the regex was wrong or my conversion function went wrong. I've redone it using a manual check using eval in the browser to see if they are valid variables. Sorry
Forum: XSS Info
2 years ago
Gareth Heyes
Ok wow, fixed those.
- Rewrote octals because who uses them anyway
- You made me add a function for ASI. It's slower but needed to avoid the same mistakes in different places.
- Also fixed the number state machine to return an error with unexpected exponent if one was not included.
Forum: XSS Info
2 years ago
Gareth Heyes
Thanks and fixed. I force a space after some keywords I missed. Luckily these are stupid human mistakes from me and not an attack on the technique. Also added a semicolon after return, break or continue:
Forum: XSS Info
2 years ago
Gareth Heyes
Niiiiice :) very cool exploit of my ASI. I now check the context and insert a for-semi instead of a semi if required, so the { becomes an object literal.
Forum: XSS Info
2 years ago
Gareth Heyes
I'm currently rewriting again, but this time not relying on the browser to validate syntax. I'm going to write it all and enable us to define rules and hopefully fix these syntax based attacks. Oh and it should be even faster since I'm now using if statements and a very limited number of functions. Update... New version is up: Google Code page: You will notice the parsing is much faster
Forum: XSS Info
2 years ago
Gareth Heyes
Ok arch nemesis I now force divide and regex and =/ Fixed those. You have a new toy as well, dom api. b=document.createElement('b');b.appendChild(document.createTextNode('hello world!'));document.querySelector('form').appendChild(b); Update... and jQuery :O 1. Hit load jQuery 2. Hit execute 3. $ now contains a reference to a sandboxed jQuery!!
Forum: XSS Info
2 years ago
Gareth Heyes
Quote :) In my opinion it's more fun, when "a lot of other parsers have problems". XD
Forum: XSS Info
2 years ago
Gareth Heyes
Fair enough, I'll upload to Google Code, what license do you prefer? I consider you an owner of this project too since without you it would be nothing. BTW your tests are amazing, have you considered releasing a JS parser test suite? The edge cases are really really tricky to parse and a lot of other parsers have problems. There is a new version uploaded now. I'll put it on Google Code when
Forum: XSS Info
2 years ago
Gareth Heyes
1. Doh. I've fixed the var statement stuff by adding it to current expression tracking. 2. Yeah oops, I need to sort that 3. Any reason you need it there? Easier for looking at code? I didn't get any code contributions from anyone last time so I didn't bother. Update... You might want to wait until I fix a lot of things :) need to restructure how function statements, function expressions and
Forum: XSS Info
2 years ago
Gareth Heyes
I wrote a new parser. I've checked it against previous attacks and the syntax problems list from lever one. I should be in a better position to fix issues now since I can match paren expressions and object literals etc. more easily.
Forum: XSS Info
2 years ago
Gareth Heyes
nutscape aka Netscape Navigator
Forum: Obfuscation
2 years ago
Gareth Heyes
Two stage attack is lame =) try harder.
Forum: Obfuscation
2 years ago
Gareth Heyes
This was just for you :)
Forum: Intro
2 years ago
Gareth Heyes
ripper Wrote:
> Well thx mate...Any good tuts about
> non-alphanumeric PHP ??
Did a blog post here: and there's some stuff in my slides: (pdf) I didn't do a tutorial as such, but if enough people ask I might do a blog post I suppose
Forum: Intro
2 years ago
Gareth Heyes
Welcome, look at lightos' and reiners' posts; those guys love SQLi and are pretty damn awesome at it.
Forum: Intro