Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 

Pages: 1 2 3 Next
Current Page: 1 of 3
Results 1 - 30 of 67
3 years ago
p0deje
Hello, I am currently pentesting an ASP.NET application and trying to exploit the Padding Oracle Attack. Those, AFAIK, are based on response code analysis, but both ScriptResource.axd and WebResource.axd of the system under test always respond with 200 OK, even if the cipher has been invalid. In this case, however, the content of the response is an empty string. So, the question is if it's possible to use any of
Forum: OMG Ponies
3 years ago
p0deje
Hello slackers, I am currently working on a CSP implementation. It has an admin page for setting up policies. Apart from the HTTP header, I place the directives in a <meta> tag, like this: print('<meta http-equiv="X-Content-Security-Policy" content="' . $directives . '" />'); It's necessary to validate the directives since I put them into HTML. I have currently got to this regex: [^( \.\*\/
Forum: XSS Info
3 years ago
p0deje
Text field. The input has both a client-side size restriction (via the maxlength="16" attribute) and a server-side size restriction.
Forum: XSS Info
3 years ago
p0deje
@Gareth There were no server-side restrictions a couple of days ago. Now there are. I've just understood what you've been trying to explain to me. Sorry, I didn't think about CSRF :(
Forum: XSS Info
3 years ago
p0deje
@Kyo Thanks for the link. I hadn't seen it before. Still, don't think I do not understand the idea of XSS, because I do. Now, however, social engineering won't help in this situation because besides the size attribute, a server-side limitation has been added, so even if we remove the size attribute, we'll face a "16 chars max" error.
Forum: XSS Info
3 years ago
p0deje
Okay. I posted the code of the vulnerable input. As you can see, it has an HTML restriction on the size. Of course, I can remove the size attribute, but that's not the answer I've been looking for, since trying to force the victim to do it is a bad idea. I had just hoped you guys knew some vectors shorter than 16 chars. @Gareth Sorry for bothering :(
Forum: XSS Info
3 years ago
p0deje
@Albino Come on, didn't you notice the irony in my question about the victim's actions? I thought a smiley would be enough, hah
Forum: XSS Info
3 years ago
p0deje
So, no ideas at all? Damn, I thought you guys would help me...
Forum: XSS Info
3 years ago
p0deje
Yeah I can. Will the victim do it too? :)
Forum: XSS Info
3 years ago
p0deje
Here is the code of the vulnerable input field: <input type="text" maxlength="16" name="field_country[0]" id="edit-field-country-0-postal-code" size="16" value="" class="form-text" /> There is no injection afterwards, and the page just renders what you entered.
Forum: XSS Info
3 years ago
p0deje
As in the subject. No sanitizing, only a size limit. I'm running out of ideas. Do you have any?
Forum: XSS Info
3 years ago
p0deje
It's good to see the forum up again! I have a pretty simple question. I want to connect to a remote server's SMTP (Exim), but it won't authorize me since my domain name is not listed in /etc/localdomains. Is it possible to fake the domain name I send, so it would match the one listed in localdomains? I suppose it can be done with proxies, but I'm not sure how exactly to do this.
Forum: Networking
4 years ago
p0deje
http://na.blackberry.com/eng/developers/resources/simulators.jsp <- Blackberry
Forum: Mobile Devices
4 years ago
p0deje
<bgsound src='javascript:alert(1)'> - Opera, IE
Forum: XSS Info
4 years ago
p0deje
IE changes the iframe src to about:blank if saving as "Webpage, complete". But saving it as "Webpage, HTML only" preserves the src. Still, IE blocks JS by default. I'm just curious, isn't "forbid reading of file://" a security standard? Because Firefox and WebKit use it.
Forum: OMG Ponies
4 years ago
p0deje
Hi everybody. Can anybody explain to me why Opera and IE still allow reading of an iframe with a file:// src from HTML of the same protocol (whereas Firefox and Chrome forbid it)? Because if a user saves a page with such an iframe locally and opens it, JS can read its innerHTML and send it anywhere. P.S. Curious: local open of an HTML file with <iframe src="file:///C:\WINDOWS\NOTEPAD.EXE">
Forum: OMG Ponies
4 years ago
p0deje
If it's unfiltered as you say, why not </script><script>alert(1)</script>
Forum: XSS Info
4 years ago
p0deje
For Firefox 3.6.8 it executes from time to time (cannot necessary behavior). The same exploit always works in Opera 10.61. It doesn't work for Chrome 6 (requires page reload).
Forum: XSS Info
4 years ago
p0deje
You can use the data URI scheme attack vector, e.g. ?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4= works in FF3.6
Forum: XSS Info
4 years ago
p0deje
That's a simple framebuster, which can be busted; look at http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed
Forum: XSS Info
4 years ago
p0deje
Since I didn't find any resource about all the browser security opportunities, I want to collect all possible information within this thread. The question is: How can a website developer mitigate webapp vulnerabilities using browsers' security models? That's what I've found. -- XSS -- 1. X-Content-Security-Policy HTTP header. Supported by Firefox 3.? https://wiki.mozilla.org/Security/CSP/Spec
Forum: XSS Info
4 years ago
p0deje
I guess you are talking about XSS, aren't you? What if they use a very tough sandbox and filtering? However, I've got it: this kind of attack is supposed to be incredible, because other, more serious vectors will occur in such circumstances. Thanks :)
Forum: XSS Info
4 years ago
p0deje
I've decided not to create a new thread for this, because it's about Clickjacking. I had a quick talk with Giorgio Maone, because it looked wrong to me that ClearClick bypasses clickjacking if it's done within the same domain. He said that there is no precedent of a same-domain Clickjacking attack except one related to a plugin object. Cross-domain is one of the main concepts of Clickjacking/UI Redressing
Forum: XSS Info
4 years ago
p0deje
Can you point me to some doc about disabling JS/CSS selectively via XSS filters? Google didn't help me a lot.
Forum: XSS Info
4 years ago
p0deje
Or just use Opera Tools -> Advanced -> Cookies
Forum: XSS Info
4 years ago
p0deje
Explain to me: <script> if (top === self) { document.write("<!--"); } </script> <style> body { display: none; } </style> <! stop document writing --> This trick is useful because the usual framebuster, which is a particular script, can be disabled with an XSS filter, but you say that a stylesheet can be disabled with an XSS filter too, then what's the deal of
Forum: XSS Info
4 years ago
p0deje
Even though using a comment like <!-- blah-blah --> worked in a simple HTML file, when I added it to Drupal, document.write wasn't stopped by this comment. I had to change the comment to <! blah-blah --> and that way it worked in all major browsers.
Forum: XSS Info
4 years ago
p0deje
Thanks to everybody, the module was released: http://drupal.org/project/safeclick
Forum: XSS Info
4 years ago
p0deje
http://p0deje.blogspot.com/2010/03/safeclick-testing-review.html
Forum: XSS Info
4 years ago
p0deje
The problem is that it's impossible to make the URL bar scroll down without user manipulation.
Forum: CSRF and Session Info