Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 

Current Page: 1 of 9
Results 1 - 30 of 242
4 years ago
ma1
> isn't there any way to allow site be iframed and
> prevent most clickjacking vectors?
If you mean "iframed by a 3rd, possibly hostile party" the answer is no, you're doomed.
Forum: XSS Info
4 years ago
ma1
> 1. Frame-killers. E.g. from OWASP
> if (top!=self)
> top.location.href=self.location.href
This one can be easily circumvented. Better:
if (top != self) location = "about:blank";
> 2. Usage of X-FRAME-OPTIONS Header
You MUST use both, because Javascript framebusters are even more fragile in browsers which implement X-Frame-Options (it's not a coincidence).
Forum: XSS Info
4 years ago
ma1
Slightly OT, NoScript's interference with timeouts in bookmarklet is fixed in 1.9.9.15. Thanks SDC for reporting.
Forum: OMG Ponies
5 years ago
ma1
philip_clarke Wrote:
> isn't that then a partial implementation then
> [...]
> How far does "the trust go?", doesn't trust html vectors but does trust script based vectors?
I'm not sure about what you mean exactly. NoScript features a full (not partial) anti-XSS protection against type 0 and type 1 XSS.
Forum: Projects
5 years ago
ma1
@philip_clarke: NoScript by default is tuned to check for injections only when it's necessary, i.e.:
1. The request must be cross-site (this can be overridden by setting noscript.injectionCheck to 3, which will cause NoScript to check every request, even same-site)
2. The target site must be Javascript-enabled (XSS won't work anyway if it's not).
Of course, some "dangerous" HTML i
Forum: Projects
5 years ago
ma1
NoScript's anti-XSS protection is not triggered because you're attacking the mysql site from the mysql site itself, i.e. this is not cross-site scripting. Just follow the malicious link from ha.ckers.org or any other domain different than mysql, and you'll see NoScript screaming and killing.
Forum: Projects
5 years ago
ma1
philip_clarke Wrote:
> To be effective against this type of vector,
> PHP-IDS etc.. now needs to take into account all
> of the libraries methods and constructs such as
> jQuery, mootools etc...
Not necessarily... Did you try to use that vector cross-site with NoScript installed? e.g. http://noscript.net/?p='%27%2CjQuer
Forum: Projects
5 years ago
ma1
The "cool" thing is that, since this is a DOM XSS (type 0), it is completely ignored by IE 8's XSS protection ;)
Forum: Full Disclosure
5 years ago
ma1
@tx: could you please tear down that old "PoC" of yours, since I still receive email messages like the following:
Quote:
> Hello, Just got your latest noscript update, but it still fails this site (no warning given)
It's quite an annoyance having to explain yours is not clickjacking again and again, since your PoC says "clickjacking bypassing ClearClick". Thanks...
Forum: Full Disclosure
5 years ago
ma1
Gareth Heyes Wrote:
> Can this be beaten?
>
> http://www.thespanner.co.uk/2009/04/08/overwriting-native-functions-in-javascript/
Yes, it can be beaten quite easily:
try {
  // Firefox
  delete window.alert;
} catch(e) {
  // IE
  with(document) window.alert = body.appendChild(createElement("frame")).content
Forum: XSS Info
5 years ago
ma1
Looks like it's not "again": we had been too happy about the "fix" in Fx 3, overlooking that it didn't prevent 3rd party stylesheets from loading XBL from their domains. The correct approach IMHO (and what I believe everybody including Jonas Sicking mistakenly assumed the previous "fix" was about) is NoScript's: blocking every cross-site XBL. On a good.com page,
Forum: XSS Info
5 years ago
ma1
Not sure about NoScript 3 (have you got a link?), but this 20 secs "hang" is fixed in NoScript 1.9.0.9, thanks ;)
Forum: DoS
5 years ago
ma1
@Gareth, zatoichi: the constructor override thing was a loophole left open by the ECMAScript specification, and fixed more than one year ago in Firefox. So don't waste your time anymore over it ;) The setter technique still works, though. P.S.: no, Firefox doesn't use WScript, fortunately (and quite obviously, since it's cross-platform). Mozilla's engine is called SpiderMonkey.
Forum: XSS Info
5 years ago
ma1
@DoctorDan: there's no "equivalency" or other magic there. If multiple indexes are given for a bracket accessor, the last one gets evaluated:
var o = { a: "first property", b: "second property", c: "third property" };
alert(o["a", "b"]); // this shows "second property"
Forum: XSS Info
5 years ago
ma1
http://hackademix.net/2008/12/30/putting-ssl-in-perspectives/
Forum: News and Links
5 years ago
ma1
@thornmaker: nice, you gave me inspiration for a shorter one: '\ MsgBox 1'
Forum: XSS Info
5 years ago
ma1
@Gareth: Your spambam thing apparently eats C-style comments even if they're urlencoded, that's why you didn't manage to run my entry on your blog.
<script type="text/vbscript">
''/* MsgBox 1'*/
</script>
<script type="text/javascript">
''/* MsgBox 1'*/
</script>
You can run it live here.
Forum: XSS Info
6 years ago
ma1
Hi tx,
Thank you for trying, but how does this qualify as "clickjacking", exactly?
1. both the frames are on the same domain
2. the two buttons are identical
3. there's no form involved
In other words, what's the advantage for the attacker, compared to putting the logout link directly on the main page, with no frames involved? Clickjacking is different from CSRF, albeit simil
Forum: Full Disclosure
6 years ago
ma1
I didn't write much about the attack itself, because I respect the reasons for not disclosing it, but I wrote something about defense:
http://hackademix.net/2008/09/27/clickjacking-and-noscript/
http://hackademix.net/2008/09/29/clickjacking-and-other-browsers-ie-safari-chrome-opera/
http://hackademix.net/2008/10/02/clickjacking-protection-by-default/
Forum: News and Links
6 years ago
ma1
@digi7al64: DNS rebinding is more likely to succeed against intranets because internet sites are usually virtual hosted and/or depend on the HOST header being correct, while intranet web apps can often be addressed by IP, ignoring HOST.
Forum: Projects
6 years ago
ma1
@yawnmoth: http://hackademix.net/2007/12/25/merry-xssmas/#comment-9144
Forum: XSS Info
6 years ago
ma1
@RSnake, Metahuman, trev: maybe Metahuman believed it was fixed because he's using NoScript, which has been blocking this kind of "attack" (automatic opening of external protocol URLs) for a long time.
Forum: DoS
6 years ago
ma1
@emonk: It could happen in Firefox < 1.5.0.6, unless you explicitly wrapped every DOM node you manipulated into an XPCNativeWrapper (a typical beginner error). Doing this "the safe way" was quite painful, though (I had very ugly code inside my FlashGot overlay which I still strive to clean up now), so starting with Firefox 1.5.0.6 XPC deep wrapping has been made automatic, i.e. y
Forum: CSRF and Session Info
6 years ago
ma1
Uhm, OK, it's about social engineering then. I admit I didn't read your OP carefully enough, and I'm afraid I cannot help because it's not exactly my field...
Forum: XSS Info
6 years ago
ma1
Why do you need them to click? Once they're on your page, just <iframe> or meta refresh them (or use scripting, if your page is allowed to).
Forum: XSS Info
6 years ago
ma1
FIXED
Now that it's fixed, I'll explain my innuendo to Ebay's "scary and brainless" issue, which closely reminds me of last month's Base64 Yahoo one. Your PoC was
hxxp://search.ebay.com/search/search.dll?_trksid=&satitle=ME+XSS+U&category0=&from=%27%2Balert(document.cookie)%2B%27
and it did not bypass NoScript. I guess you meant to write it in the "mixed plus&qu
Forum: Projects
6 years ago
ma1
@sdc: On a side note, your latest search.ebay.com PoC DOES actually trigger NoScript's anti-XSS protection. But I guess I understand what you're hinting at, and it's scary and brainless (from Ebay) ;)
Forum: Projects
6 years ago
ma1
@sdc: nice findings, thanks. Fixes for both on their way :)
Forum: Projects
6 years ago
ma1
@sirdarckcat: NoScript used to decode base64 window.name, but not the URI itself, on the assumption that if the attacker wants to decode something from the URI he needs to isolate it first, and two function calls (atob() + whatever needed to isolate the payload) are detected by ordinary filters, whereas base64 window.name can be pulled out with just location=atob(name) or obfuscated equivalent.
Forum: XSS Info
6 years ago
ma1
Sorry, I did not notice this topic at the right time -- probably because I was busy with fixing this very issue... @.mario: you're right, I released a patch in less than one hour while you were commenting here, since I read about it in jackson's blog.
Forum: XSS Info