Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.

Pages: 1 2 Next
Current Page: 1 of 2
Results 1 - 30 of 56
1 year ago
asilvermtzion
Gareth Heyes Wrote:
> Two stage attack is lame =) try harder.

The filter just seems to be ridiculously punitive, I have found a few vectors which beat the initial URI matching but not the second match routine after parsing, it seems to make encoding tricks obsolete. I thought I was getting somewhere by using the : XML ent
Forum: Obfuscation
1 year ago
asilvermtzion
Albino Wrote:
> When I encountered it ~1 year ago this worked:
> http://nomoreroot.blogspot.co.uk/2008/08/ie8-xss-filter.html

Thanks Albino, yes that still works I believe, but as a two stage attack naturally it requires user interaction, or clickjacking, which I would like to avoid. I've been trying variants for the las
Forum: Obfuscation
1 year ago
asilvermtzion
Bit of a long shot but wondering if something like this is possible? I want to build an attack which doesn't require clickjacking or similar, but IE seems to have a solid filter in place (both on the uri and response body), am I out of luck? I've tried all variations listed on html5sec.org and to my amazement M$ seems to have patched them all.
Forum: Obfuscation
1 year ago
asilvermtzion
Not to worry, I found something to work with, looks like SVG is a particularly fruitful area.
Forum: XSS Info
1 year ago
asilvermtzion
Been out of the loop for a while, looks like the mainstream browsers have upped their game in terms of reflective XSS filters since I last looked, in particular I'm struggling to get anything working with Chrome as it removes any onerror, onmouseover attributes, strips anything within script tags, I saw some recent challenges that were using multiple inputs to fool the filters, is that what it tak
Forum: XSS Info
5 years ago
asilvermtzion
Shouldn't it be base64'd? Also, what is that vuln on the Java forums, is that a BBCode exploit?
Forum: XSS Info
5 years ago
asilvermtzion
Ah ok, so you are using a traditional token, combined with a js generated token. The server side generates the strings I presume, therefore you simply run the same algorithm when the form is submitted and check the values match. Noticed the frame breaker as well, seems like a pretty effective all-round routine. A not strictly csrf question but in this example, if I were to use the browser's &qu
Forum: CSRF and Session Info
5 years ago
asilvermtzion
Haha, tested this on my brother, it spawned enough IE windows that the only way out was a reboot. How the heck does it work even with javascript disabled?
Forum: DoS
5 years ago
asilvermtzion
Examples of using Javascript based sessions?
Forum: CSRF and Session Info
5 years ago
asilvermtzion
This is made of win and awesome. Do want ff3 version
Forum: Projects
5 years ago
asilvermtzion
That's very neat, I do think implementing CSRF protection from the ground up is a more structured approach, however this is certainly great for legacy applications. I like the concept of the XHR wrapper, it's surprising how little people take this into consideration.
Forum: News and Links
5 years ago
asilvermtzion
im in ur internetz, stealin all ur sql toolz
Forum: SQL and Code Injection
5 years ago
asilvermtzion
If you have a vuln on a subdomain, obviously you can't access the main domain. I know you can circumvent this by setting document.domain on both sides, however when I tested it, if you don't actually manually set document.domain on the target it doesn't work? Perhaps someone could explain the theory behind that. Also, are there any other ways to meddle with SOP? I know you can hook window.open
Forum: CSRF and Session Info
5 years ago
asilvermtzion
I actually just pissed myself laughing at the seizure one, reminds me of the 4chan raid
Forum: Full Disclosure
5 years ago
asilvermtzion
That's mental. I thought SOP covered sub-domains as well though?
Forum: CSRF and Session Info
5 years ago
asilvermtzion
You've got to be kidding!
Forum: Full Disclosure
5 years ago
asilvermtzion
Why wait a month? You should set a minimum period for acknowledgement and a later date for fix implementation, and let them know that up front.
Forum: Full Disclosure
5 years ago
asilvermtzion
I guess what I'm asking is, if an argument is passed as a string (the document.pathname parameter), is there a vector which would let you break out of that and have it parsed?
Forum: XSS Info
5 years ago
asilvermtzion
http://www.ipbplaza.uni.cc/%3Ctest%3E

function get_path() {
  if (document.location.pathname != undefined) {
    return document.location.pathname.replace(/[<]/g, "&lt;").replace(/[>]/g, "&gt;");
  } else {
    return "&nbsp;";
  }
}

Something tells me that's not a good approach.
Forum: XSS Info
5 years ago
asilvermtzion
Any updates on this? If I were you I'd have used it for personal gains lol. I'd like to see a PoC now it's been in the public domain for a while
Forum: Search Engine Hacking and SEO
5 years ago
asilvermtzion
Ha, thanks. I'm too lazy to install visual studio etc. it seems reasonably effective, at least it detects tags or events and some keywords. There is definitely scope to work around it though given it's "blacklisting" approach.
Forum: CSRF and Session Info
5 years ago
asilvermtzion
Haha, the awstats thing is mental.
Forum: Full Disclosure
5 years ago
asilvermtzion
Not run into this before (ASP built in detection), anyone know how this works and what it's based on?
Forum: CSRF and Session Info
6 years ago
asilvermtzion
Hi Gareth, I'm just getting that filtered to:

<a href="data&amp;#x00003atext/html,">test</a>

Looking at the code some more, seems to be some extra regex outside of the html filter:

$text = str_replace('&&', '&#038;&', $text);
$text = str_replace('&&', '&#038;&', $text);
$text = preg_replace('/&(?:$|([^#])(?!{1,8};))/', '&am
Forum: XSS Info
6 years ago
asilvermtzion
Haha, nice. Did you get any credit?
Forum: Full Disclosure
6 years ago
asilvermtzion
Yeh my bad, I should have given more info. Upon reflection, it's using http://sourceforge.net/projects/kses which is a discontinued HTML purifier, some vulns are available but they have been patched in this implementation (style attributes disabled as well). So I guess this is just pissing in the wind as all angles appear to be covered, but I'm still trying to get a vector to work with it, just
Forum: XSS Info
6 years ago
asilvermtzion
htmlspecialchars replaces ampersands, therefore how can you use malformed entities? This sanitisation routine seems to filter out legit entities, and if it's not recognised it just reverts to regular filtering, i.e. if I try an entity such as &#x5c2d it doesn't get through... (entity normalisation). That vector still uses the "javascript:" protocol which this code detects as an unwanted
Forum: XSS Info
6 years ago
asilvermtzion
Thanks lol, well the filtering is actually very good on the app I'm testing, they decode all dec/hex entities in the sanitisation routine, e.g.

###############################################################################
# This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't
# do anything with other entities like &auml;, but we don't need them in the
# U
Forum: XSS Info
6 years ago
asilvermtzion
Any bright ideas on how to get past a regex filter on ":" (colon)? This makes any javascript:xxxx impossible.
Forum: XSS Info
6 years ago
asilvermtzion
Only works on boards with that plugin, which is quite a random one. Any other recent vulns in vBulletin? I'm struggling to find anything.
Forum: Full Disclosure