Sla.ckers.org (sla.ckers.org is ha.ckers sla.cking)
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables, and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.

Page 1 of 5 (results 1 - 30 of 126)
8 weeks ago
Albino
onformchange="document.innerHTML=location.hash" See also http://www.thespanner.co.uk/2012/05/01/xss-technique-without-parentheses/
Forum: XSS Info
4 months ago
Albino
For posterity, none of the above techniques appear to work anymore but this works in Opera: <input type=hidden onformchange=alert(2)/> Courtesy of http://html5sec.org/#23
Forum: XSS Info
5 months ago
Albino
Take a closer look at shazzer - most of the vectors have a single exotic character. By chaining together a few different ones you could create something pretty interesting. https://twitter.com/XSSVector has some good tricks too.
Forum: XSS Info
6 months ago
Albino
First of all to gain a solid understanding of XSS I recommend http://lcamtuf.coredump.cx/tangled/ . I think that will help more than disconnected examples. But, since you asked, I'll try to answer from memory: Case #01: Look at the first page of the thread; this is a bypass of Gareth's JSReg sandbox. http://sla.ckers.org/forum/read.php?2,29090,page=1 Case #02 and #05 and #06: These all re
Forum: XSS Info
6 months ago
Albino
Not as far as I know, but don't let that stop you trying.
Forum: SQL and Code Injection
7 months ago
Albino
Just find XSS on a subdomain, then inject document.cookie='cookiename=xsspayload; domain=topdomain.com'; https://www.youtube.com/watch?v=hB2lPJldYQI
Forum: XSS Info
7 months ago
Albino
Depends. If you get xss in any subdomain you can inject cookies. Also, sometimes you get code that places user input directly into cookies, so you can inject new cookies using ; or , A certain hackxor level relies on this :)
Forum: XSS Info
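The two posts above describe "cookie tossing": script running on any subdomain can write a cookie scoped to the parent domain, and the parent site cannot tell it apart from its own. The following is an added example, not code from the sla.ckers thread; it is a small model of the RFC 6265 rules a browser applies (which hosts may set Domain=, host-only vs. domain cookies, and the order cookies are sent in) so that the effect can be checked offline. The host names, the cookie name sid, and the CookieJar/firstCookie helpers are assumptions for illustration, not any real site or browser code.

```javascript
// Added example (not from the original thread). Minimal model of browser cookie
// scoping and ordering per RFC 6265, to show why XSS on one subdomain lets an
// attacker plant a session cookie that the parent site reads as its own.
// Host names, cookie names and helper names are illustrative assumptions.

class CookieJar {
  constructor() { this.cookies = []; this.counter = 0; }

  // Store a cookie the way document.cookie = "..." from originHost would.
  // Domain= may only name the origin itself or a parent of it (RFC 6265 5.3);
  // a cookie without Domain= is host-only. Public-suffix checks are omitted.
  set(originHost, cookieString) {
    const [pair, ...attrs] = cookieString.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 0) return false;
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    let domain = originHost, hostOnly = true, path = '/';
    for (const attr of attrs) {
      const [k, v = ''] = attr.split('=').map(s => s.trim());
      const key = k.toLowerCase();
      if (key === 'domain' && v) {
        const d = v.replace(/^\./, '').toLowerCase();
        if (!domainMatches(originHost, d)) return false; // setting for an unrelated domain is rejected
        domain = d; hostOnly = false;
      } else if (key === 'path' && v.startsWith('/')) {
        path = v;
      }
    }
    // Same (name, domain, path) replaces the old cookie but keeps its creation time.
    const existing = this.cookies.find(c => c.name === name && c.domain === domain && c.path === path);
    const created = existing ? existing.created : this.counter++;
    this.cookies = this.cookies.filter(c => c !== existing);
    this.cookies.push({ name, value, domain, hostOnly, path, created });
    return true;
  }

  // Cookie request header for a request to host + requestPath, ordered as
  // RFC 6265 5.4 requires: longer paths first, then earlier-created first.
  cookieHeader(host, requestPath) {
    const sent = this.cookies.filter(c =>
      (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)) &&
      pathMatches(requestPath, c.path));
    sent.sort((a, b) => b.path.length - a.path.length || a.created - b.created);
    return sent.map(c => `${c.name}=${c.value}`).join('; ');
  }
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// What most server frameworks do with duplicate names: take the first one.
function firstCookie(header, name) {
  for (const part of header.split('; ')) {
    const eq = part.indexOf('=');
    if (part.slice(0, eq) === name) return part.slice(eq + 1);
  }
  return undefined;
}

function cookieTossingDemo() {
  const jar = new CookieJar();
  // Victim logs in at www.example.com: a host-only session cookie.
  jar.set('www.example.com', 'sid=victim-session; Path=/');
  // Attacker's XSS payload on a sibling subdomain tosses a cookie scoped to the
  // parent domain, with a more specific path so that it sorts ahead of the real one.
  const tossed = jar.set('attacker.example.com',
    'sid=attacker-session; Domain=example.com; Path=/account');
  // The same payload cannot plant a cookie for an unrelated domain.
  const rejected = jar.set('attacker.example.com', 'sid=x; Domain=other.com');
  const header = jar.cookieHeader('www.example.com', '/account/settings');
  return { tossed, rejected, header, seenByServer: firstCookie(header, 'sid') };
}

console.log(cookieTossingDemo());
```

The header sent to www.example.com ends up carrying both sid values, attacker's first, so a server that reads the first sid is now using the attacker-chosen session (session fixation). The defence this models is the reason for the __Host- cookie prefix and for treating every subdomain as hostile: a host-only cookie cannot be shadowed from a sibling, but a Domain= cookie can.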
7 months ago
Albino
Filtered as in removed, although in this case it doesn't make any difference. \ isn't an escape character in HTML attributes.
Forum: XSS Info
8 months ago
Albino
Opera only: Location: data:text/html,<svg/onload=alert(document.domain)> Have you tried injecting HTTP headers?
Forum: XSS Info
8 months ago
Albino
<input value=""/> The input is filtered for " and nothing else. < and > are perfectly allowed. I feel that this must be exploitable in some browsers but I don't see how. Any ideas?
Forum: XSS Info
8 months ago
Albino
When I encountered it ~1 year ago this worked: http://nomoreroot.blogspot.co.uk/2008/08/ie8-xss-filter.html
Forum: Obfuscation
8 months ago
Albino
Looks like the code uses gpg already, so encryption-wise it might already be mostly secure.
Forum: Privacy
8 months ago
Albino
Just rip out their encryption and rebuild it using a library you trust like http://php.net/manual/en/ref.gnupg.php
Forum: Privacy
8 months ago
Albino
I'm not sure what you're asking. What do you mean by valid?
Forum: SQL and Code Injection
9 months ago
Albino
I don't think so.
Forum: XSS Info
9 months ago
Albino
There isn't much you can do in this situation. You can redirect the page, and if the parent uses X-Frame-Options: SAMEORIGIN then you bypass that and launch UI-redressing attacks; see http://www.skeletonscribe.net/2012/06/x-frame-options-sameorigin-warning.html
Forum: XSS Info
10 months ago
Albino
IIRC this kind of thing is not exploitable in Firefox & Chrome (and even the latest IE), since they respect the Content-Type header.
Forum: XSS Info
10 months ago
Albino
If you're young, the 'good old days' are before your time by definition.
Forum: News and Links
11 months ago
Albino
What companies do you use to host your PoCs & tools? Are there any in particular that are both secure and unlikely to throw a fit if you host a proof of concept?
Forum: OMG Ponies
11 months ago
Albino
Interesting. A couple of initial questions; how is the password generated; does every user get a unique, static password generated when they install it? Also, what does this do that Content Security Policy doesn't?
Forum: News and Links
12 months ago
Albino
I have the following injection: <meta name="" content=""> The only characters accepted are a-Z 0-9 - and _ Any ideas? I can't use http-equiv and <meta name="author" input="albino"> just isn't severe enough for my taste. Viewport looks interesting but I can't use =.
Forum: XSS Info
1 year ago
Albino
Seems like it's related to security zones; the poc only works if it's in the trusted/local security zone. Ah well.
Forum: XSS Info
1 year ago
Albino
I have a page that loads a third party stylesheet and alert()'s some info from it. For some reason it only works if I open it locally; hosting the page anywhere breaks it. Here's the code: <html> <head> <link rel="stylesheet" href="https://SNIP" type="text/css"> </head> <body> <script> alert(document.body.currentStyle.f
Forum: XSS Info
1 year ago
Albino
I'd hazard a guess that most of the smaller email providers would, probably the ones with tight mailbox size limits. You could ask them to confirm, as long as you phrase it right. If you want to pay for hosting you might as well get a VPS and install the email server yourself; that way you can make sure it's relatively secure. However if you take this approach you'll have to worry about uptime and
Forum: Privacy
1 year ago
Albino
You don't need to run your own email server to achieve that. Just use a provider that provides delete-is-delete functionality (eg not gmail) and an email client that stores the messages locally. I use this approach myself, just remember to make backups. Make sure you're clear on who you're worried about and what capabilities they have. Someone burning a 0day to hack an email server is on a dif
Forum: Privacy
1 year ago
Albino
Could you inject alert(1)" style="position:absolute;top:0px;left:0px;right:0px;bottom:0px to make a link that executes js on a click and covers the entire screen?
Forum: XSS Info
1 year ago
Albino
Which inputs are safe depends on the context. It sounds like you're trying to make a blacklist, which is an innately treacherous approach. The safer/easier option is to use a whitelist: i.e. allow and remove/carefully encode everything else. Also see: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Forum: XSS Info
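The post above makes the point the OWASP cheat sheet makes at length: which characters are "safe" depends on the output context, so output encoding per context plus a whitelist for values with a known shape beats a blacklist. The example below is added here and is not code from the thread or from OWASP; it shows one encoder per context (HTML text and quoted attribute, JavaScript string literal, URL parameter) and a whitelist check, and it also illustrates the earlier remark in this list that a backslash is not an escape character inside an HTML attribute, which is why attribute values must be entity-encoded rather than backslash-escaped. Function names, the render() template and the sample payloads are assumptions for illustration.

```javascript
// Added example (not from the original thread or from OWASP). Context-aware
// output encoding plus a whitelist for structured values. Names and sample
// payloads are illustrative assumptions.

// HTML text and quoted-attribute context: entity-encode everything outside a
// small allowlist. A backslash does not escape anything in an HTML attribute,
// so value="\"" still closes the quote; only &quot; / &#x22; is safe.
// Attributes must always be quoted, since a space is allowed through here.
function encodeHtml(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g,
    ch => `&#x${ch.charCodeAt(0).toString(16)};`);
}

// JavaScript string-literal context: \xHH / \uHHHH escapes, so that neither a
// quote nor </script> can end the literal or the script block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, ch => {
    const cu = ch.charCodeAt(0);
    return cu < 0x100
      ? `\\x${cu.toString(16).padStart(2, '0')}`
      : `\\u${cu.toString(16).padStart(4, '0')}`;
  });
}

// URL parameter context. The percent-encoded result still has to be
// HTML-encoded when it is written into an href="..." attribute.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Whitelist for a value with a known shape: reject instead of "cleaning up".
function isSafeToken(s) {
  return /^[A-Za-z0-9_-]{1,32}$/.test(s);
}

// A page fragment that writes the same untrusted value into four contexts.
function render(username, displayName, returnUrl) {
  if (!isSafeToken(username)) throw new Error('invalid username');
  return [
    `<p>Hello ${encodeHtml(displayName)} (${username})</p>`,
    `<input value="${encodeHtml(displayName)}">`,
    `<a href="/next?u=${encodeHtml(encodeUrlParam(returnUrl))}">continue</a>`,
    `<script>var name = "${encodeJsString(displayName)}";</script>`,
  ].join('\n');
}

// True when no raw <, >, " or unescaped </script> from the input survives.
function looksInert(html) {
  const withoutMarkup = html
    .replace(/<p>|<\/p>|<input value="|">|<a href="\/next\?u=|<\/a>|<script>var name = "|";<\/script>|continue/g, '');
  return !/[<>"]/.test(withoutMarkup);
}

// Constructed payloads: attribute breakout, script-block breakout, javascript: URL.
const out = render('alice_01',
  'x" onfocus="alert(1)" autofocus="</script><script>alert(2)</script>',
  'javascript:alert(3)');
console.log(out);
console.log('inert:', looksInert(out));
```

The whitelist handles the cases where a value has one legitimate shape (a username, an ID); the encoders handle free text, and the choice of encoder is made by where the value lands, not by what it contains. Encoding for the wrong context (entity-encoding inside a script block, for instance) leaves the quote breakout intact, which is exactly the failure a character blacklist tends to reproduce.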
1 year ago
Albino
Where I'm at, computer science is basically maths-lite. So, to play the game just get a degree in maths and learn coding/security on the side.
Forum: OMG Ponies
1 year ago
Albino
Wow that's a nice setup id. Thanks for sharing. Do you have to use distinct license keys on the 2 Win7 VMs? As for OpenBSD, getting internet access and KDE working was simple enough, then I spent a pitiful ~16 hours trying to get it to cooperate with my graphics card before giving up. I plan to use it as a server OS in the future, though.
Forum: OMG Ponies
1 year ago
Albino
Try it with and without url-encoding the ". (eg try in firefox and IE). If neither of those work, I don't think it is exploitable; see http://shazzer.co.uk/database/All/Characters-that-close-a-quote?
Forum: XSS Info