Comments on: XSS is art http://www.thespanner.co.uk/2008/09/11/xss-is-art/ A tool for designers dealing with programmers dealing with designers... Thu, 11 Mar 2010 17:59:00 +0000 http://wordpress.org/?v=2.6.2 By: thornmaker http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1327 thornmaker Thu, 02 Oct 2008 00:22:31 +0000 http://www.thespanner.co.uk/?p=224#comment-1327 true, but i liked the string of dots for aesthetic reasons. i've looked around for some other built in functions that work like this but haven't found anything yet. you? true, but i liked the string of dots for aesthetic reasons. i’ve looked around for some other built in functions that work like this but haven’t found anything yet. you?

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1326 Gareth Heyes Wed, 01 Oct 2008 07:07:21 +0000 http://www.thespanner.co.uk/?p=224#comment-1326 Nice! :) Can be shortened too 'xalert(0)x'.replace(/[^x]+/,eval) Nice! :)

Can be shortened too
‘xalert(0)x’.replace(/[^x]+/,eval)

]]> By: thornmaker http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1325 thornmaker Tue, 30 Sep 2008 23:10:31 +0000 http://www.thespanner.co.uk/?p=224#comment-1325 The opera trick you showed me earlier today also works in FF3 provided you use eval: 'xalert(0)x'.replace(/a......./,eval) The opera trick you showed me earlier today also works in FF3 provided you use eval:

‘xalert(0)x’.replace(/a……./,eval)

]]> By: Spletno gostovanje http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1320 Spletno gostovanje Wed, 24 Sep 2008 11:09:10 +0000 http://www.thespanner.co.uk/?p=224#comment-1320 XSS... it really is an art... I agree :) XSS… it really is an art…

I agree :)

]]> By: Erik http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1311 Erik Mon, 15 Sep 2008 14:09:13 +0000 http://www.thespanner.co.uk/?p=224#comment-1311 i think xss it's art too :xD i think xss it’s art too :xD

]]> By: DoctorDan http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1309 DoctorDan Fri, 12 Sep 2008 22:10:38 +0000 http://www.thespanner.co.uk/?p=224#comment-1309 Oh, you tricky, tricky man. XSS is art, and in this case is certainly beauty as well :P Oh, you tricky, tricky man.
XSS is art, and in this case is certainly beauty as well :P

]]> By: Gilzow http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1308 Gilzow Fri, 12 Sep 2008 20:59:29 +0000 http://www.thespanner.co.uk/?p=224#comment-1308 ok, NOW it makes more sense. I noticed that the smoke-screen was saying that it had detected an injection. Thanks for the clarification. *Very* interesting stuff that you are coming up with. Let's hope the REAL bad guys are two steps behind you. ok, NOW it makes more sense. I noticed that the smoke-screen was saying that it had detected an injection. Thanks for the clarification.

*Very* interesting stuff that you are coming up with. Let’s hope the REAL bad guys are two steps behind you.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1307 Gareth Heyes Fri, 12 Sep 2008 18:25:59 +0000 http://www.thespanner.co.uk/?p=224#comment-1307 Yeah that's because Mario already fixed it ;) Here's a demo of how it did work:- <a href="http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=Ly9IaXQgdGhlICJleGVjdXRlIG91dHB1dCBidXR0b24KbmFtZT0nYWxlcnQoMSknOwpkZWZhdWx0IHhtbCBuYW1lc3BhY2U9dG9vbGJhcixiPTEmJnRoaXMuYXRvYgpkZWZhdWx0IHhtbCBuYW1lc3BhY2U9dG9vbGJhcixlMj1iKCdaWFpoYkEnKQpkZWZhdWx0IHhtbCBuYW1lc3BhY2U9dG9vbGJhcixlPXRoaXNbdG9vbGJhcixlMl0KZGVmYXVsdCB4bWwgbmFtZXNwYWNlPXRvb2xiYXIseT0xJiZuYW1lCmRlZmF1bHQgeG1sIG5hbWVzcGFjZT10b29sYmFyCmRlZmF1bHQgeG1sIG5hbWVzcGFjZT1lKHkp" rel="nofollow">demo</a> Yeah that’s because Mario already fixed it ;)

Here’s a demo of how it did work:-
demo

]]> By: Gilzow http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1306 Gilzow Fri, 12 Sep 2008 17:01:18 +0000 http://www.thespanner.co.uk/?p=224#comment-1306 ok, i see now where name comes into play, but the link to the payload, in firefox, doesnt fire off the alert. So i'm still a bit confused... ok, i see now where name comes into play, but the link to the payload, in firefox, doesnt fire off the alert. So i’m still a bit confused…

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/09/11/xss-is-art/#comment-1305 Gareth Heyes Fri, 12 Sep 2008 15:41:34 +0000 http://www.thespanner.co.uk/?p=224#comment-1305 @Gilzow :) thanks I didn't include the actual payload until later which uses window.name. It can be passed from site to site so it's a good way of passing a XSS payload. Line 5 does nothing it is there to get round phpids centrifuge detection. Centrifuge detects vectors when they look like previous ones. The toolbar reference is window.toolbar in Firefox and is used to again bypass centrifuge, any global object/function can be called on one line like this. Look at comment 4 to see how window.name can be passed as a payload. @Gilzow

:) thanks

I didn’t include the actual payload until later which uses window.name. It can be passed from site to site so it’s a good way of passing a XSS payload.

Line 5 does nothing it is there to get round phpids centrifuge detection. Centrifuge detects vectors when they look like previous ones. The toolbar reference is window.toolbar in Firefox and is used to again bypass centrifuge, any global object/function can be called on one line like this.

Look at comment 4 to see how window.name can be passed as a payload.

]]>