Hackvertor API

Monday, 15 March 2010

Over the weekend Stefano Di Paola broke my JSReg sandbox with some awesome vectors in particular the Opera one. He took my challenge after I laid down the gauntlet on the web app sec list. If you have some sandbox you want breaking, some Flash you need testing or general pen test work you should hire this guy he is awesome.

I patched JSReg by removing the prototype, callee, caller from the allowed properties, hopefully this will stop future attacks using this method until I can work out a way to use these safely. Then I got a bunch of great suggestions from Thornmaker and SDC, that made so much sense I reworked the recent Hackvertor code to modify the Object protoype. So now Hackvertor tags can call each other easily using this method for example:-

'abc'.HV('reverse').HV('base64',Array('encode'))

The API is extended further where you can include data and share it across tags, this is super useful when creating a standard list of XSS vectors, Unicode characters, shellcode whatever you like! First the example shows how a tag can be used to return array data. The second example shows how you can use this data within tags.

Data sample
Using the data

What’s great about this is that the data can also now be used externally, you can embed the sandbox from an external site and use your data. Of course using untrusted tags poses a risk that I’ll need to account for but if you only use your own tags it should be pretty safe to use them for fuzzers or other data.

Here is how to embed my version of Hackvertor tags:-

<script src="http://hackvertor.co.uk/export?id=1"></script>
<script type="text/javascript">
window.onload = function() {
parser = JSReg.create();
try {										
		parser.extendObject('$HV$',(function(tags) { 
				return function(tagName, args) {							
					if(!tags.hasOwnProperty(tagName)) {
						return null;
					}																			

																								
					return tags[tagName].execTag(this,function(output){ return output; },args);							
				   }
			})(window.Hackvertor.tags)
		);
		//EXECUTE YOUR OWN CODE HERE
		parser.eval("alert('abc'.HV('reverse'))");																																					
	} 
	catch (e) {	
		alert(e);
	}			
}			
  </script>

At the moment Hackvertor doesn’t have all the tags the previous one had yet but why not help out and build a security tool together in the first coding social network.

The entry 'Hackvertor API' was posted on March 15th, 2010 at 11:36 pm and last modified on March 16th, 2010 at 10:02 am, and is filed under hackvertor, javascript, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

2 Responses to “Hackvertor API”

  1. thornmaker writes:
    No. 1 — March 16th, 2010 at 6:52 pm

    so how about adding ‘abc’.HV(‘reverse’).HV(‘base64’,Array(‘encode’))
    syntax to the main screen too? tags are nice, but this would be faster for people that know what their doing 😀

  2. Gareth Heyes writes:
    No. 2 — March 17th, 2010 at 10:54 am

    I’ve put a help screen in the menu now but any suggestions to make it easier would be great. I might do a tag library feature where you can point and click tags when developing a new tag maybe I’ll do it over the weekend 🙂

«
»