Category Archives: Cascading Style Sheets

Location based XSS attacks

The basic attack
Using the hash portion of the location is a good way to beat filters; anything sent via the hash is not sent to the server in question. We can use a large amount of data which is hidden from the server-side filters and combine it with data sent to the server. For [...]

Javascript protocol fuzzer and Opera

I’ve updated my protocol fuzzer with charset support (thanks to Chris Weber for the suggestion). I tried the various browsers with the fuzzer; so far nothing in IE8 yet, but I downloaded the latest Opera and found these
Update…
Oops, I made a mistake: my fuzzer reported false positives because Opera reported the links correctly [...]

CSS overlays and frame breakers

I (wrongly) assumed that JavaScript frame breakers were ineffective when using iframes on IE with the security=restricted attribute. As it turns out, cookies are not allowed by default when using the attribute because the security settings are applied from the IE restricted zone. My recommendation is to use frame breakers on administration pages and other [...]

Moz-binding XSS fun

CSS supports hex encoding within styles as well as HTML entities, but did you know you could combine them both? I didn’t. To construct an attack similar to the one displayed below, you first need to convert your CSS property to hex, so -moz-binding becomes: \2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67. Notice there is no “x” prefix or double zeros like [...]

Incrementing in CSS

I’ve continued my experiments with loops in CSS and tried to find a method to allow counter-increment through a loop. The technique uses a random seed to create a unique URL each time (obviously the seed can be improved); it then uses meta refreshes to create the required history to increment the value. This technique [...]

CSS animation!

Hacking CSS is a great challenge and can lead to interesting results. I’ve reignited my interest thanks to sirdarckcat and Thornmaker, who have done some fantastic work. I wanted a way to do animation and loops in pure CSS, and I think it’s sorta possible using meta refresh. I know meta refresh is slightly cheating [...]

CSS toggle buttons

Thornmaker has improved my CSS logic script, which is much neater and requires fewer styles; good work. Sirdarckcat has also created multiplication, which is amazing stuff, so I had a bit of spare time and I decided to see if it was possible to create toggles in CSS with a visual appearance of a [...]

CSS logic

Inspired by the great work of Sirdarckcat on CSK2, I’ve decided to produce a PoC which performs basic logic in pure CSS. The example simply adds the numbers together depending on which checkbox you check. My next experiment will be with loops, and then we can start creating some really cool games in CSS [...]

Ultimate XSS CSS injection

Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin, which I modified slightly, and I found that IE will also accept HTML entities in CSS styles.
Credits update
The expression part of this technique was first demonstrated by Dan on the slackers forums, nice one [...]

XCSS

I thought I’d continue the theme of experimenting with XSS and trying different things; I haven’t seen this written about anywhere, so here goes. The idea is using CSS as an XSS payload, which can be useful when filters allow some things but make it difficult to construct an attack.
I’ve decided to call it [...]