A user of Hackvertor contacted me and suggested a mailing list to collect ideas and feature requests. I must admit that because of time I haven’t had the opportunity to ask users they thought. I guess I also assumed that there wouldn’t be many people using the tool but it turns out there are one [...]
Finding a pattern in malicious javascript is difficult, it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph Javascript and I shall go through a few of the possibilities and provide examples through Hackvertor (which now supports code morphing).
In order for a pattern to [...]
I thought about adding basic bookmarklets to Hackvertor but then I had an idea..wouldn’t it be cool if you could create your own This simple yet powerful feature will allow you to perform a Hackvertor conversion on any text from any web page. This means you can convert a selection of text to hex [...]
Simplicity is always the best policy
I’ve finally and completely (I hope) fixed nested tags. This was an absolute nightmare to solve because the engine kept matching the wrong sets of tags. For example if you placed the following tags in Hackvertor:-
<hex_ent><hex_ent>test</hex_ent></hex_ent>
Hackvertor wouldn’t know which one it should convert first, the way to actually solve the [...]
I’ve been reading a lot about unicode over the past few weeks and I decided to add full/half conversion into Hackvertor as a learning exercise. It’s useful for testing IDS systems because certain web servers automatically convert the characters into the normal ASCII range.
Check it out here:-
Unicode demo
You can even assign a custom prefix to [...]
Future plans
I’ve done a big change in the Hackvertor code to pave the way for some new features. In future I plan to create a web service were we can create/share Hackvertor tags for free. This will enable custom versions of Hackvertor for a specific task, for example we could have a SQL injection version, [...]
I’ve updated the design and layout of Hackvertor along with some new tags and features. In the next few weeks I plan to tidy the code up and reduce a lot of functions. If you have any feature suggestions then please leave a comment, SQL injection tags are planned for the next release along with [...]
I’ve created a separate tool for HTML/JS fuzzing, I decided to do this because Hackvertor does all the hard work of conversion and I can simply extend the functionality without writing much code. The tool is already very powerful and lets you traverse unicode characters and perform whatever conversions you require and in any position [...]
New update
I’ve updated Hackvertor again, which allows HMAC hashing, SHA2 hashing support, new line removal and javascript evaluation within tags. A good example of the new features would be the following input:-
<@sha2><@js2str>str=’hello’;for(i=0;i<10;i++) str += ‘o’<@/js2str><@/sha2>
The above creates the string “hellooooooooooo” in javascript and hashes the result with sha2.
I’ve started work on a formatcode tag which [...]
I see my pupil that you are now ready to learn the ways of the samourai sword. The Shaolin Warrior’s IDS tiger style is strong but it is no match for the Hackvertor hanzo sword. Observe:-
<@hex>j<@/hex><@dec>a<@/dec>vascrip<@hex>t<@/hex>
<@dec>:<@/dec>ale<@hex>rt(/XSS PUNCH!/)<@/hex>
Which produces a devastating blow:-
javascript:alert(/X
SS PUNCH!/)
I hope you have enjoyed this lesson young one please continue in the ways of [...]