I tweeted this a while ago but Twitter sucks when it comes to finding anything and I thought it was good enough for a blog post. Way back in Safari 3.0 and Internet Explorer 5.5 and the old Opera you could mess with JavaScript urls and the base tag. Me, Mario and Brainpillow documented this […]
Archives for the ‘Security’ Category
New IE mutation vector
Wednesday, 17 June 2015
I was messing around with a filter that didn’t correctly filter attribute names and allowed a blank one which enabled me to bypass it. I thought maybe IE had similar issues when rewriting innerHTML. Yes it does of course 🙂 The filter bypass worked like this: <img ="><script>alert(1)</script>"> The filter incorrectly assumed it was still […]
How I smashed MentalJS
Sunday, 3 May 2015
I’m proud to introduce a guest blogger on The Spanner. Jann Horn is an IT security student in his fourth semester and works for Cure53. He has found security issues in a bunch of open source projects, including OpenSSH (CVE-2014-2532), Chromium (CVE-2014-1726, CVE-2015-1247), Android (CVE-2014-7911) and Angular. He’s also a member of the university CTF team FluxFingers. Jann has been […]
MentalJS DOM bypass
Friday, 6 March 2015
Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used insertBefore with a null second argument which allows you to insert a node into the DOM and bypass my sandboxing restrictions. The vector is below:-

_=document
x =_.createElement('script');
s =_.createElement('style')
s.innerHTML = '*/alert(location)//'
t=_.createElement('b')
t.textContent = '/*'
x.insertBefore(t.firstChild, null);
x.insertBefore(s, null)
_.body.appendChild(x)
x […]
Another XSS auditor bypass
Thursday, 19 February 2015
This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame Chrome doesn’t support self-closing scripts in HTML or within an SVG element because I’m pretty sure I could […]
XSS Auditor bypass
Tuesday, 10 February 2015
XSS Auditor is getting pretty good, at least in the tests I was doing; however, after a bit of testing I found a cool bypass. Without studying the code it seems that it checks for valid JavaScript within the vector, and I thought I could use this to my advantage. I came up with the idea […]
Bypassing the IE XSS filter
Wednesday, 7 January 2015
Mario noticed that the new version of the IE filter blocks anchors in an attempt to prevent the same origin bypass where you double encode the vector and post a link to itself. I had to take a look and see if I could break it and…of course I did. The regex is very generic:- <a.*?hr{e}f […]
Unbreakable filter
Friday, 24 October 2014
I was bored so I thought I’d take a look at Ashar’s filters. I noticed he’d done a talk about it at Blackhat Europe which I was quite surprised at. Then I came across the following blog post about the talk which I pretty much agreed with. That blog post links to his filters so […]
MentalJS bypasses
Tuesday, 24 June 2014
I managed to find time to fix a couple of MentalJS bypasses by LeverOne and Soroush Dalili (@irsdl). LeverOne’s vector was outstanding since it bypassed the parsing itself, which is no easy task. The vector was as follows: for(var i i/'/+alert(location);0)break//') Basically my parser was inserting a semicolon in the wrong place causing a […]
mXSS
Tuesday, 6 May 2014
Mutation XSS was coined by me and Mario Heiderich to describe an XSS vector that is mutated from a safe state into an unsafe unfiltered state. The most common form of mXSS is from incorrect reads of innerHTML. A good example of mXSS was discovered by Mario where the listing element mutated its contents to […]