Archives for the ‘Security’ Category

Java Serialization

In this post I will explore Java serialized applets and how they can be used for XSS. A serialized applet contains code that can be easily stored and loaded. Java supports an attribute called “object” which accepts a URL to a serialized class file; this allows us to load applets of our choosing, provided they […]

Bypassing the XSS filter using function reassignment

The XSS filter introduced in IE8 is a really powerful defence against XSS. I tested the filter for a number of years and found various bypasses, one of which I would like to share with you now. You can read more about the filter and its goal in the following blog post. Scope There have […]

Sandboxed jQuery

My new personal challenge was to get jQuery working correctly in a sandboxed environment; this proved to be really tricky. The first problem I encountered was that my fake DOM environment wasn’t returning the correct value for nodeType on the document element, which made jQuery assume another state and broke selectors. I ensured the DOM environment […]

X-Domain scroll detection on IE using focus

This is a pretty cool bug. I use the focus event on an iframe to detect if the iframe has been scrolled x-domain. This works because IE fires the onfocus event of the iframe when the scroll occurs. This means that using one network request we can discover if a site contains a particular id, provided the […]

Epic fail IE

gaz: omg more epic fail in IE 😀 larry: huh? 😀 gaz: what is “A” in IE compat? larry: hm A? gaz: no larry: ? gaz: lol ? larry: NUL ? gaz: A –> ? A –> A larry: ah! out of bounds I get it gaz: what is this in IE compat: &#x41 larry: […]

new operator

I was playing around with new operators when I noticed something cool and unexpected. If you return a function, the new operator will not create a new object instance but instead returns that function. This means that stuff like: new new new new new new function f(){return f} is perfectly valid code. That made me […]

Decoding complex non-alphanumeric JavaScript

@fkadev challenged me to decode some complex non-alpha. See here http://t.co/z7lWyIu5ka. Luckily the techniques I’ve used previously, such as monitoring the Function constructor calls, would work in a sandboxed environment. I will walk you through how I did it. Hackvertor runs on an older sandbox I created called JSReg, which runs much slower than Mental […]

Hacking Firefox

I was playing with Firefox to see what crashes it and thought SVG might be a good place to look. I tried combinations of all elements nested together and came across problems with script. <script>str='';for(i=0;i<0xefff;i++){str+='<script>AAAAAA';};document.write('<svg>'+str+'</svg>');</script> This causes a complete crash in Firefox, but is it only a DoS? It appears so. I booted up windbg…stack […]

DOM Clobbering

The DOM is a mess. In an effort to support legacy quick shortcuts such as “form.name” etc., the browsers have created a Frankenstein monster. This is well known of course, but I just wonder how far the rabbit hole goes. I’m gonna share what I discovered over the years. HTML Collections First up is […]

Bypassing XSS Auditor

I had a look at XSS Auditor for a bit of fun because Mario said it’s getting harder to bypass. Hmmm, I don’t agree. I seem to remember the same flaws are present from the last time I checked it, with a little variation. It is also a very limited XSS filter, not supporting detection […]