In this post I will explore Java serialized applets and how they can be used for XSS. A serialized applet contains code that can be easily stored and loaded. Java supports an attribute called “object” which accepts a URL to a serialized class file; this allows us to load applets of our choosing provided they […]
Archives for the ‘Security’ Category
Bypassing the XSS filter using function reassignment
Monday, 7 April 2014
The XSS filter introduced in IE8 is a really powerful defence against XSS. I tested the filter for a number of years and found various bypasses, one of which I would like to share with you now. You can read more about the filter and its goal in the following blog post. Scope There have […]
Sandboxed jQuery
Wednesday, 12 February 2014
My new personal challenge was to get jQuery working correctly in a sandboxed environment, and this proved to be really tricky. The first problem I encountered was that my fake DOM environment wasn’t returning the correct value for nodeType on the document element, which made jQuery assume another state and broke selectors. I ensured the DOM environment […]
X-Domain scroll detection on IE using focus
Wednesday, 11 December 2013
This is a pretty cool bug. I use the focus event on an iframe to detect if the iframe has been scrolled cross-domain. This works because IE fires the onfocus event of the iframe when the scroll occurs. This means that with one network request we can discover if a site contains a particular id provided the […]
Epic fail IE
Friday, 8 November 2013
gaz: omg more epic fail in IE 😀
larry: huh? 😀
gaz: what is “A” in IE compat?
larry: hm A?
gaz: no
larry: ?
gaz: lol ?
larry: NUL ?
gaz: A –> ? A –> A
larry: ah! out of bounds I get it
gaz: what is this in IE compat: A
larry: […]
new operator
Wednesday, 23 October 2013
I was playing around with the new operator when I noticed something cool and unexpected. If a constructor returns a function, the new operator will not hand back the newly created object instance but instead returns that function. This means that code like: new new new new new new function f(){return f} is perfectly valid. That made me […]
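The behaviour described above, as an added example that is not code from the original post: `new` yields the constructor's return value only when that value is an object (and a function is an object); any primitive return is discarded and the fresh instance comes back. The `Ctor`, `newResultKind` and `chainNew` names are my own; `chainNew` rebuilds the chained `new new ... function f(){return f}` trick with an explicit depth and a call counter so you can see that every `new` invokes f once and gets f straight back.

```javascript
// Added example (not from the original post): how `new` treats a
// constructor's return value. The rule: if the constructor returns an
// object (functions are objects), `new` yields that object; any other
// return value is discarded and the freshly created instance is returned.

function Ctor(returnValue) {
  this.fresh = true;            // marks the instance that `new` allocated
  return returnValue;           // may or may not override the result
}

// Classify what `new Ctor(v)` hands back for a given return value.
function newResultKind(returnValue) {
  const result = new Ctor(returnValue);
  if (result instanceof Ctor && result.fresh === true) return "instance";
  if (typeof result === "function") return "function";
  return "object";
}

// Rebuild `new new new ... function f(){return f}` with an explicit depth
// and count how many times f runs: each `new` calls f once and, because f
// returns a function, `new` evaluates to f itself rather than a new object.
function chainNew(depth) {
  let calls = 0;
  function f() { calls++; return f; }
  let current = f;
  for (let i = 0; i < depth; i++) current = new current();
  return { calls, sameFunction: current === f };
}
```

Note that `null` counts as a primitive here: `new Ctor(null)` still returns the instance, since the object check is on the type, not on `typeof`.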
Decoding complex non-alphanumeric JavaScript
Wednesday, 18 September 2013
@fkadev challenged me to decode some complex non-alpha. See here http://t.co/z7lWyIu5ka. Luckily the techniques I’ve used previously, such as monitoring the Function constructor calls, would work in a sandboxed environment. I will walk you through how I did it. Hackvertor runs on an older sandbox I created called JSReg which runs much slower than Mental […]
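The "monitoring the Function constructor calls" technique mentioned above, as an added example that is not the Hackvertor or JSReg code the post refers to. Non-alphanumeric payloads rarely name `Function` directly; they reach it through something like `[]["filter"]["constructor"]`, which resolves via `Function.prototype.constructor`, so replacing that property (and the global) with a logging wrapper catches the decoded source before it runs. The `captureFunctionBodies` helper and the `samplePayload` input are my own constructions; the sample builds its property names at run time and compiles an inner body from the outer one to show that nested layers are captured as well.

```javascript
// Added example (not the Hackvertor/JSReg code the post refers to): capture
// the source that obfuscated JavaScript feeds to the Function constructor.
// Payloads usually reach Function indirectly, e.g. via
// []["filter"]["constructor"], which resolves through
// Function.prototype.constructor, so hooking that property is enough.

const RealFunction = Function;

// Run `payload` with Function hooked, restore the originals afterwards, and
// return every body string that was compiled plus the payload's result.
// Inner layers (a body that itself calls Function) are captured too, because
// the hook stays in place while the payload runs.
function captureFunctionBodies(payload) {
  const bodies = [];
  const hooked = function (...args) {
    bodies.push(args[args.length - 1]);      // last argument is the body
    return RealFunction(...args);            // compile as normal
  };
  hooked.prototype = RealFunction.prototype; // keep `instanceof Function` working
  globalThis.Function = hooked;
  RealFunction.prototype.constructor = hooked;
  let result;
  try {
    result = payload();
  } finally {
    globalThis.Function = RealFunction;
    RealFunction.prototype.constructor = RealFunction;
  }
  return { result, bodies };
}

// Constructed sample payload: the property names are assembled at run time so
// no "Function" identifier appears, and the outer body compiles an inner one.
function samplePayload() {
  const F = []["fil" + "ter"]["constr" + "uctor"];
  return F("return []['filter']['constructor']('return 6*7')()")();
}
```

Running `captureFunctionBodies(samplePayload)` records both layers, the outer wrapper body and the inner `return 6*7`, while the payload still evaluates to 42; in a real decode you would stop after logging rather than let the final layer execute.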
Hacking Firefox
Friday, 26 July 2013
I was playing with Firefox to see what crashes it and thought SVG might be a good place to look. I tried combinations of all elements nested together and came across problems with script. <script>str='';for(i=0;i<0xefff;i++){str+='<script>AAAAAA';};document.write('<svg>'+str+'</svg>');</script> This causes a complete crash in Firefox but is it only a DoS? It appears so. I booted up windbg…stack […]
DOM Clobbering
Thursday, 16 May 2013
The DOM is a mess. In an effort to support legacy quick shortcuts such as “form.name”, browsers have created a Frankenstein monster. This is well known of course, but I just wonder how far the rabbit hole goes. I’m going to share what I discovered over the years. HTML Collections First up is […]
Bypassing XSS Auditor
Tuesday, 19 February 2013
I had a look at XSS Auditor for a bit of fun because Mario said it’s getting harder to bypass. Hmmm, I don’t agree. I seem to remember the same flaws are present from the last time I checked it, with a little variation. It is also a very limited XSS filter, not supporting detection […]