Archives for the ‘xss’ Category

HTML scriptless attacks

Following up on @lcamtuf’s post about a “post xss” world, I thought I’d chip in with some vectors he missed. The textarea consumption technique he mentioned isn’t new and wasn’t invented by “Eric Y. Chen, Sergey Gorbaty, Astha Singhal, and Colin Jackson”; it was openly discussed on sla.ckers for many years (as usual) but anyway […]

staticHTML property

The static HTML property allows you to get/set filtered HTML directly on the DOM object you’re using. The browser vendors don’t support this property yet; IE has a toStaticHTML function and Firefox, via the NoScript plugin, emulates toStaticHTML but doesn’t allow you to set/get directly, so I decided to create a JavaScript version that can […]

Protecting against XSS

The problem as I see it. Where to start? Let me start by telling you that most of the books you read are wrong. The code samples you copy off the internet to do a specific task are wrong (the wrong way to handle a GET request), the function you copied from that work colleague […]

Blog fight round two

Thanks Pádraic. So I hope you’ve enjoyed our blog fight between me and Pádraic Brady. I sense a lack of a sense of humour in his last post 🙁 his blanket claims that regex HTML validation sucks were obviously unjustified. Anyway, I was waiting for a cool XSS hole in HTMLReg from him, it never […]

Regex HTML Sanitisation can work

Dear Pádraic Brady, I have not received any emails with any exploits. I am disappointed; I want my HTML regex sanitiser to be broken please. Apparently you can find 2-5 vulnerabilities per solution so please execute XSS in my regex. Thanks! I’ll be very impressed if you do and I will promise to dedicate a […]

XSS Rays extension

You might remember my XSS Rays bookmarklet I developed a while ago. I got nagged by a few of you to fix some things in it. Well, it was crappy because it was bookmarklet based so I didn’t bother. Instead I decided to create a Chrome extension and revamp the features. So here it is […]

Late meta Christmas present

Something like two years ago, I think, I discovered IE had an additional HTML attribute called “CHARSET”, quite convenient as it’s defined in HTML5. This enabled me to bypass a few things using UTF-7. The MSDN documentation was updated to account for this hidden attribute which is pretty cool, so I found something hidden which […]

Breaking HTML parsers for fun

I was experimenting with some HTML vectors to break the various HTML parsers in the browsers, I wanted to continue till I found a cool one for Firefox because I like to bully the memory hogging browser as I use it a lot. I found some weird rendering in Firefox, Chrome and Opera. It started […]

String replace JavaScript bad design

After using JavaScript for a while, one of the worst parts I found was the String.replace function. When I realized its behaviour I thought to myself someone is going to use this wrong. The function itself is excellent, I use it all the time as you could probably tell with my code. It is far […]

XSS Zones

One of the impossible problems of the web is how do you protect against a site that has a persistent XSS hole yet requires JavaScript to function. I thought about this for a while and worked out you could create an XSS zone where you expect user input. Declaring a zone is tricky because if you […]