I set myself a fun challenge to create a vector that would execute in many contexts. The idea being that it should work regardless where it’s placed. For example: "xss" 'xss' <tag alt="xss"> As an added challenge I tried to execute only the one payload and where possible to use a single eval. I had […]
Archives for the ‘xss’ Category
Regular expression sandboxing
Wednesday, 5 May 2010
Birth of the regex sandbox I decided today to do a proper blog post to explain my reasons for creating regex sandboxes. I don’t often write a lot of words on this blog partly because I’m not very good at making long meaningful sentences and partly because I think the point can often be made […]
DOM CSS fight at the O.K. Corral
Tuesday, 27 April 2010
I’ve been having a bit of a fight with DOM CSS. Single css rules in various browsers are carried over to two or more rules in some instances depending which characters you use. This was playing havoc on my HTMLReg sandbox, I whitelist allowed rules so I can’t allow rules to be injected. The IE […]
Facebook sandbox escape
Friday, 29 January 2010
My friend mario (he who never blogs) found XSS in facebook a couple of times. This tempted me to look at their sandbox, I didn’t register for an account but just tried breaking their FBML console. They have their own FBML (Facebook markup language) which is just a basic HTML/CSS and a separate Javascript sandbox […]
HTML5 new XSS vectors
Sunday, 6 December 2009
So I posted some new XSS vectors on twitter and I thought I’d share them on the blog in case anyone missed them. Safari, Chrome and Opera all support these now :) We have a brand new way of auto executing XSS. Normally when you find an XSS hole within an input element that has […]
Twitter misidentifying context
Monday, 23 November 2009
This is an important post for me, not because it’s ground breaking but people don’t seem to get this when using data in certain context. If you are a dev please read this and read it until you understand it because if you misidentify context you fail and you fail pretty badly. I reported this […]
Bypassing CSP for fun, no profit
Monday, 23 November 2009
I had fun at Confidence 2.0 CON, I’m gonna blog about the stuff I was holding back now :) So I figured how to bypass CSP with UTF-7 and JSON. Basically any site with a JSON feed that can be manipulated by an attacker (reflective or persistent) can be injected with even in a correctly […]
CSP – Mozilla content security policy
Tuesday, 23 June 2009
This is my cup of tea, a whole new way to prevent XSS and related attacks. I’ve been looking at the specification and I like the core of the policy preventing external scripts, eval etc. But reading it I started to think of ways around it because it’s fun :) Meta tag The meta tag […]
New PHPIDS vector
Monday, 1 June 2009
No new PHPIDS vectors for a while? So I thought I’d write a new one as I had 5 minutes spare while drinking my coffee. I used a new technique (as far as I’m aware) to make things easier :) A very old feature in IE is to allow events to be declared as vbscript […]
Opera XSS vectors
Friday, 8 May 2009
It turns out I was right. Originally I thought the protocols reported by my javascript fuzzer were false positives but, like lots of my code, it seems to know better than me :) I tested the context of the vectors in a normal HTML link which didn’t work correctly. But I was messing with […]