Archives for the ‘xss’ Category

onreadystatechange

I like this event, it’s pretty cool. The reason why it’s interesting from an XSS perspective is that it is executed automatically without user interaction. This is rare in the XSS playground; usually you have to use onerror, onload or onfocus events, and they only work in certain circumstances. I’d better mention that the event […]

XSS Rays

I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development process to make […]

HTML5 XSS

I did a couple of vectors for PHPIDS recently and I was experimenting with Firefox 3.1 beta and the new HTML5 tags. I found the audio and video tags could be used for XSS; I’m sure there are others too. The vectors are quite cool because they’re executed automatically within an onload or onerror event. (Originally […]

I know what your friends did last summer

I did report this to Twitter a few weeks ago, but now that Chris Heilmann has let the cat out of the bag I’ll post my repro now. Basically Twitter JSON security is leaking data; the JSON feeds that are publicly available shouldn’t be IMO, or at least should be protected using known methods. So if you […]

PHPIDS bypass

I haven’t hacked the PHPIDS for a while but David Lindsay (AKA Thornmaker) inspired me. When I say hacked I mean in a good way because finding bypasses helps improve the filters 🙂 Here is my vector:- /Please submit the string\ to help us make the \ PHPIDS better./,y=('aler\ t'),x=this,x=x[y] x('I cant let you have […]

Location based XSS attacks

The basic attack: Using the hash portion of the location is a good way to beat filters, as anything sent via the hash is not sent to the server in question. We can use a large amount of data which is hidden from the server-side filters and combine it with data sent on the server. […]

To infinity and beyond!

I’m still heavily researching Javascript in search of XSS vectors and interesting syntax. I’ve found loads of cool stuff recently and, while looking through the ECMA spec, I came across the Infinity object, which is a global and a number. Of course I was already aware of it, but I thought what kind of interesting […]

XSS is art

I had a bet with a friend of mine, David Lindsay aka Thornmaker. Basically we said the first one to get an XSS vector on phpids buys a beer at Bluehat 🙂 I haven’t had much time to do this because I’ve been pretty busy, but over the last few days in my spare time […]

E4X for hackers

If you’ve not been following my sla.ckers thread on unusual javascript then you’re missing out. My idea was to gather interesting, weird and wonderful javascript tricks which are useful for filter evasion and coding. I investigated E4X quite a lot for this purpose and found a few cool things that I’ll share with you. Using […]

New XSS vector

Yes, an XSS post again. I’m sorry 🙂 I’ve been having fun testing some really good filters (some of the best in the business IMO). I found a vector that isn’t on rsnake’s cheat sheet. Check it out:- Only works on IE <isindex type=image src=1 onerror=alert(1)> Because IE treats the isindex element (a very old […]