Archives for the ‘xss’ Category
Well it seems that Firefox 2.0.0.14 has provided the most interesting results with my protocol fuzzer. Char: 56320, link: jav�ascript: Char: 56321, link: jav�ascript: Char: 56322, link: jav�ascript: Char: 56323, link: jav�ascript: Char: 56324, link: jav�ascript: Char: 56325, link: jav�ascript: All the way to: Char: 57343, link: jav�ascript: and hex entities […]
XSS tag fuzzer
Wednesday, 18 June 2008
It’s been a while since I’ve blogged but I’m pretty busy at the moment with my new baby and also moving jobs as I was made redundant. I thought I’d combine my work with my blogging as I’m working on some XSS vectors for IE8. During the process I built a simple tag fuzzer which […]
Firefox applet fun
Tuesday, 20 May 2008
I’ve been hacking the PHPIDS recently and I wanted a pure XSS vector, not just script execution, so I decided to experiment with the applet tag because it sneaks past the malicious tag detection. I thought to myself, I wonder if it accepts the type attribute like the object tag does... <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html> That […]
Firefox javascript sandboxing
Friday, 22 February 2008
As a technical challenge, and maybe in future to allow Hackvertor to execute javascript code from the user, I decided to create a javascript sandbox. It works by first running the code through a new Function constructor and toSource; the reason for this is that Firefox actually converts the code supplied, e.g. ‘te\st’ becomes ‘test’ […]
Moz-binding XSS fun
Monday, 4 February 2008
CSS supports hex encoding within styles as well as html entities, but did you know you could combine them both? I didn’t. To construct an attack similar to the one displayed below you first need to convert your CSS property to hex, so -moz-binding becomes: \2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67, notice there is no “x” prefix or double zeros like […]
Code morphing
Monday, 21 January 2008
I’ve been working on a small project with the eventual goal of producing random morphing javascript. It’s still early stages at the moment but I thought I’d release it now because then I might get some motivation to improve it. I plan to add this functionality into Hackvertor as well as Spambam in future. At […]
Hackvertor update
Thursday, 17 January 2008
Future plans
I’ve done a big change in the Hackvertor code to pave the way for some new features. In future I plan to create a web service where we can create/share Hackvertor tags for free. This will enable custom versions of Hackvertor for a specific task, for example we could have a SQL injection […]
Valid Javascript variables
Sunday, 13 January 2008
I’ve put together a simple script which will use the Javascript parser to find a list of valid variables. This information is useful to know when testing XSS filters or malicious javascript detection. Using these unusual variables I’ve managed to slip Javascript past some very clever filters including the PHPIDS and Noscript. Check it out […]
DOM for hackers
Wednesday, 9 January 2008
It’s amazing the stuff I’ve been finding recently; my browser has crashed more times than windoze. In this article I’ll introduce you to using the DOM for unexpected things and hacking it to your advantage. I’ve learned all this new stuff while hacking vectors for the slackers XSS contest, which is really fun. Contents […]
Self replicating source
Monday, 7 January 2008
I’ve been having a lot of fun with the sla.ckers XSS replication contest and I found a cool way to replicate the source code of the html document which I haven’t seen anywhere before. Check it out: alert(document.body.parentNode.innerHTML) This alerts the entire HTML document in Firefox (hopefully IE7 as well), which is pretty cool 🙂 Here […]