How do you spell JavaScript again?

So I came across a cool post to hack the new HTML5 parser that Opera is developing, it is awesome that a vendor says hey c’mon look what we’ve done, please try and break our stuff. I couldn’t resist having a go as they asked so nicely and within minutes….


<a href="jav&#65ascript:alert(1)">test1</a>
<a href="jav&#97ascript:alert(1)">test2</a>

That’s not how you spell JavaScript :)

Opera dudes pro tip:-
JavaScript protocol fuzzer

Hackvertor export API

I’ve had requests to create a Hackvertor API to allow you to embed it on your own sites, so I’ve created one. It uses postMessage to communicate and you can set the width, height, top, left and callback for your output. The code looks like this:-


Hackvertor.write({top:'0px',left:'300px',width:'700px',height:'400px', callback:function(str) { document.getElementById('output').value=str; }});

This will write a iframe pointing to the Hackvertor export and the callback will retrieve the output. I’ve done a complete sample to show you how it works:-
Hackvertor export example

The API contains a couple of functions:-
Hackvertor.show() – Shows the Hackvertor window
Hackvertor.hide() – Hides the Hackvertor window
Hackvertor.send(str) – Sends some input to Hackvertor

It still doesn’t work on Chrome correctly yet as there is a minor JSReg issue I need to sort out; I’ll fix that as soon as I’ve got time.
Update: fixed! But anyway enjoy!
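
An added example (not Hackvertor’s own code) of the receiving side of that postMessage exchange, with the origin and type checks a page should do before copying the frame’s output into its own DOM. It assumes a placeholder origin and that the frame posts its output as a plain string.

```javascript
// Added example, not Hackvertor's own code: a receiver for the output that an
// embedded Hackvertor frame posts back via postMessage.

// Placeholder for the origin the Hackvertor iframe is loaded from.
const HACKVERTOR_ORIGIN = 'https://hackvertor.example';

// Build a "message" event handler that only accepts output from the expected
// origin and only accepts string payloads before handing it to the callback.
// Returns true when a message was accepted, false when it was ignored, so the
// decision can be checked without a browser.
function makeOutputHandler(expectedOrigin, callback) {
  return function onMessage(event) {
    // Any page that can get a reference to this window can postMessage to it,
    // so the origin must be compared against the one we embedded.
    if (event.origin !== expectedOrigin) return false;
    // The callback writes into a form field; refuse anything but a string
    // (assumes the frame sends a plain string, not an object).
    if (typeof event.data !== 'string') return false;
    callback(event.data);
    return true;
  };
}

// Sender side: the parent hands input to the frame with an explicit target
// origin, so the text is dropped if the frame has navigated somewhere else.
function sendInput(frameWindow, expectedOrigin, str) {
  frameWindow.postMessage(String(str), expectedOrigin);
}

// Wiring in a real page (window/document only exist in a browser):
// window.addEventListener('message', makeOutputHandler(HACKVERTOR_ORIGIN,
//   function (str) { document.getElementById('output').value = str; }));
```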

XSS Rays extension

You might remember my XSS Rays bookmarklet I developed a while ago, I got nagged by a few of you to fix some things in it. Well it was crappy because it was bookmarklet based so I didn’t bother. Instead I decided to create a Chrome extension and revamp the features. So here it is the awesome XSS Rays!

XSS Rays

Features

Scan

Performs a scan of all forms and links and even crawls each one to a depth you specify (this will open a lot of tabs while it does this). At the moment it only supports GET requests and path injection. You press the extract links button, then select the links you want to inject with the multi-context XSS vector, then click run XSS injector and it will attempt to inject all the links and give you the urls. You can also download them and save the file.

Reverse

This is super awesome, it will attempt to blackbox reverse an XSS filter. Again only GET is supported at the minute (mainly for speed and the fact that most XSS attacks support GET). You choose the site you want to scan by visiting it; a quick shortcut is to already have the param filled in, this way XSS Rays automatically enters it for you. To see how it works:-

1. Visit Mario’s challenge
2. Open XSS Rays and click reverse
3. Click reverse filter and watch the magic happen.

It will give you a report of which characters are allowed, an estimated length guess (pretty accurate unless a site drops a request that exceeds the limit; I estimate to save HTTP requests), which tags are allowed and which attributes :) and finally the characters it converts.

Search

Ever wanted to regex search the dom and event handlers? Well I did that but on steroids. You can enter your regex string to search, the highlight regex which will highlight the results like for example if I wanted to see where in the search results “location” appeared. It will search inline and external scripts and also give you the ability to click the file and edit it in real time.

Source

Will highlight events, charsets etc of the current source code of the page. Useful for quickly viewing the source and events. I have to improve this section and display headers etc.

Inspect window

Here you can traverse user-defined objects. This was tricky because in Chrome hasOwnProperty is broken and isolated worlds in Chrome extensions make it difficult to edit the current window object. You click the object on the left and traverse it if there are any objects inside, then you can click any functions defined inside an object and it will be de-obfuscated and allow you to edit in real time.

Inspect user-defined functions

How on earth do you inspect user defined functions on window? Think about it, if they are not assigned to window like window.x=function(){} then they will not be available inside for..in loops. That didn’t stop me :) I grabbed the source code for each script, scanned for functions defined inside the script, gathered a list of the names, then sent the name to the new function constructor like so:-


for (var i = 0; i < funcs.length; i++) { // funcs: names gathered from the script source
  var funcName = funcs[i];
  var val = '';
  try {
    // Evaluate the bare name in global scope; throws if it is not a global
    val = new Function("return " + funcName)();
    // Discard natives, e.g. a script that merely mentions "close"
    if(/^function\s*\(\)\s*\{\s*\[native code\]\s*\}/.test(val.toString())) {
      val = false;
    }
  } catch(e){}
}

So the new function returns the value if it is global and I do one last check to make sure it isn’t native, like for example if there is a function called close.
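
An added example (not XSS Rays’ own code) of the approach above: scan script text for declared function names, resolve each one against the global object with a fresh Function, and discard natives. The sample script and the trackUser global are constructed for the demonstration; the native check is anchored on the function body because V8 prints the name of native functions, so a pattern expecting "function ()" would miss them.

```javascript
// Added example, not XSS Rays' own code: recover user-defined function names
// from script source and resolve each one in global scope.

// Constructed sample of what a page's inline script might contain.
const SAMPLE_SCRIPT = `
  function trackUser(id) { return id; }
  var helper = function() { return 1; };
  function  validate (input) { return !!input; }
  // function notReal() lives in a comment; a text scan still picks it up
`;

// Text scan for "function <name>(" declarations, returning unique names.
// Not a real parser, so comments and strings give false positives; resolving
// each name afterwards weeds out the ones that do not actually exist.
function findDeclaredFunctionNames(src) {
  const re = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(/g;
  const names = new Set();
  let m;
  while ((m = re.exec(src)) !== null) names.add(m[1]);
  return Array.from(names);
}

// Natives stringify with "[native code]" as their body, and V8 includes the
// name, e.g. "function parseInt() { [native code] }", so match on the body.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Resolve a name the way the post does: "return <name>" in a fresh Function
// sees globals but not the enclosing closure. Returns the value, false for a
// native function, or undefined when the name is not defined.
function resolveGlobal(name) {
  // Only bare identifiers reach the Function constructor, never arbitrary code.
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) return undefined;
  let val;
  try {
    val = new Function('return ' + name)();
  } catch (e) {
    return undefined; // ReferenceError: not a global
  }
  return isNativeFunction(val) ? false : val;
}

// Constructed stand-in for a function the page defined on the global object.
globalThis.trackUser = function trackUser(id) { return 'user:' + id; };

// Map every declared name to what it resolves to in global scope.
function inspectUserFunctions(src) {
  const result = {};
  for (const name of findDeclaredFunctionNames(src)) result[name] = resolveGlobal(name);
  return result;
}
```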

Inject forms

Inject forms does exactly what it says on the tin, it will loop through all the forms on the page and inject a multi-context XSS vector.

Edit forms

Edit forms is cool because it allows you to alter a site’s forms without altering their type; let’s say you have a checkbox. The elements are linked together and you can alter the value, so if the site logic expects a checkbox then it still works.

Extract forms

Will extract all forms and fields on the page and return a url for each.

DOM Input/Output filter

Here you give it a url and param, then some input; it will then inject your input onto the page and scan the DOM for the results, showing you the output. This is useful for creating an interface for testing a client side filtering system.

Jump off a bridge specification

RFC Editor
USC/ISI
Jan 2011

Official Jump off a bridge protocol standards

Status of This Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Table of contents

1. Overview
2. Jump
3. Die

1. Overview

This memo contains a snapshot of the state of jumping off the bridge protocols used in the Internet, as determined by the Internet Engineering Task Force (IETF). It is a 21 January 2011 snapshot of the current official protocol standards list and the Best Current Practice list, which is updated daily and is available from the RFC Editor Web site.

2. Jump

All vendors must now jump off a bridge. The bridge height must be a least 746 ft, a vendor MUST NOT use any type of equipment to prevent certain death. Whilst in the motion of certain death I suggest the following phrase “Arrrrrgggghhh I wish I hadn’t followed this stupid specif…SPLAT.”

3. Die *

You are now dead and have successfully followed the specification.

* This specification is a joke, I am not actually responsible for any Opera developers actually following this specification.

Late meta Christmas present

Something like two years ago I think, I discovered IE had an additional HTML attribute called “CHARSET”, quite convenient as it’s defined in HTML5. This enabled me to bypass a few things using UTF-7. The MSDN documentation was updated to account for this hidden attribute which is pretty cool, so I found something hidden which actually was pretty useful and saved development time because it was already there! See Devs sometimes we are useful :) As usual I discovered it by manual testing and checking mshtml.dll in IDA Pro (demo cause I’m cheap), it looks like this:-


<meta charset="utf-7" />

Anyway there is your late crappy xmas present sorry it was late.

Breaking HTML parsers for fun

I was experimenting with some HTML vectors to break the various HTML parsers in the browsers, I wanted to continue till I found a cool one for Firefox because I like to bully the memory hogging browser as I use it a lot. I found some weird rendering in Firefox, Chrome and Opera. It started off with cdata nodes and different behaviour in IE and Firefox. Firefox didn’t execute my vector but IE did. This was interesting because FF was rendering the cdata inside the attribute.

Even as I write this blog post I find more stuff :) obviously I can’t waste a lot of time on this because the parser is soooo bad there are literally hundreds of possibilities. Anyway I better describe my vectors. So back to the cdata stuff the original vector looked like this:-


<script <![CDATA[>///]]>
alert(1)</script>

I thought (wrongly as you’ll see later) that Firefox was parsing the cdata section and removing its contents like an HTML comment, as the vector didn’t execute. Then I started experimenting, and it got interesting :)


<img <iframe ="1" onerror="alert(1)">
<img <iframe/="1" onerror="alert(1)">

So as we see here the iframe is rendered inside the img tag, you might think so what? But adding the pieces of the puzzle together gives you a different perspective. Combining the knowledge I gained from the cdata rendering, the next vector looked like this.


<![CDATA[<img src="1]]><iframe>">]]>

The iframe is rendered inside a fake attribute as the cdata is rendering it as text. Cool so that’s pretty nice but still a bit obvious. Remember above how I said I thought FF was rendering the cdata? Well now onto the good stuff. It turns out FF is a crazy cat when it comes to cdata. We can render cdata without the traditional markup required for it, this is bad because we can create vectors that break out of attributes.


<![
>
<img src="]><script>alert(1)</script>">

Argh, Firefox renders the cdata tag even though it only begins with ![, the closing ">" is now ignored and only closes when the ]> is encountered.

Weird stuff but still more, I checked my original vector again in Firefox as I was puzzled with the crazy results, then I noticed it had JavaScript syntax errors! I was like WTF. At first I thought there wouldn’t be a way to execute anything because the syntax required was <! which wasn’t valid js to begin a line. Then I modified my vector to include E4X, bingo!


<script<{alert(1)}/></script>

*Update*
This vector was also discovered by Mario (http://heideri.ch/jso/?%3Cscript%3C)

Yes that executes :o it appears that FF doesn’t require a closing “>” to execute script. The E4X node is created as “<undefined />” as the curlies execute JS code and return the result (alert returns undefined). I wasn’t happy, I wanted more ways to execute code, what about E4X processing instructions? That way we can execute JavaScript that appears to start with / but is in fact part of an expression which divides the processing instruction by our function call.


<script<?wtf?>/alert(1)</script>

Finally I thought to myself, what about without E4X? Hmmm, combine an HTML comment inside the script attributes, which will become a one line JS comment (crappy legacy stuff), then I can execute code with a non-closing script tag and an open HTML comment! :)


<script<!--
alert(1)</script>

*Bonus Firefox vector*

<!--<img alt=">1" title="<img src=1 onerror='alert(/love you ff/)'>">

JSReg bypasses

I set a cool Hackvertor challenge on slackers. The idea was to call the function defined in window. There is a perfectly legitimate way of doing this as I discovered the method when I was testing it, instead of fixing it I created the challenge. Stefano Di Paola of course figured it out, nice work :) however something happened that I wasn’t expecting, Soroush Dalili solved the challenge by breaking the sandbox instead! Not just once may I add but twice. This was really awesome on a number of levels and so I awarded him 2000 HV points. I was impressed.

Bypass 1 – RegEx rewrite error


;
b=1/alert('Soroush Dalili Bypass! \n'+window.document.location);alert(window.parent.execTag())
//

So here Soroush cleverly exploits two errors in JSReg. The first is the failure to strip the single line comment, which then fools the regex rule into thinking that the code is a regex object and not function calls. The patch for this is displayed here: I changed the regex not to work in multi-line mode, which successfully removes the single line comment. It isn’t an ideal fix as the regex rule still shouldn’t have matched it as a regex object, but it will work in the short term until I revise the regex code.

Bypass 2 – eval object type hack


b='x='+String([eval])+';window.parent.execTag();'
y=eval([b]);

Another clever trick: the string is placed inside an array. When the eval function was called it used to check the object type; if it was a string then it rewrote the code, otherwise it was assumed to be an already rewritten string. I didn’t expect an array to be used in this context, so this effectively bypassed the sandbox. The fix for this one was to check specifically for a function object or rewrite the string.

I challenged many security researchers to break this sandbox and only a few have succeeded, I admire their skill and dedication. I would like to thank Soroush Dalili for taking the time to break JSReg and show some obvious excellent js sandbox skills.

Preventing social network worms

I woke up yesterday morning and had a sudden flash of inspiration to stop all social network worms. I dunno why I wasn’t even researching them, I’ve no idea how my mind works it’s funny like that. Anyway sometimes I have bad ideas and sometimes they’re good. I like to discuss them all because that’s what an idea is, something to discuss.

The concept, asta la vista wormy

So the concept works like this: you have a social network crawler, client/server side, that acts as a normal user; it could even masquerade as an existing friend. This crawler continuously goes to different accounts with the goal of being exploited. Once the crawler is infected with some XSS code, it proceeds to follow whatever method the attacker uses to propagate the code, but instead of posting an update, adding a friend or updating its profile it logs the results and freezes the originating account.

The special crawler account must look and act like a normal user but normal user functionality is replaced by logging, think of it as a robot administrator I like to call them Terminators. Depending on the type of social network you could either prevent all new updates from happening until the flaw is closed or simply crawl the history of that user until all have been enumerated and repeat.

Crawling intervals could be changed depending on your requirements and you could specifically target accounts to crawl for example “user a” is posting 3 updates every minute or “user b” friend count is increasing every x minutes etc you get the idea.

Once the terminator encounters an infected account it is effectively mission accomplished as the site has an XSS worm, but importantly you have some vital information: you know which page the infection occurred on, the account it originated from and the method used to infect. I’d disable the site functionality here and place a maintenance message or something. You could continue crawling and try and find more infected accounts but you are always fighting against the time your crawler(s) takes to enumerate all accounts.

You may have noticed that I said “masquerade as an existing friend” this is because I already thought of a way to bypass detection by using worm code to detect if the crawler is a valid account or not. You need to make sure that these crawler accounts appear to be real in every way.

To create a crawler server side you’d need to use a server side JS parser and browser environment; depending on the complexity of your site you might find it easier to create a network of VMs and Selenium and run everything client side. Designing a crawler user account would also have to be done carefully: each operation needs to be intercepted and logged, the account itself shouldn’t be able to authenticate, and even if compromised it shouldn’t allow any operation other than to freeze the account it was compromised from.

I HEREBY PLACE THIS IDEA IN THE PUBLIC DOMAIN

New Hackvertor upgrade

It’s been a while for a Hackvertor update, you might have noticed that the old one hasn’t changed in a while. This is because I’ve finally moved it over to the new one with a bunch of new features. I’ll give you a rundown of the new tags and features I’ve added. I still have to create the DOM integration using my DOM api I wrote a while ago but this shouldn’t be long, it will allow cool things like building Hackvertor apps that become part of the interface and create real time stuff like IM clients that read current logged in users. In other words Facebook for Hackers.

New features

Natural language conversion

Sometimes it’s a pain to add tags or find which ones you’re after so I decided to create a simple natural language processor that allows commands like “Convert this to hex then octal and hash it with md5” and it will build the tags for you. You type into the natural language conversion box, then enter some input, select the input if you like, then instead of clicking the normal convert button you click the one in the natural language box. Other sample sentences include: “decode hex”, “decode but I can’t remember what it is”, “please hash it with md5” you get the idea.

New tags

Unicode character lookup is pretty cool:-
Enter some input and click unicode_lookup in web services and it will show information about the character. demo

Perform js code on each piece of a string, this replaces the old functionality of hex2dec etc
JS str

Dom injection generator, takes the allowed characters inside the tag and builds a dom injection based on those characters:-
Dom generator

Find the coordinates of a location:-
Find cords

More of this stuff in the new “web services section”.

I’ve also started to create a SQLi section thanks to @lighos’s excellent SQLi cheatsheet

Execute some code

There is also a new “execute” section which will call ideone’s excellent API and execute code in various languages like assembler, perl, php, python, smalltalk, scheme even whitespace if you must.

PHP
Assembly

Javascript console features

I’ve also upgraded the inspector to use my astalanumerator along with a new button to “execute fresh javascript”; this will allow you to call some javascript without retaining any variables that you have created. The output console will also keep a history of any javascript or html you’ve executed and save it to localStorage; this can be accessed by using the “<” and “>” to go forward and backwards in your history, pretty cool if you’ve copied and pasted something but the browser crashes or you forget to save it. It can be cleared by using the “clear history” button.

There are other new tags but I didn’t really want the blog post to go on forever, oh and if you think something is missing from the old one instead of moaning at me why not write the functionality back :P create some tags!

String replace JavaScript bad design

After using JavaScript for a while one of the worst parts I found was the String.replace function. When I realized it’s behaviour I thought to myself someone is going to use this wrong. The function itself is excellent, I use it all the time as you could probably tell with my code. It is far better than some other languages with the ability to use strings/regexes and provide a function callback for the replacement.

But…its default behaviour is designed badly. When using replace most developers assume it works in global mode and the characters you intend to replace will all be replaced. Consider the following pitfall:-


alert(':::'.replace(':',''));//only one : is replaced!

What do you expect? No colons? You are not alone. Unfortunately by default replace assumes you only want to replace one character. Don’t ask me why.

To counteract this Mozilla decided to add a third argument! This is even worse! It makes it even more confusing. Now we have a function that accepts three arguments: first a string/regex, second a string/function and third a flag for the string replacement. We then have a situation where the replacement is global on Firefox and not on every other browser and, to top it off, if you use the third flag with a regexp then the regexp won’t of course be global, thus adding yet more confusion!


alert(':::'.replace(':','','g'));//replaces all ":" on Firefox but not on other browsers
alert(':::'.replace(/:/,'','g'));//replaces one ":" as the flag only works for strings.

A huge mess I’m sure you’ll agree, IMO the replace function should work globally by default for string arguments with the option to match only once if for some crazy reason it is needed.

The correct way of doing a global replacement is to use regexes because strings don’t even allow you to do a global replacement on all browsers!


alert(':::'.replace(/:/g,''));//The correct way
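
An added example, not from the original post, showing the pitfall at the point where it turns into a security bug: an HTML escaper built with string patterns beside one built with global regexes (the sample input is constructed).

```javascript
// Added example, not from the original post: the non-global replace pitfall
// applied to an HTML escaper.

// Broken: a string pattern replaces only the first match, so every occurrence
// after the first survives as live markup.
function escapeHtmlBroken(s) {
  return s.replace('&', '&amp;')
          .replace('<', '&lt;')
          .replace('>', '&gt;')
          .replace('"', '&quot;');
}

// Correct: a regex with the g flag replaces every occurrence. '&' goes first
// so the entities introduced by the later steps are not escaped twice.
function escapeHtmlFixed(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

// Count the characters that are still live markup after escaping; a correct
// escaper returns 0 for any input.
function countUnescaped(s) {
  return (s.match(/[<>"]/g) || []).length;
}

// Constructed input with more than one of each special character.
const SAMPLE_INPUT = '<b>x</b> & "y" <i>z</i>';
```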

Finally here is a patch that you can use to prevent your developers making the same mistakes a certain social network made.

String.prototype.replace = (function(r){
  return function(find, replace, replaceOnce) {
    if(typeof find == 'string' && !replaceOnce) {
      // Escape every regex metacharacter (including |, which the first version
      // missed) so the string is matched literally, then make it global
      find = r.apply(find, [/[\[\]^$*+.?(){}|\\\-]/g, function(c) { return '\\'+c; }]);
      find = new RegExp(find, 'g');
    } else if(find instanceof RegExp && !replaceOnce && !find.global) {
      // Rebuild the regex with the g flag but keep its other flags (i, m)
      var flags = 'g' + (find.ignoreCase ? 'i' : '') + (find.multiline ? 'm' : '');
      find = new RegExp(find.source, flags);
    }
    return r.apply(this, [find, replace]);
  }
})(String.prototype.replace);
alert('aaaabbbbb'.replace(/a/,'')) // now removes every "a"