Firefox javascript sandboxing

As a technical challenge, and perhaps in future to allow Hackvertor to execute javascript code supplied by the user, I decided to create a javascript sandbox.

It works by first running the code through a new Function constructor and toSource; the reason for this is that Firefox normalises the code supplied, e.g. ‘te\st’ becomes ‘test’. A private function is then created to handle the supplied code: it loops through the global objects and assigns each of them as a local variable to remove dangerous functions. Underscores are removed from the code because I found it impossible to secure __parent__, as it cannot be redefined. The global Function and its constructor are overwritten to prevent access to new Function() calls.

Giorgio Maone found some excellent holes in my code which hopefully I’ve fixed now. Giorgio makes the excellent noscript, simply the best Firefox extension on the net! Thanks Giorgio :)

Update…

Waldo on the slackers forum found some excellent vectors to slip through the sandbox. I’ve updated the script to take into account that there are millions of ways to return to the window object in Javascript. This time I’ve changed the sandbox to nullify the actual window object properties and restore them when the sandbox is run. Big thanks to Waldo for the awesome stuff; more of his sandbox breaking (for Facebook) can be viewed here.
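To show the “assign every global to a local variable” step in working code, here is an added illustration written for Node.js rather than Firefox. It is not the post’s sandbox and not a safe sandbox; it only demonstrates the shadowing mechanism, and the post’s own update records that other routes back to the global object exist. The function names (globalNames, makeShadowedFunction) are my own.

```javascript
// Added illustration (not the post's sandbox) of shadowing every global with
// a local parameter. Assumes Node.js (globalThis, Function). Demonstration of
// the mechanism only, not a safe sandbox.

// Every own property of the global object whose name can be a parameter name.
// In the browser version this list would come from the window object.
function globalNames() {
  return Object.getOwnPropertyNames(globalThis)
    .filter(n => /^[A-Za-z_$][\w$]*$/.test(n));
}

function makeShadowedFunction(code) {
  // As in the post, pass the code through `new Function` first. This also
  // rejects unbalanced braces, so the code cannot close the wrapper early.
  new Function(code);

  // Wrap the code in a function whose parameters carry the names of all
  // globals; inside it, `process`, `Function`, `setTimeout` etc. resolve to
  // those (undefined) parameters instead of the real objects.
  const params = globalNames().join(', ');
  const build = new Function('return function (' + params + ') {\n' + code + '\n};');
  const shadowed = build();

  // `this` is a null-prototype object rather than the global object. Routes
  // back to the real globals through other objects (the post's update) are
  // not closed here.
  return () => shadowed.apply(Object.create(null), []);
}
```

Calling makeShadowedFunction('return typeof process')() returns 'undefined', while plain arithmetic inside the code still works; a syntactically incomplete body throws at the first `new Function` step rather than escaping the wrapper.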

So join in the fun and see if you can execute code:-
Firefox sandbox

Submit any alert executions here

Hackvertlets

I thought about adding basic bookmarklets to Hackvertor, but then I had an idea... wouldn’t it be cool if you could create your own? :) This simple yet powerful feature allows you to perform a Hackvertor conversion on any text from any web page. This means you can convert a selection of text to hex entities, a urlencoded string, base64, or all of them at once if you like!

How to create

1. Click the Hackvertlet button (Make sure there’s no text in the input box)
2. Choose the tags you would like to perform the conversions.
3. Click the Hackvertlet button again.
4. Give the Hackvertlet a descriptive name like “urlencode”
5. Drag the link to your bookmarks.

So what are you waiting for? Go and make your life easier with Hackvertlets:-
Hackvertor

Please note I’ve designed this for Firefox only.

Hackvertor fixes

Simplicity is always the best policy

I’ve finally and completely (I hope) fixed nested tags. This was an absolute nightmare to solve because the engine kept matching the wrong sets of tags. For example if you placed the following tags in Hackvertor:-

<hex_ent><hex_ent>test</hex_ent></hex_ent>

Hackvertor wouldn’t know which one it should convert first. The proper way to solve the problem would be to match the first closing tag and look backwards with a regular expression to find the nearest opening tag, but... Javascript doesn’t support lookbehind correctly. I tried numerous regular expressions to solve this problem and today I just thought to myself that there must be an easier way... I was right :) Simply appending a unique number to each tag makes every tag different and therefore solves the problem. The result:-
Multiple tags
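As an added example (not Hackvertor’s own code), here is how the unique-number fix resolves nested tags: each open/close pair is numbered in one pass, then innermost pairs are converted first. The two converters and the helper names are constructed for this example.

```javascript
// Added example, not Hackvertor's own code: number each tag pair, then
// convert innermost pairs first. Converters are constructed for the example.

const converters = {
  // Hackvertor-style hex entities: each character becomes &#xHH;
  hex_ent: s => Array.from(s, c => '&#x' + c.codePointAt(0).toString(16) + ';').join(''),
  urlencode: s => encodeURIComponent(s),
};

// Pass 1: <hex_ent><hex_ent>x</hex_ent></hex_ent> becomes
// <hex_ent_1><hex_ent_2>x</hex_ent_2></hex_ent_1>. A stack pairs each
// closing tag with the most recent unmatched opening tag of the same name.
function numberTags(input) {
  const stack = [];
  let counter = 0;
  const numbered = input.replace(/<(\/?)(\w+)>/g, (tag, close, name) => {
    if (!close) {
      counter += 1;
      stack.push({ name, id: counter });
      return '<' + name + '_' + counter + '>';
    }
    const open = stack.pop();
    if (!open || open.name !== name) {
      throw new Error('mismatched closing tag ' + tag);
    }
    return '</' + name + '_' + open.id + '>';
  });
  if (stack.length > 0) throw new Error('unclosed tag ' + stack[stack.length - 1].name);
  return numbered;
}

// Pass 2: repeatedly convert an innermost pair. The backreferences \1 and \2
// only match a closing tag with the same name AND number, and [^<]* ensures
// the content holds no further tags.
function convertTags(input) {
  let text = numberTags(input);
  const innermost = /<(\w+)_(\d+)>([^<]*)<\/\1_\2>/;
  let m;
  while ((m = innermost.exec(text)) !== null) {
    const convert = converters[m[1]];
    if (!convert) throw new Error('unknown tag ' + m[1]);
    text = text.slice(0, m.index) + convert(m[3]) + text.slice(m.index + m[0].length);
  }
  return text;
}
```

convertTags('<hex_ent><hex_ent>test</hex_ent></hex_ent>') hex-encodes “test” and then hex-encodes the resulting entity string again, which is exactly the double conversion the unnumbered tags could not express; mismatched or unclosed tags throw instead of being silently matched with the wrong partner.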

IE fix

Internet Explorer now supports the base64 encoding functions and URLs. I thought this was already the case, but it turns out that the base64 code I added was missing a few things. I’ve fixed it now, so they should work fine in IE.

More vectors

I recently discovered that you can use zero spaced named entities in Javascript (when in a url). I thought it would be a good idea to add them into Hackvertor, so here you go:-
Zero spaced entities

Total Recall No Javascript

My friend Ronald has an excellent post where he uses XML to gather entities from the various extensions to check if they are installed. Awesome stuff! The problem though is that it requires Javascript to be successful. I wanted a way to check any extension even if Javascript was disabled or noscript installed. The following POC detects noscript even when you have marked a site as untrusted.

Check the POC here (detects just noscript at the moment):-
Total Recall noscript

Source

kuza55 (Alex) also did a great POC with CSS:-
CSS extension detect

CSRF chat

You may think that adding tokens to your forms will completely protect you from CSRF; you’d be wrong. I’ve shown in previous blog entries how you can use CSS overlays to bypass tokens. I decided to create a real world example which uses these techniques to create something cool: the world’s first CSRF chat! I got a couple of friends to try it out on various browsers and we could successfully communicate in pretty much real time.

Try it out here:-
CSRF chat

The technique uses delicious as a central hub to store the chat data, using a bookmarked url as a username and the description as chat data. A login is performed first using a hidden iframe, with one delicious account shared between chat users. Another iframe is then used to load the messages; using the JSON that delicious provides, the chat data is then displayed. Confirmation is required because delicious uses tokens, so I simply overlay the request using yet another iframe which displays the save button from the delicious web site.

Big thanks to David, Ronald, Mario and everyone else who helped test the chat room.

Moz-binding XSS fun

CSS supports hex encoding within styles as well as html entities, but did you know you could combine them both? I didn’t. To construct an attack similar to the one displayed below you first need to convert your CSS property to hex, so -moz-binding becomes: \2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67. Notice there is no “x” prefix or double zeros like you would see in HTML entities or Javascript Unicode escapes. The link contains a Hackvertor URL to help you with the conversion.

You can do the same conversion on the value of the property, so the url of the moz-binding payload: //businessinfo.co.uk/labs/xbl/xbl.xml#xss becomes: \2f\2f\62\75\73\69\6e\65\73\73\69\6e\66\6f\2e\63\6f\2e\75\6b\2f\6c\61\62\73\2f\78\62\6c\2f\78\62\6c\2e\78\6d\6c\23\78\73\73

I hope you’re following so far; we can now take the property string and encode it further, crazy eh? Any part of the property can now be encoded with html entities. I went for the backslash and malformed entities, but you can experiment with different combinations. The property “\2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67” now becomes: &#x5c2d&#x5c6d&#x5c6f&#x5c7a&#x5c2d&#x5c62&#x5c69&#x5c6e&#x5c64&#x5c69&#x5c6e&#x5c67.
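From the defensive side, a filter that only looks for the literal text -moz-binding misses both encoded layers, so it has to undo them before comparing. The following is an added example (not from the original post) that does that: it decodes numeric HTML entities, then CSS hex escapes, and only then checks the property name. It assumes the current HTML rule for entities (all hex digits are consumed, the semicolon is optional), so the no-semicolon form shown above decodes to a single code point rather than to a backslash; a normaliser for a specific engine would have to follow that engine’s rules. The function names are my own.

```javascript
// Added example, not from the original post: normalise the two encoding
// layers before checking a style for a dangerous property.

// Out-of-range or NUL code points are replaced, as CSS and HTML both do
function codePointToChar(cp) {
  return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
}

// Layer 1: numeric HTML entities. Assumes the current HTML rule: all digits
// are consumed and the trailing ';' is optional, so "&#x5c2d" is U+5C2D.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => codePointToChar(parseInt(hex, 16)))
    .replace(/&#([0-9]+);?/g, (_, dec) => codePointToChar(parseInt(dec, 10)));
}

// Layer 2: CSS escapes, i.e. a backslash, 1 to 6 hex digits and one optional
// whitespace (no "x" prefix, no zero padding), or a backslash + any character.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})[ \t\n\f\r]?|\\(.)/gi, (_, hex, ch) =>
    hex !== undefined ? codePointToChar(parseInt(hex, 16)) : ch);
}

// The forward conversion from the post, for comparison
function encodeCssHex(s) {
  return Array.from(s, c => '\\' + c.codePointAt(0).toString(16)).join('');
}

function normaliseStyle(style) {
  return decodeCssEscapes(decodeNumericEntities(style)).toLowerCase();
}

// Check the property name only after both layers have been removed
function mentionsMozBinding(style) {
  return /-moz-binding\s*:/.test(normaliseStyle(style));
}
```

mentionsMozBinding('color: red') is false, while the hex-escaped property and the entity-wrapped hex-escaped property (written with semicolons, e.g. &#x5c;2d) both normalise to -moz-binding and are reported.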

Here is the final vector with a link to hackvertor for testing:-
The final vector

Javascript regular expressions

Ronald and I had a good conversation about Javascript regular expressions, comparing them to PHP. He was having difficulty with the syntax because he was used to preg in PHP, so I promised to share the knowledge I gained from developing various online scripts.

First up, preg_match in PHP can be achieved using the match function in Javascript. They are both very similar; it’s just a matter of getting your head round the different syntax. Match is part of the String object, and here is how to use it:-

alert('Test'.match(/[a-z]/))

You can match subpatterns like this (I’ve tried to keep it as close to PHP syntax as possible):-

var pattern = /([a-z]+)([0-9]+)([A-Z]+)/;
var subject = 'test1234TEST';
var matches = subject.match(pattern); // matches[0] is the whole match
var match1 = matches[1]; // 'test'
var match2 = matches[2]; // '1234'
var match3 = matches[3]; // 'TEST'
alert(match1);
alert(match2);
alert(match3);

You can also create matches using the RegExp object. This is useful for passing variables into the pattern, which to my knowledge isn’t possible with “//” syntax.

var a = 'a+'; // the variable is interpreted as a pattern, not literal text
alert(new RegExp(a).exec('123aaaabcdef'));

The exec method can also be called from “//” patterns.

alert((/[0-9]+/).exec('12345abcdef'))

Javascript supports the modifiers “g”, “i” and “m”; here’s how to use them with “//” syntax:-

var matches = 'ababababababa'.match(/[a]/g); // with "g", match returns every match
alert(matches);
alert(matches.length);

Here’s how to use modifiers with the RegExp object:-

alert(RegExp('[test]+','i').exec('TeSt'))

Ok, I hope you’re following so far. I’m going to move onto replace now and how to use the various combinations.

Here’s how to use replace, notice how only one “t” is replaced:-

var str = 'test';
alert(str.replace('t','x')); // a string search replaces only the first occurrence

In order to replace more than one instance of the string you have to use a regular expression with the “g” modifier, like this:-

alert('test'.replace(/t/g,'x'))

Javascript also supports anonymous functions within replace, which is really powerful; you can even nest the replaces and perform other logic:-

alert('teeest'.replace(/e+/g, function(str) {
  return str.replace(/e/g,'x');
}));

You can also use parentheses with replace and reference the subpatterns like this:-

alert('567'.replace(/([0-9])([0-9])([0-9])/,'$3$2$1'));
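To pull the calls above together, here is an added example (not from the original post) of small PHP-style helpers built on match, exec and replace. It goes one step beyond the text in one respect a practitioner needs: when a variable is passed into RegExp it is interpreted as a pattern, so text that should be matched literally has to be escaped first, the equivalent of preg_quote in PHP. The helper names are my own.

```javascript
// Added example, not from the original post: PHP-style helpers on top of
// the match/exec/replace calls shown above. Helper names are my own.

// preg_quote(): make a string safe to embed in a RegExp as literal text
function pregQuote(str) {
  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// preg_match(): null when nothing matches, otherwise [whole, sub1, sub2, ...]
function pregMatch(pattern, subject, flags) {
  return new RegExp(pattern, flags || '').exec(subject);
}

// `needle` taken from a variable is a PATTERN: "a+" means "one or more a".
// match() with "g" returns null (not []) when nothing matches, so guard it
// before reading .length.
function countPattern(subject, needle) {
  return (subject.match(new RegExp(needle, 'g')) || []).length;
}

// The same count, but treating `needle` as literal text
function countLiteral(subject, needle) {
  return countPattern(subject, pregQuote(needle));
}

// replace with a callback: hex-entity encode every non-alphanumeric
// character, the kind of conversion Hackvertor performs
function hexEntities(str) {
  return str.replace(/[^a-z0-9]/gi, c => '&#x' + c.charCodeAt(0).toString(16) + ';');
}

// Subpattern references ($1, $2, ...) in the replacement string
function swapDateParts(ymd) {
  return ymd.replace(/^(\d{4})-(\d{2})-(\d{2})$/, '$3/$2/$1');
}
```

With the subject 'aa a+', countPattern(subject, 'a+') is 2 (the runs “aa” and “a”) while countLiteral(subject, 'a+') is 1 (the text “a+”); the difference is exactly what escaping is for.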

That’s all for now. I may follow up this article at a later date when I have some spare time; I hope you enjoyed it.

Google payloads

Description

Google has a cool free service for hosting open source projects which allows you to manage your source code over svn. You can also view the contents anonymously, but because some files directly output their contents it’s possible to use this service to host malicious server-reflected attacks. The lack of any form of CAPTCHA also makes it easy for an attacker to automate this process.

POC

The following proof of concept uses the anonymous feature to include an HTML file which really contains javascript:-
Google payload poc

Recommendation

All file types should be forced to download when their contents are viewed anonymously.

Unicode half and full width conversion

I’ve been reading a lot about unicode over the past few weeks and I decided to add full/half conversion into Hackvertor as a learning exercise. It’s useful for testing IDS systems because certain web servers automatically convert the characters into the normal ASCII range.

Check it out here:-
Unicode demo

You can even assign a custom prefix to the conversion, allowing you to produce urlencoded escapes or javascript escapes; a demo of that is available here:-
Custom prefix

Update…

Modified the prefixes slightly to allow hex entities as well:-
Entity demo

Another update…

It supports direct conversion of characters now:-
Direct conversion
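As an added example (not Hackvertor’s own code), here is the full/half width conversion in working code, including the custom prefix described in the updates so the result can be emitted as escapes. The half-width direction is the one a detection engineer needs: a server that folds width would see the ASCII form, so input should be folded the same way before it is inspected. The function names are my own.

```javascript
// Added example, not Hackvertor's own code: ASCII <-> Unicode full-width
// forms, with an optional escape prefix. Function names are my own.

const OFFSET = 0xFEE0; // U+0021..U+007E map to U+FF01..U+FF5E

// With no prefix the full-width characters are returned directly. With a
// prefix such as '%u' or '\\u', every character is emitted as prefix + 4
// upper-case hex digits, e.g. 'a' -> '%uFF41'.
function toFullWidth(str, prefix) {
  return Array.from(str, ch => {
    const cp = ch.codePointAt(0);
    let out = cp;
    if (cp >= 0x21 && cp <= 0x7e) out = cp + OFFSET;
    else if (cp === 0x20) out = 0x3000; // ideographic space
    if (prefix === undefined) return String.fromCodePoint(out);
    return prefix + out.toString(16).toUpperCase().padStart(4, '0');
  }).join('');
}

// Fold full-width forms back to ASCII; other characters pass through
function toHalfWidth(str) {
  return Array.from(str, ch => {
    const cp = ch.codePointAt(0);
    if (cp >= 0xff01 && cp <= 0xff5e) return String.fromCodePoint(cp - OFFSET);
    if (cp === 0x3000) return ' ';
    return ch;
  }).join('');
}

// A check that folds width first, so a full-width spelling of `needle`
// is found where a plain indexOf would miss it
function containsAfterFolding(input, needle) {
  return toHalfWidth(input).indexOf(needle) !== -1;
}
```

toFullWidth('abc 1') yields ａｂｃ　１ and toHalfWidth turns it back; containsAfterFolding('．．／', '../') is true even though the raw input never contains the ASCII sequence.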

Code morphing

I’ve been working on a small project with the eventual goal of producing randomly morphing javascript. It’s still early stages at the moment, but I thought I’d release it now because then I might get some motivation to improve it. I plan to add this functionality into Hackvertor as well as Spambam in future.

At the moment the script has multiple modes: the random mode selects parts of the source to encode, and the other modes allow you to continually encode Javascript. The main problem with continual encoding is that the size of the source increases each time. I’ve had some great suggestions from Ronald, Mario and sirdarckcat, and I plan to incorporate these into the next release.

Bugs

This is early code so there are quite a few bugs: the random mode doesn’t work all the time because some encoding methods return errors, and variables mode doesn’t work correctly yet as there’s a slight bug. I also need to improve the regular expressions for matching functions and then encoding them with unicode. The unicode mode will also support double or maybe even triple encoding, using multiple evals to return the desired string; this might take a bit of work but I think it will be worth it :)

Check it out here:-
Code morpher