I know I haven't posted anything here for a good while, but that's because on top of uni work I have a surprise up my sleeve in the not so distant future. I also do intend to continue working on .NETIDS when I finally get some time! This is not that surprising... but something I found interesting. A certain musical group, whom I will not name here, recently changed their forum onto a new proprietary system.
Just thought I'd share the following script vector with you all that I came up with while stressing PHPIDS today: {% highlight javascript %} l= 0 || 'str',m= 0 || 'sub',x= 0 || 'al',y= 0 || 'ev',g= 0 || 'tion.h',f= 0 || 'ash',k= 0 || 'loca',d= (k) + (g) + (f),a=0 || (y) + (x),b=1[a](d),c=0 || (m) + (l),1[a](b[c](1)); {% endhighlight %} Put that inside a script block and believe it or not it will eval the text after the fragment identifier.
There's such a wealth of new XSS vectors coming out of the work on phpids that I couldn't resist sharing a few of the tastier morsels here. The original thread is over at sla.ckers if you want to read it there!
Whilst working on the next release of .NETIDS I came across some interesting info about the parsing of numbers within JavaScript - information that is of particular relevance when it comes to filtering against String.fromCharCode injection attempts. The first item of interest is that JavaScript will parse hexadecimal in the form 0xYY even when not enclosed in quotes (ie. as a string), so this can be used in fromCharCode.
This is a well known trick that I just wanted to share as it is so crucial in preventing effective XSS attacks in Internet Explorer (and hopefully soon FireFox). Anyway, the method is simple, whack this under the <system.web> section of your web.config file: {% highlight xml %} {% endhighlight %} Tada! HttpOnly cookies in .NET 2.0 was originally published by Martin Paul Eve at Martin Paul Eve on June 26, 2007.
One of the questions I see most frequently on Freenode's ##csharp irc channel is how to use a MySql Database in .NET. I've therefore provided the class that I use for basic database operations.
Just a quick note to announce the release of .NETIDS v.0.1.1.0 - a small update that adds some valuable features: Fixed bug of empty Report.Tags object Added options to SecurePage to disable each type of scanning Updated filters Most significantly this means that you can control whether page Output Scanning is performed from a SecurePage derived page.
DataExecutor.cs: {% highlight csharp %} // // DataExecutor.cs // // Authors: // Martin Eve (martin@2bitpie.net) // // // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND // NONINFRINGEMENT.
I was interested to see in a XSS/CSRF exploit the following lines: {% highlight php %} if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff)) { print ''; } {% endhighlight %} This is obviously designed to be included in a PHP script which should then be included as part of a XSS attack and causes a CSRF attack on IPB to promote a user to administrator status.
After much testing/tweaking the first release of .NETIDS is upon us! Featured in this release: automatic String.fromCharcode conversion and detection new and optimized filter rules improved halfwidth/fullwidth encoding detection enhanced UTF7 converter enhanced nullbyte detection page output/fragmented XSS scanning .NETIDS .NETIDS v.0.1.0.0 released was originally published by Martin Paul Eve at Martin Paul Eve on June 19, 2007.
Today I made some large commits to the .NETIDS project to enable detection of fragmented XSS attacks. For an example of what a fragmented attacks looks like, have a look at the .NETIDS SmokeTest.