Well, it's not security related, but I thought it was worth sharing my solution for all those people who are having trouble binding either ApplicationSettings or any other datasource to a RadioButton in the .NET Framework (C# and VB.NET) WinForms environment. The problem is that when binding a RadioButton's Checked property clicking on a differentbutton in the set will not select the new option, but merely deselect all options.

Just a quick post to draw attention to Ronald's excellent article at http://www.0x000000.com/?i=525 where he has pulled off a very interesting remote file access in IE7. The attack works by including an invalid DTD on an XML file which then streams the content of the requested file in its error message. Use IE7? Be afraid. IE7 Remote File Access was originally published by Martin Paul Eve at Martin Paul Eve on March 05, 2008.

Well, I decided to play around a little with Firefox 3 Beta 3 today and discovered that it looks like the ever popular -moz-binding css attribute is now rendered a little less useful. It is now impossible to load off-site XBL via this method. However, all is not lost.

Well, today I deployed an early version of my wp-aspxrewriter component to my personal blog. This component is an ASP.NET HttpModule in conjunction with a Wordpress plugin and code hack (official patch for the hack submitted at their trac site) which allows 100% pretty permalinks under IIS6. The current mechanism is grim. A request to a non-existent .aspx page invokes the handler.

Well, long time no post. Been in hospital. Been busy with college. Life gets in the way of hacking. Usually when one wast to illustrate an XSS vulnerability there are two approaches. The first is to show the client the XSS and assume that they know and understand the impact. The second is to write a fully fledged exploit which takes some form of action on the client's server so that they can see the truly devastating impact.

There's been a fair bit of discussion going on at slackers on the security implications of the Unicode characters U+202D and U+202E which switch the left-to-right and right-to-left encoding of the following text.

One of the biggest problems faced when writing Javascript that modifies the DOM is the fact that the poorly written IE7 crashes because it hasn't finished loading the current element. This only seems to happen when the DOM is modified through a script loaded by an xx:expression binding in a style tag.

I know I haven't posted anything here for a good while, but that's because on top of uni work I have a surprise up my sleeve in the not so distant future. I also do intend to continue working on .NETIDS when I finally get some time! This is not that surprising... but something I found interesting. A certain musical group, whom I will not name here, recently changed their forum onto a new proprietary system.

Whilst working on the next release of .NETIDS I came across some interesting info about the parsing of numbers within JavaScript - information that is of particular relevance when it comes to filtering against String.fromCharCode injection attempts. The first item of interest is that JavaScript will parse hexadecimal in the form 0xYY even when not enclosed in quotes (ie. as a string), so this can be used in fromCharCode.

Just thought I'd share the following script vector with you all that I came up with while stressing PHPIDS today: {% highlight javascript %} l= 0 || 'str',m= 0 || 'sub',x= 0 || 'al',y= 0 || 'ev',g= 0 || 'tion.h',f= 0 || 'ash',k= 0 || 'loca',d= (k) + (g) + (f),a=0 || (y) + (x),b=1[a](d),c=0 || (m) + (l),1[a](b[c](1)); {% endhighlight %} Put that inside a script block and believe it or not it will eval the text after the fragment identifier.

There's such a wealth of new XSS vectors coming out of the work on phpids that I couldn't resist sharing a few of the tastier morsels here. The original thread is over at sla.ckers if you want to read it there!