I was interested to see in a XSS/CSRF exploit the following lines: {% highlight php %} if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff)) { print ''; } {% endhighlight %} This is obviously designed to be included in a PHP script which should then be included as part of a XSS attack and causes a CSRF attack on IPB to promote a user to administrator status.

After much testing/tweaking the first release of .NETIDS is upon us! Featured in this release: automatic String.fromCharcode conversion and detection new and optimized filter rules improved halfwidth/fullwidth encoding detection enhanced UTF7 converter enhanced nullbyte detection page output/fragmented XSS scanning .NETIDS .NETIDS v.0.1.0.0 released was originally published by Martin Paul Eve at Martin Paul Eve on June 19, 2007.

Today I made some large commits to the .NETIDS project to enable detection of fragmented XSS attacks. For an example of what a fragmented attacks looks like, have a look at the .NETIDS SmokeTest.

Following on from a post on sla.ckers it emerges that Firefox has a vulnerability/bug that is very difficult to filter against and allows a fragmented XSS attack. This is best illustrated by the following example: {% highlight html %} test link {% endhighlight %} The conditions for the XSS working are 2 injection points. Injection point 1 must be inside an HTML comment whilst injection point 2 is inside a double quoted attributed.

Today there were 5 flaws for Firefox and IE6/7 unveiled - 2 for IE and 3 for Firefox. Michal Zalewski disclosed 3 at http://seclists.org/fulldisclosure/2007/Jun/0026.html and the other can be found at http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/. A bad day for browsers was originally published by Martin Paul Eve at Martin Paul Eve on June 05, 2007.

Just a quick note to announce the start of dotnetids, a port of phpids to the .NET Framework. http://code.google.com/p/dotnetids/ dotnetids was originally published by Martin Paul Eve at Martin Paul Eve on May 25, 2007.

This morning I knocked up some proof of concept code to illustrate the retrieval of one-time authentication tokens. The situation in which this is handy is when a site follows best practices and implements a one-time authentication token, but is vulnerable to a XSS attack. A one-time authentication token is a hidden value implanted into either a link or form.

This page is designed to give an overview of Cross Site Scripting attacks on web sites, how they come into being, how to exploit them and how to protect against them. To fully comprehend Cross Site Scripting, or XSS as it is known (CSS is NOT used as an abbreviation because it causes confusion when talking about Cascading Style Sheets), it is necessary to have a basic understanding of (X)HTML, JavaScript and Server Side Scripting.

Enter JavaScript in the box below and press "encode":

GNUCITIZEN has been going on about this for some time now, but the truly devastating impact of what he has been saying only actually hit me today when reading about his JavaScript interface to Johnny's Google Hacking Database. The scenario is as follows. The interface contains NO SERVER SIDE SCRIPTS and no iframes or other such methods for loading offsite data but instead utilises the JSON data format to include remote script files.

ha.ckers are reporting that their book on Cross Site Scripting has finally been released! Buy a copy at Amazon! RSnake + Jeremiah Grossman's Book Released was originally published by Martin Paul Eve at Martin Paul Eve on May 20, 2007.