Everything posted by TehFallen

  1. Yeah, mine's a simple setup, but in most real world applications the comments are needed to block out interfering HTML. As for doing it in a single line, it's all open source, we just gotta reverse engineer it and figure something out, I haven't tried embedding source code yet such as <script src="malicious.js"/> that might work.
  2. I'm actually at a university in Arkansas, must be a similar subnet, it lets me in now. Try out this test site I threw together: http://pi.webuda.com/hello.php Here's the code:

     <html>
     <head>
     <title>Hello</title>
     </head>
     <body>
     <?php
     // read both fields (NULL when absent, so a plain GET shows the form without notices)
     $fn = isset($_POST['fn']) ? $_POST['fn'] : NULL;
     $ln = isset($_POST['ln']) ? $_POST['ln'] : NULL;
     if($fn==NULL || $ln==NULL)
         echo "<form action='hello.php' method='post'>First Name: <input name='fn' type='text'/><br/>Last Name: <input name='ln' type='text'/><br/><input type='submit' value='Go'/></form>";
     else
         // both values are echoed back without any encoding (the reflected XSS this test page is for)
         echo "Hello " . $fn . " " . $ln . "!";
     ?>
     </body>
     </html>

     The way you exploit it would be to set your first name as <script>/* and your last name as */alert();</script>; if you do this you should see an alert box.
  3. I'm not at home right now where my code is at but I'll get it up later tonight for sure. It's worked every time for me but I've only been trying it on one site. I'm impressed that Chrome is doing this as well, though in the end it should be the site admins' responsibility, it's nice to know we're helping cover up their shortcomings. [edit] I get a 403 on your site so can't test it. [/edit]
  4. Maybe you need to update your Chrome...doesn't work for me, the image loads but the console still gives the "Refused to execute a JavaScript script. Source code of script found within request." error, refusing to execute the JavaScript. I'm running an up to date (15.0.874.121 m) Windows 7 version, I'll boot up Debian here in a minute and try that out as well. Now there is a header ("X-XSS-Protection: 0") the server can send telling Chrome to disable this feature, maybe your testing site is telling Chrome not to worry about XSS? Chrome can apparently be started with a "--disable-xss-auditor" option to do this as well. Take a look at this http://www.opensource.apple.com/source/WebCore/WebCore-658.28/page/XSSAuditor.cpp
  5. I'm pretty sure it's blocking on port, and I thought about your idea but I'm afraid they might analyze the packet data as well, they've cracked down a lot on illegal streaming, downloading, etc lately, and that's part of the reason I'm assuming we can't ssh out, because we could encrypt our data. Interestingly enough though we are allowed to ssh on the internal network (it's a college scenario and I'm a cs major so I ssh into our linux server for assignments quite regularly).
  6. I recognize all that, I've had my fair share of experience in it. There are several sites I routinely check up on once a year or so for the admins as an unofficial security advisor of sorts, all because I pointed out holes in their site. I by no means claim to know a lot about it, I'm just a script kiddie, but your responses do not seem to address the original post. The original post is a method used to circumvent security measures Google Chrome has placed for non-persistent XSS attacks. If you ignore such things, and yourself use, say, Firefox, or god forbid Internet Explorer, and you create an XSS attack out of a search page and then hop on the site's chat or forum or wherever and send that link out, you're screwed if they're using Google Chrome. Now yes, the site I found this on has already been notified of their vulnerabilities (as well as an SQL injection issue on the same page with the same inputs) and I also refuse to give the name of the site out. But I came here to post an interesting workaround for a NEW security implementation in modern day browsers. My post had nothing to do with persistent XSS, it also had nothing to do with escaping server side security. That's an entirely different story. My post addressed the issue that Google Chrome filters out JavaScript it sees in the page's request. Please read it kind sir. I appreciate the thought but I feel like you've gotten off topic. [edit] Quick testing shows that Chrome's anti-XSS measures even work against things like onload handlers of images as you had suggested, so the attack '><img onload="javascript:alert();" src= /><input type=' wouldn't work, the server might let it through but if the client you're trying to attack has Google Chrome it refuses to run the script. [/edit]
  7. Thanks for the feedback, I've actually been to that site and a lot of those methods don't seem to work in modern day browsers, maybe I'm implementing them wrong but it seems that Chrome especially has cracked down on this lately. I know that the error I was getting is less than a year old, I used to do the exact same XSS attacks in Chrome without it picking up that it was being used in the request, so new security features. I'd never before heard of anybody separating XSS attacks across two inputs before, but then again I hadn't heard of browsers securing against them in such methods, it's always been something that was up to the site admins to cleanse the input. Honestly I don't understand why you would split an XSS attack across two inputs except in this scenario. In addition RSnake's methods seem to address circumventing server side security and not client side security, which as I'm aware is something new. But again, the only reason I was posting this is to share a method I had not seen online (and I looked). But I couldn't find anything about getting around Chrome's client side security. [edit] http://blog.securitee.org/?p=37 It is a relatively new feature, and I managed to find some documentation that mirrored what I discovered, the aim is to get the word out about new security features in Chrome to watch out for and the proper techniques required to get around them. [/edit]
  8. TehFallen

    Xss Attacks

    So today I was testing some XSS vulnerabilities out on a site. It seemed to be working, my script tags were generating but oddly enough the JavaScript in between them was mysteriously gone, so I took a look at the console and realized I was getting this error: "Refused to execute a JavaScript script. Source code of script found within request." A quick Google search confirmed my suspicions, Google Chrome was protecting me >.< Admirable but I wasn't about to let it beat me, so I continued prying around. It even filtered out <meta> redirects. Then I found it. I haven't seen this on the web, but maybe someone else discovered this workaround, maybe not, needless to say I thought it was worth sharing. Let's say we have a search result page with a url of site.com/search.php?query=test&page=1 and the code looks like this:

    <html>
    <head>...</head>
    <body>
    ...
    <input type='text' id='query' name='query' value='test'>
    ...
    <input type='hidden' id='page' name='page' value='1'>
    ...
    </body>
    </html>

    The key is that there are two inputs, and if they're both unsanitized and vulnerable to XSS then you're in luck. The way you do this is by assigning query a value of '><script>/* . The '> breaks out of the input tag, the <script> opens up a JavaScript tag, and the key to it all, the /* begins a comment. Now you've halfway beaten the system, time to finish it up. Next it's time to set page equal to '>*/alert();</script><input type='hidden . The '> breaks out of the input tag as before, and now, the */ closes the comment, next the alert(); (or any other malicious code), then close the script with a </script>, and lastly I like to properly end it with a hidden input, personal preference. The key here is the comment, it lets us split our attack across the 2 inputs without the HTML in the middle messing it up. Enjoy! :)
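The server-side fix for both reflected pages on this thread (the hello.php test page in post 2 and the search page in post 8) is the same: output-encode every untrusted value for the HTML context it lands in, and the comment-splitting trick has nothing to split. The script below is an added example, not code from the poster or from any of the sites discussed. The templates, the parameter values and the function names (`render`, `injected_script`, `start_tags`) are constructed for illustration; the check uses Python's standard `html` and `html.parser` modules so it runs offline.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs modelled on the two-field split described in the posts
# (first/last name for hello.php, query/page for search.php). Not captured traffic.
HELLO_INPUTS = {"fn": "<script>/*", "ln": "*/alert();</script>"}
SEARCH_INPUTS = {"query": "'><script>/*", "page": "'>*/alert();</script><input type='hidden"}

# Text context: the values land between tags (hello.php).
HELLO_TEMPLATE = "<body>Hello {fn} {ln}!</body>"
# Attribute context: the values land inside single-quoted attribute values (search.php).
SEARCH_TEMPLATE = ("<input type='text' id='query' name='query' value='{query}'>"
                   "<input type='hidden' id='page' name='page' value='{page}'>")


def encode_for_html(value):
    """Output-encode one untrusted value for HTML text or attribute content.

    quote=True is what makes this safe inside attribute values: without it
    html.escape leaves ' and " untouched, so the '> break-out still works.
    """
    return html.escape(value, quote=True)


def render(template, values, encode=True):
    """Reflect request parameters into a page template.

    encode=False reproduces the vulnerable behaviour of the pages in the posts;
    encode=True is the corrected behaviour (encode at output time, per context).
    """
    if encode:
        values = {name: encode_for_html(v) for name, v in values.items()}
    return template.format(**values)


class StartTagCollector(HTMLParser):
    """Records the start tags a browser-like parser sees; used as the test oracle."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Return the list of start tags, in document order, found in the markup."""
    parser = StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_script(markup):
    """True if the rendered page contains a <script> element the template never had."""
    return "script" in start_tags(markup)


if __name__ == "__main__":
    for name, template, values in (("hello", HELLO_TEMPLATE, HELLO_INPUTS),
                                   ("search", SEARCH_TEMPLATE, SEARCH_INPUTS)):
        for encode in (False, True):
            page = render(template, values, encode)
            print(name, "encoded" if encode else "raw",
                  "-> script element present:", injected_script(page))
```

Run it and the raw renderings of both templates contain a `script` start tag while the encoded ones do not; the encoded search page still has exactly its two `input` elements because `'` becomes `&#x27;` and the attribute value never closes early. The oracle is deliberately a parser rather than a substring match, since what matters is the element tree the browser builds, not whether the text `<script` appears somewhere.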
  9. Portknocking seems fascinating, though the OpenVpn looks like a real easy way to implement this. Thanks!
  10. I have a scenario in which I am behind a firewall restrictive enough to disallow SSH and IRC connections out. But HTTP and HTTPS requests are allowed. So I had this idea, what if I took an external server, did an HTTPS handshake with it, and connected like I would for any old HTTPS connection, but the server sees that the request is from me and instead of serving back a webpage it served up an SSH connection or telnet. Actually it could be an unencrypted remote login because the HTTPS would be encrypting it, so for speed it might be better not to use SSH because we'd be double encrypting everything, the nice thing about SSH though is it's easy to proxy internet connections through, so essentially what I'm looking at is setting up a system where I can proxy my internet through HTTPS to my server on the outside and as far as the network is concerned it's indistinguishable from real web browsing. Would this be possible? Has anyone done it? Could you point me in the right direction if so?
  11. The problem with adding a new line is I wouldn't know when to do it and when not to, if "Bob" hasn't typed anything into stdin then I don't want to add a new line because it'd produce an out of place blank space, and even if "Bob" had typed part of something, received a new message, and finished typing, his message would be broken in two with the incoming message in between. The problem with Python I'm seeing is all its ways of collecting input rely on the user hitting enter when they're done and I want to be able to see what they've typed as they type it. I did just stumble upon a read() function though that reads a certain amount of characters from the stdin and think I might be able to turn off default echoing of keys and use this to read the last character typed, print it, add it to a string, etc etc, still a bit of overkill seeing as all I really need is some sort of read everything function and then clear stdin. I didn't even think about a log but that's a great idea, I'll look into implementing that today at some point. Ideally I would like to have a GUI with an input box and a simple text box that displays the conversation as I write out to it, which would actually solve all my input output problems :D I'll look into the debug stuff too, I think I remember reading somewhere that you can redirect stderr to a file in Python so the user doesn't get any of it live. Definitely worth a Google. Thanks for all the suggestions!
  12. That's really interesting with the modems. But no, I don't think that's the problem, the main loop of the program looks like this:

      receive().start()
      try:
          while 1:
              conn[s].send(raw_input())
      except:
          print 'Disconnecting'
          conn[s].close()
          conn[r].close()

      receive().start() begins the thread that receives and prints out messages and the other one is pretty self-explanatory, it sends everything you type (raw_input() waits for the enter key so it just loops around), the except statement gets called if you ctrl+c out of the loop because a KeyboardInterrupt is considered an error, problem is it hangs on the 2 lines where it should be disconnecting, my only guess is it's waiting on some confirmation from the other client before disconnecting? On a side note I just realized the except isn't really necessary so I'll probably eliminate that and yes, I will get around to coding some basic commands that let you disconnect properly without having to ctrl+c.

      //edit Here's what happens when I run the program and try to quit:

      user@computer:~/chat-python$ ./pyCHAT.py
      Server(s) or Client(c) mode: c
      Host address:
      Port: 1212
      sent -> Hello

      With both the server and client successfully running I say "Hello" to the server.

      user@computer:~/chat-python$ ./pyCHAT.py
      Server(s) or Client(c) mode: s
      Port: 1212
      received -> Hello

      The server gets the "Hello" message just fine.

      user@computer:~/chat-python$ ./pyCHAT.py
      Server(s) or Client(c) mode: s
      Port: 1212
      Hello
      ^CDisconnecting
      ^C

      I press ctrl+c on the server (note, this same problem happens regardless of whether ctrl+c is pressed on the client or the server).

      user@computer:~/chat-python$ ./pyCHAT.py
      Server(s) or Client(c) mode: c
      Host address:
      Port: 1212
      Hello

      The client shows nothing, doesn't know that the server is trying to disconnect (which is how it should look).

      user@computer:~/chat-python$ ./pyCHAT.py
      Server(s) or Client(c) mode: c
      Host address:
      Port: 1212
      Hello
      ^CDisconnecting
      Exception in thread Thread-1:
      Traceback (most recent call last):
        File "/usr/lib/python2.7/threading.py", line 552, in __bootstrap_inner
          self.run()
        File "./pyCHAT.py", line 51, in run
          data = conn[r].recv(2048)
        File "/usr/lib/python2.7/socket.py", line 170, in _dummy
          raise error(EBADF, 'Bad file descriptor')
      error: [Errno 9] Bad file descriptor
      user@computer:~/chat-python$

      I press ctrl+c on the client, error is thrown and returns me to the command line.

      user@computer:~/chat-python$ ./pyCHAT.py
      Server(s) or Client(c) mode: s
      Port: 1212
      Hello
      ^CDisconnecting
      ^CException in thread Thread-1:
      Traceback (most recent call last):
        File "/usr/lib/python2.7/threading.py", line 552, in __bootstrap_inner
          self.run()
        File "./pyCHAT.py", line 51, in run
          data = conn[r].recv(2048)
        File "/usr/lib/python2.7/socket.py", line 170, in _dummy
          raise error(EBADF, 'Bad file descriptor')
      error: [Errno 9] Bad file descriptor
      Exception KeyboardInterrupt in <module 'threading' from '/usr/lib/python2.7/threading.pyc'> ignored
      user@computer:~/chat-python$

      The server also throws an error and exits to the command line.
  13. I'm working on a simple Python chat application: http://paste.pound-python.org/show/9689/ But I'm having a few problems that I'll list below: 1) Say Bob and Sue are chatting, if Bob has typed out half a message and then Sue sends her message, Sue's message gets appended to Bob's and a newline is created, if Bob hits enter his half typed message is sent but the problem is it's not very visually appealing and can create quite a mess if someone would want to read back over their conversation. What I really want to do is every time a new message is received, get the value of stdin, clear stdin, print the new message, set stdin to the value got earlier. Problem is I have yet to figure out a way to do this. 2) When using ctrl+c to quit it doesn't do a clean exit, you have to ctrl+c on both ends of the chat client before they both quit, not sure why. Any help would be appreciated! Thanks in advance.
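Problem 2) in post 13 and the "Bad file descriptor" traceback in post 12 have the same root cause: the main thread closes the socket while the receiver thread is still blocked in recv() on it, so that thread either never wakes (the hang) or wakes on a dead descriptor (EBADF). The script below is an added example of the shutdown order that avoids this; it is not the poster's pyCHAT.py code. It assumes a receiver that polls with select() so it can observe a stop flag, and it uses an in-process socketpair() as a stand-in for the TCP connection so it runs without a server. `Receiver`, `disconnect` and `demo` are names chosen here, not from the posted program.

```python
import select
import socket
import threading
import time


class Receiver(threading.Thread):
    """Receive loop that polls with select() so it can notice a stop request
    instead of sitting in a blocking recv() until the peer happens to send."""

    def __init__(self, sock, on_message):
        super().__init__(daemon=True)
        self.sock = sock
        self.on_message = on_message
        self.stop_requested = threading.Event()
        self.peer_closed = False

    def run(self):
        while not self.stop_requested.is_set():
            readable, _, _ = select.select([self.sock], [], [], 0.1)
            if not readable:
                continue                  # nothing arrived; re-check the stop flag
            data = self.sock.recv(2048)
            if not data:                  # empty read means the peer shut down its side
                self.peer_closed = True
                break
            self.on_message(data.decode("utf-8", "replace"))


def disconnect(sock, receiver):
    """Tear down in the order that keeps both threads and the peer consistent:
    stop the reader, wait for it, shutdown() so the peer sees EOF, then close().
    Calling close() first, as in the posted except block, is what leaves the
    reader thread holding a dead descriptor ("Bad file descriptor")."""
    receiver.stop_requested.set()
    receiver.join(timeout=2.0)
    try:
        sock.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass                              # peer may already be gone
    sock.close()
    return not receiver.is_alive()


def demo():
    """Constructed run: one end of a socketpair plays 'us', the other the peer.
    Returns (messages received, reader exited cleanly, peer observed EOF)."""
    local, remote = socket.socketpair()
    remote.settimeout(2.0)
    received = []
    rx = Receiver(local, received.append)
    rx.start()

    remote.sendall(b"Hello")              # the peer says hello, as in the transcripts
    deadline = time.monotonic() + 2.0
    while not received and time.monotonic() < deadline:
        time.sleep(0.01)

    clean = disconnect(local, rx)         # we hang up on our side only
    try:
        peer_saw_eof = remote.recv(2048) == b""   # the peer notices without its own ctrl+c
    except OSError:
        peer_saw_eof = False
    remote.close()
    return received, clean, peer_saw_eof


if __name__ == "__main__":
    print(demo())
```

The peer end never has to press ctrl+c: once our side has called shutdown() and close(), its recv() returns an empty read, which is the signal its own receiver loop should treat as "disconnect" rather than as an error. The select() timeout trades a 100 ms polling granularity for a receiver that can always be stopped from the main thread.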
  14. It looks amazing! I'm definitely interested. Actually Azn I have a question. Could you perhaps look at this post and tell me if you think the concept I described would be possible with your code?
  15. Well yes but the point is not that. With a restricted account, this account even has parental controls enabled, xcode was able to write to a location that the user has no access to. Not saying it's completely possible but with experimentation you might be able to exploit it to write any file over any location. Adding all sorts of things. Overwriting host files, network sharing preferences, and maybe even get to the point of gaining a root shell for a person that began with no privileges at all. Though I could be totally wrong and deserve the title 'Newbie'
  16. That's an interesting idea but rather than send commands from another device to the teensy I'm talking about sending data from the computer to the teensy, but you could apply his code and concept to it. As I was saying pretend to be USB headphones...receiving all the audio output from the computer. Then via FTP, external media or some other place run a program, maybe written in AutoIt but could be C++, or anything. This program would take an argument in the cmd line of the data you want to send. example: /Teensy_Media/audio_encode.exe -data "ipaddress_here" or whatever data you want to send to it. The program could use Azn's code to encode the data in audio signals and send it to the teensy, which could receive these signals by pretending to be the headphones or speakers. This would enable the teensy to act differently based on information of the computer giving the user much more control.
  17. Just saw something interesting last night. I was working in Xcode on an iMac running OSX version 10.6.2. I had a project open, its location being Volumes/My Book/xcode/sourcecode/xcode/project.xcoddeproj (yes the path is wonderfully descriptive) but anyways I was running into some compiling problems I'd never run into before and was using the new Xcode for the first time. A quick Google suggested removing spaces in my path name so I just went to Finder and renamed my external hdd from "My Book" to "MyBook." Then went back to Xcode and hit compile. Of course errors out the wall, I had just changed the file path of an open project. What an idiot. It started asking me if I wanted to resave my open files, where to, etc. I don't actually remember what all I clicked before I realized that it had messed up because of the path. Well today I get on and I go to my Volumes folder and was gonna add a shortcut there named "My Book" to link to "MyBook" so all my other shortcuts on my dock, etc still worked. Simple enough. Well I get to the Volumes folder and whoa, there's a folder there called "My Book". Now everything I'd done was on a standard account that doesn't have write access to the Volumes folder. I can't delete the "My Book" folder without admin privileges, can't change it or anything. It's empty but that's probably because I aborted the compiling process before it could write out everything. So I was thinking...would it be possible to put together an Xcode project, one that had certain target files, files you wanted overwritten, say system preference files, etc. Make them a target and compile your Xcode project. Somehow it gets privileges and can write to places your user can't. Could be interesting. Maybe it could also set certain resources as files and when you release-deploy it'll package those files in your dmg, in a format you could read. Not sure if any of this is plausible, just something interesting that I'll be testing later.
  18. Ever seen one of those USB ethernet adapters? How about a USB wifi adapter? USB bluetooth adapter? All three receive packets from the computer. Some more interesting ideas would be pretend to be a pair of USB headphones...it'd be slower as you'd have to send the data back in blips, like morse code. Give every character its own frequency, then instead of checking the sound itself just have the teensy check the frequency of it and use that as input to it. It's a little roundabout and inefficient but an interesting thought. No offense but any of these are better than the monitor idea (simply because guessing at the computer's default monitor setup would be guesswork at best and if it's set up as extended desktop you'd run into problems). And of course the easiest way for input would be, as other topics are discussing, emulate a flash drive (personally I'd emulate an external hdd, in most networks they're not locked down. My network for example does not allow applications to run from flash drives but external hdds get around that) and just save files to that and have teensy read those files. Just a couple of quick thoughts, hope they help. I'm about to head off to Newegg and browse their USB devices and see if I can think of any other ways to get data back, though personally I'm in favor of the ethernet adapter :)