Showing posts with label XSS. Show all posts
Showing posts with label XSS. Show all posts

Wednesday, 16 October 2013

About.me Cookie Based XSS

About.me suffered from a Cross Site Scripting flaw I found a few days ago. The interesting thing about this flaw is that it was cookie based. The following post details how I found it and what I did to confirm that it was exploitable, it also discusses some interesting points to consider when you find a XSS triggered by Cookie Values.



Monday, 27 May 2013

Wordpress Plugin - ADIF Log Search Widget XSS Vulnerability

# Exploit Title: ADIF Log Search Widget XSS Vulnerability
# Google Dork:
# Date: 26/05/13
# Exploit Author: k3170makan
# Version: 1.0e
# Tested on: Ubuntu 12.04.2 LTS
Wordpress ADIF log book search plugin widget suffers from a Cross Site Scripting vulnerability.

Saturday, 29 December 2012

Word Press Photo Plus Photo Search XSS/CSRF Vulnerability

The WordPress Photo Plus plugin suffers from a XSS/CSRF  Vulnerability.


# Exploit Title: Word Press Photo Plus, Photo Search XSS/CSRF Vulnerability
# Google Dork: inurl:plugins +inurl:wp-photo-album-plus +intext:"Photo Search"
# Date: 29/12/12
# Exploit Author: k3170makan
# Vendor Homepage: http://wordpress.org/extend/plugins/wp-photo-album-plus/
# Software Link: http://wordpress.org/extend/plugins/wp-photo-album-plus/
# Version: 4.8.11
# Tested on: Ubuntu 10.04

Saturday, 20 October 2012

Beating Trivial Server Side Filters With WebKit

I've just started reading an awesome book and I thought I'd share some of my findings with you. I'll share the title of the book at the end of the post, and I must say its a must read for anyone trying to master XSS attacks.

That being said lets get down to business

Browser Languages

Lost in translation

Quick question what languages does your browser parse or "recognize" for you language theorists and computer scientists out there? Did you answer HTML,HMTL+,HTML2.0,XHTML,JavaScript,VBScript,etc? Well then, you are supposed to be right, but in strict terms this is not entirely true! If the set of languages B---which is commonly understood as the browser language---is the set of languages containing HMTL,XHTML,JavaScript,etc. only then this not the language your browser recognizes. Your browser actually recognizes a lot more, in the case of WebKit browsers---especially Chrome, which is what I based my research on here---HTML*---including all HTML versions---is actually bigger by at least 10 elements per standard element---by this I mean for every <a></a> element there are at least 10 equivalent <a></a> elements,I'll show you why in a bit.

Wednesday, 18 July 2012

WebKit XSSAuditor : The XSS catalyst

---Google:"Chrome 18 anti XSS bypass" and feel lucky ;)
 
A while ago I released a bypass for the webkit XSSAuditor in Chrome, I thought I'd honor it with a blog post and discuss another danger the XSSAuditor presents to web application security. This 'danger' of XSS filters has been published in a very popular paper---http://www.collinjackson.com/research/xssauditor.pdf--- about some XSS filters. What I'm doing here is demonstrating whats described.
XSSAuditor is part of WebKit's HTML parser and exists to try and mitigate reflected XSS attacks. Unfortunately because of how the auditor operates it can often have quite the opposite effect!
In this post I'll explain the situations where XSSAuditor can actually have the adverse effect on a web application's protection against XSS attacks.

Monday, 16 July 2012

NoNoScript : ByPassing NoScript's XSS filters via Error Basd SQLi

NoScript is a firefox add-on or `extension' in charge of stopping reflected XSS attacks. It operates by inspecting and auditing responses---much like other XSS filters---AND requests made by browsers.

Largely NoScript provides a great service, and manages to stop most attacks provided that the injection data is recognizable in the requests---meaning both POST and GET requests. Though because of how it works, when injection data
is not recognizable in requests, NoScript---and for that matter no other XSS filters---will be able to detect the attacks. This largely happens when data is injected in encrypted/hashed/encoded* format.  

granted some encodings are accounted for in NoScript and other XSS filters, don't expect to get around the best XSS filters known to man by simply %-encoding your injection data!

One example of a XSS attack where payloads are injected in a way that is not
recognizable to NoScript is in SQL injections. Namely Error Based SQL injection. The following demonstration will show you how to beat NoScript using
MySQL error based injection.

Sunday, 22 January 2012

Injecting javascript via MySQL error based injection

I've written about this in a couple of other articles, but I needed it to be on my new blog because it makes a good attack especially when dealing with MySQL databases, because:

  • MySQL on *nix servers can be configured pretty well, making access to the database very difficult and therefore pwnage can be very difficult!!
  • You have the ability to extend MySQL Error based injection into other attacks that may not be viable on the web application like:
    • non-persistent XSS
    • Defacement of the site
    • HTTP parameter pollution
    • DDos (more on this in another post!!) ---using this web application to make requests to other servers at the expense of the person visiting the page