gmane.comp.security.websecurity

Re: Need some help with one XSS Vector

Jeff Williams — 2012-05-22T20:58:01

What happens when you send </script>. Why doesn't it work?  Is escaped or validated?  Can you bypass validation?

--Jeff



On May 21, 2012, at 1:49 PM, Spam Catcher <rrspam< at >hotmail.co.uk> wrote:


_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Re: Need some help with one XSS Vector

Spam Catcher — 2012-05-21T17:49:13

You could try using http://www.w3schools.com/jsref/jsref_fromcharcode.asp

Then you should not need to include any ' in your string and the app will hopefully not add anything to break the javascript.

-----Original Message-----

From: Aaron Devaney
Sent: 21 May 2012 16:14:12 GMT
To: websecurity< at >lists.webappsec.org
Subject: Re: [WEB SECURITY] Need some help with one XSS Vector

Hi,
Have you tried using a slash before the single quote so that the escape
is performed on the slash that is escaping the quote?

So in your example you could try        \' + document.cookie;//

Which then might give the following

<script type="text/javascript">alert('No Information is found for the
card 1\\'+ document.cookie);//');</script>

I didn't test it but it looks like it might work depending on how the
filter is working.

Regards
Aaron

-----Original Message-----
From: websecurity-bounces< at >lists.webappsec.org
[mailto:websecurity-bounces< at >lists.webappsec.org] On Behalf Of
websecurity-request< at >lists.webappsec.org
Sent: 19 May 20

Re: Need some help with one XSS Vector

Aaron Devaney — 2012-05-21T08:26:21

Hi,
Have you tried using a slash before the single quote so that the escape
is performed on the slash that is escaping the quote?

So in your example you could try        \' + document.cookie;//

Which then might give the following

<script type="text/javascript">alert('No Information is found for the
card 1\\'+ document.cookie);//');</script>

I didn't test it but it looks like it might work depending on how the
filter is working.

Regards
Aaron

-----Original Message-----
From: websecurity-bounces< at >lists.webappsec.org
[mailto:websecurity-bounces< at >lists.webappsec.org] On Behalf Of
websecurity-request< at >lists.webappsec.org
Sent: 19 May 2012 04:15
To: websecurity< at >lists.webappsec.org
Subject: websecurity Digest, Vol 17, Issue 6

Send websecurity mailing list submissions to
websecurity< at >lists.webappsec.org

To subscribe or unsubscribe via the World Wide Web, visit

http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.
org

or, via email, send a message with subject or body 'help' to
websecurity

Re: Need some help with one XSS Vector

MaXe — 2012-05-20T04:42:51

No problem, it's a common misunderstanding (for developers) to only encode
quotes (") and apostrophes (') but not backslashes (\) :-)

But the good thing is, at least they're encoding quotes and hopefully
apostrophes too (where it's appropriate), compared to like 5 years ago when
almost no one was encoding anything.


Best regards,
MaXe

On Sat, 19 May 2012 13:12:28 +0530, Chintan Dave <davechintan< at >gmail.com>
wrote:
<davechintan< at >gmail.com>
any
Input
out
found
found

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Re: Need some help with one XSS Vector

Chintan Dave — 2012-05-19T07:42:28

Yes actually, we were able to bypass using the same technique.

We just injected an extra slash to nullify escaping & ended the payload with comment

Appreciate all your help.

Sorry for brevity, sent from my iPod,

Thanks,
Chintan

On 19-May-2012, at 12:37 PM, MaXe <owasp< at >intern0t.net> wrote:


_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Re: Need some help with one XSS Vector

MaXe — 2012-05-19T07:07:52

If backslashes aren't escaped properly (with a backslash), try this:
\');alert(/TestString/.source);//

This should result in:
<script type="text/javascript">alert('No Information is found for the card
\\');alert(/TestString/.source);//');</script>

If there's two backslashes, the first one will nullify (escape) the second
one, meaning the apostrophe won't be escaped.


Best regards,
MaXe


On Fri, 18 May 2012 12:04:59 +0530, Chintan Dave <davechintan< at >gmail.com>
wrote:
way
is
card
of
output
for
working.
for

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

[Announcement] ClubHack Magazine Issue 28,May 2012 Released

Abhijeet Patil — 2012-05-21T06:13:43

Dear All,

Here we are with the 28th issue of ClubHack Magazine.

This issue covers following articles:-

0x00 Tech Gyan - Steganography over covert channels
0x01 Tool Gyan - Kautilya
0x02 Mom's Guide - HTTPS (Hyper Text Transfer Protocol Secure)
0x03 Legal Gyan - Section 66C - Punishment for identity theft
0x04 Code Gyan - Don’t Get Injected – Fix Your Code
0x05 Poster - "Look both side before crossing one way track"

Check http://chmag.in/ for articles.
PDF version can be download from:- http://chmag.in/issue/may2012.pdf

Send us your feedback, articles at info< at >chmag.in

Regards,
Team CHMag
http://chmag.in/
_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Need some help with one XSS Vector

Chintan Dave — 2012-05-18T06:34:59

Hi,

I am running into one issue with XSS and was interested if there is any way
I can bypass it.
Following the response code where user supplied input is embedded. Input is
taken via a text box.

*<script type="text/javascript">alert('No Information is found for the card
1');</script>*

User supplied input *1* is highlighted in red. I am trying to break out of
this alert box, however when a single quote is given as input, the output
is escaped using a backslash. It is as follows:
*
Input:*     *1'**
Output:** <script type="text/javascript">alert('No Information is found for
the card 1\'');</script>*

I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestion on how to break out of this would be much helpful.

All characters except the *single quote, <!-- and </script>* are working.
Using a

I tried the following vector to escape out:

*Input:*     *1`);alert(1);(`'**);**
Output:** <script type="text/javascript">alert('No Information

New Open Source Web Application VulnerabilityScanner Available

Dermot Blair — 2012-05-15T21:37:48

Hi All,
There is a new web application vulnerability scanner available. It is called WebVulScan and it is open source. Here is the link for it if you want to check it out: http://code.google.com/p/webvulscan/
Regards,
Dermot Blair       _______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Re: Classic examples for secure webapps

Nick Owen — 2012-05-15T16:13:39

I'm a fan of Plone:  http://plone.org/products/plone/security/overview

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Classic examples for secure webapps

Sebastian Schinzel — 2012-05-15T10:50:52

Dear all,

Two examples come to my mind when I think about classic examples of
secure software development: OpenSSH and Qmail. Both

a) were designed with security in mind
b) were heavily audited (--> open source)
c) are widely used in security sensitive environments for long times (> 10 years) 
d) had relatively few known security bugs despite b), and c).

My question is:
Are there any web applications that can be seen as a classic example of
secure software development on the web (similar to OpenSSH and  Qmail
in the network service area)?

Thanks,
Sebastian

---
Sebastian Schinzel

Universität Erlangen-Nürnberg
Lehrstuhl für Informatik 1
IT-Sicherheitsinfrastrukturen

Web: http://www1.cs.fau.de/
Twitter:http://twitter.com/seecurity








_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

Breakpoint 2012 Call For Papers

2012-05-10T11:48:16

                 . ______________________________________
                 ._\\.         Breakpoint 2012           (___.
                 :          Intercontinental Rialto          :
                 :           Melbourne,  Australia           :
                 :             October 17th-18th             :
                 :__                                    . ___:
                    )____________________________________\\
                                                            .
                          www.ruxconbreakpoint.com
                          www.twitter.com/ruxconbpx



Introduction
------------

 Breakpoint is a new security conference to be held on the 17th and 18th of
 October, in Melbourne Australia. The event will show case the work of expert
 security researchers from around the world on a wide range of topics.
 Breakpoint is organised by the Ruxcon conference team and will offer a
 specialised and more professional security conference to complement and lead
 into the larger and

Bypassing web antiviruses and attack via tablescorruption in MySQL

MustLive — 2012-05-05T20:50:36

Hello participants of Mailing List.

As I've wrote last month in the list, I've presented full translation of my
articles (in a form of new complex article), which I told
you briefly in my post Bypassing of security mechanisms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-September/008051.html).
And now I will tell you about other my articles, written in September 2011
and in April 2012. Request full translation of any of them if needed.

I'll tell you briefly about my two articles concerning bypassing web
antiviruses and attack via tables corruption in MySQL. Which I wrote in
September and in April accordingly. These topics should be interesting for
you (especially for those, who haven't read them before).

1. Effective use of cloaking against web antiviruses
http://websecurity.com.ua/5359/

In this article I told more about the cloaking - the way how web antiviruses
became fighting with it and other ways of bypassing them with cloaking. This
is third article in my series about

Submit to WOOT: USENIX Workshop on OffensiveTechnologies

Elie Bursztein — 2012-05-04T05:25:50

Hi everyone,

WOOT is the USENIX Workshop on Offensive Technologies and this year
will focus on the future of web exploitation and HTTPS security.

One of the specificity of WOOT is that it is meant to be a a bridge
between the industry and the academic world which always give rise to
interesting discussion :)

So if you just gave a cool talk at BSide or got something interesting
planned for Black Hat or DEFCON, it is exactly the type of work we'd
like to see submitted to WOOT.

Don't be shy, it will be a very fun workshop ! The WOOT call of paper
is available here: http://ow.ly/aH1X0

--
Elie
http://elie.im - Twitter: < at >elie

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Re: CRLF Injection - HTTP Response Splitting

Mon — 2012-05-03T08:51:43

Hi Tanuj,

Thanks for your reply. I tried with a larger string
(%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a,
%0d%0a%0d%0a%0d%0a%0d%0a%20%0d%0a%0d%0a%0d%0a%0d%0a, etc.)

The response doesn't split and %0d%0a appear as printable characters in the
output.

Location:
https://domain.org/path/res.asp?https=redirect&key1=value1&key2=value2&key3=value3%0d%0a%0d%0a%0d%0a%0d%0a%20%0d%0a%0d%0a%0d%0a%0d%0aContent-Length:%200

%0d%0a encoding for CRLF doesnt seem to work, hence, I was trying different
encodings.

Br,
--
m0n


On Wed, May 2, 2012 at 5:01 PM, Tanuj Pathak <Tanuj.Pathak< at >mphasis.com>wrote:

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Abusing Password Managers with XSS

mastah yeti — 2012-04-30T16:30:35

New post on abusing password managers with Cross-Site Scripting.
http://labs.neohapsis.com/2012/04/25/abusing-password-managers-with-xss/

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

nullcon Delhi 2012 Call for Paper/Call for Event

nullcon — 2012-04-29T15:32:15

Hi All,

For the very first time nullcon now comes to Delhi - to showcase cutting
edge security technologies and discuss new attack vectors and security
threats among the  Corporate world and the Government sector. The event
brings together thought leaders,Corporates, Government and security
professionals all under one roof.

Prototype:
-------------
We are introducing a new sub-event - Prototype at nullcon Delhi 2012. The
event provides opportunities to innovative companies to showcase their
latest and new technology/products to the nullcon audience. The main aim
behind Prototype is to enable and boost companies driving innovation in
security domain and provide them a perfect platform to boast about their new
technology and at the same time grab the attention of potential investors
and business partners at minimal cost. For more details about the event, its
costing and how your organization can participate kindly contact:
info_at_nullcon.net

Categories:
—————

The talk time duration includes tim

OWASP 2012 Online Competition

Ivan Buetler — 2012-04-29T19:15:30

Dear security experts,

Hacking-Lab is proud to announce the upcoming online OWASP 2012 hands-on
competition about web security issues. The competition will start next
Tuesday (May 1 2012) and ends June 17th, 2012. It's all about web
security, including the Greece Hackademics challenges plus some advanced
Hacking-Lab challenges. The winner will gain a free ticket to either the
OWASP AppSec EU conference in Athens or AppSec US. 

Winner Selection Criteria
a) how many points you receive (complete)
b) how complete your solutions are (quality)
c) how fast you are completing the challenges (time)
d) creativity, unseen solutions, geek factor

The OWASP GEC (Global Education Committee) and Hacking-Lab have the
right to select the winner in case of identical a) to d) levels. OWASP
teachers, Hacking-Lab volunteers, Compass Security Switzerland staff are
not allowed to play. Sorry for that, folks.

Checkout the upcoming "OWASP 2012 Online Competition" here
* https://www.hacking-lab.com/events/

Train your Brain - Expl

Oracle Padding and Exploitation

Daniel "unicornFurnace" Crowley — 2012-04-28T06:20:53

First off, my anal retentive side simply *MUST* correct you: It's
"padding oracle".

An "oracle" is a system which provides answers to specific types of
questions. In cryptography, there is a concept of "padding", extra
data appended to the unencrypted message to satisfy the length
requirements of a block cipher, which requires that data it is
encrypting is to be of a certain length.

A padding oracle normally only will reveal if an encrypted message,
when decrypted, is properly padded.

Vaudenay presented at EUROCRYPT that with PKCS#5 padding, a padding
oracle can actually be used as a decryption oracle, given the ability
to make lots of submissions to the padding oracle. This allows us to
decrypt arbitrary data using a padding oracle.

Thai Duong and Juliano Rizzo applied this theoretical attack in a
practical way: against Web applications. They also presented a way of
using padding oracles as encryption oracles, allowing encryption of
arbitrary data.

The ASP.NET framework not only had padding oracle flaw

CRLF Injection - HTTP Response Splitting

Mon — 2012-04-30T12:32:00

Hi all,

May be this a very stupid question, however, after many unsuccessful
attempts, I would appreciate your assistance.

In testing a web application, I found that on sending the following request
header:

GET /path/path-contd/resource.asp?key1=value1&key2=value2&key3=value3
HTTP/1.1
....


I got the the following response header:

HTTP/1.1 302 Found
Date: xxxx
Server: xxxx
Location: https://
<full-domain>/path/path-contd/resource.asp?https=redirect&key1=value1&key2=value2&key3=value3
....

I tried to inject "CRLF" (%0d%0a) in value3 to perform a HTTP Response
Splitting, however, the input was always output to the response header as
text and the injected CRLF (%0d%0a) was never executed. I tried:

1. double url encoding: %250d%250a
2. encoding the attack vector to unicode 16-bit
3. injecting %0d%0a (and double encoded value) in value1 instead
4. injecting %0d%0a (and double encoded value) in value2 instead

Am I missing something trivial or any other attack vector to bypass CRLF
Injection protection/filt

CIntruder v0.2 released

psy — 2012-04-26T23:18:29

Hi list,

There is released a new version of *CIntruder* (v0.2) - the captcha intruder

Take a look to the CIntruder website to see new features implemented:

http://cintruder.sf.net

You can download original code directly from here:

http://sourceforge.net/projects/cintruder/files/cintruder_v0.2.0.tar.gz/download

Or update your copy from the CIntruder repository:

http://sourceforge.net/p/cintruder/code/

Now there is modularity on OCR process, you can handle CIntruder with
another tool, to perform automatic test on forms that have a captcha,
and interact with an online distributed dictionary.

http://cintruder.sf.net/cinet

I hope that you enjoy it!! :D

psy.

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity< at >lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecur