I <3 Bots!

Keyword - JavaScript


Friday, December 5 2008

IE7, no Same Origin Policy when the script/file is on your file system

It's been a long time since I last posted here. I've been quite busy with the new job at Cigital and everything that comes with it.

Anyway, this morning a colleague of mine showed me a piece of JavaScript he used to create a request to another website (actually, it just did in JavaScript what I had done in Python previously). This totally bugged me: he was able to craft a request (using XHR) from a local file to a remote website... WTF with the SOP? After some tests, it seems to work only with IE7, but I didn't test many browsers, only Firefox 3, Chrome and IE7.

So, I have no idea whether this has been known for a long time, but I haven't seen it before.

A simple PoC is available here: xhr_SOP_ie7.html

Wednesday, August 13 2008

And so you wanted to protect your email address on your website...

People start thinking about how to prevent spam when they build a website, and that's a very good thing indeed. The only problem is when they don't actually know how a bot handles an HTML page...

For instance, I was browsing qik.com and saw this little piece of JavaScript meant to keep the email address from being exposed:

<script type="text/javascript">
//<![CDATA[
  document.write('<a href="mailto:XXXX@qik.com"\
    title="Send us an email!">XXXX@qik.com<\/a>');
//]]>
</script>

As readers of this blog may know, the bot process is really easy... download the HTML page (crawling), then try to extract the email address (parsing). Obviously a bot won't care about the CDATA tag or that the address is embedded in JavaScript code. If I had to write a bot, I would use a very lossy parser in order to gather as much information as possible, and I wouldn't care about "in which context am I?". Also, according to some testing I'm doing, I can tell you that if this were a URL, the Google bots would get it...

So please, obfuscate this at least a bit... some examples can be found on fuckthespam.com
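To check the claim above against your own page, here is an added example (not code from the post or from qik.com): a context-unaware, regex-driven extractor in the spirit of the bot described, run over a constructed copy of the document.write() snippet with a placeholder address, and over the same address hidden as a reversed string.

```javascript
// Constructed sample 1: the document.write() snippet from the post, placeholder address.
const DOCUMENT_WRITE_PAGE = `<script type="text/javascript">
//<![CDATA[
  document.write('<a href="mailto:info@example.com"\\
    title="Send us an email!">info@example.com<\\/a>');
//]]>
</script>`;

// Constructed sample 2: same address, but stored reversed and rebuilt only by JavaScript.
const REVERSED_PAGE = `<script type="text/javascript">
  var a = 'moc.elpmaxe@ofni'.split('').reverse().join('');
  document.write('<a href="mailto:' + a + '">' + a + '</a>');
</script>`;

// Lossy, context-unaware normalisation: the parser does not care whether the text sits in
// a <script>, a CDATA section or an attribute; it only flattens common encodings.
function flatten(html) {
  return html
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))          // &#64;
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/\\\n/g, '')   // backslash line continuation inside a JS string literal
    .replace(/\\\//g, '/'); // the <\/a> escape used to hide the closing tag from HTML parsers
}

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Addresses a regex-driven crawler would see in the raw HTML (deduplicated).
function addressesVisibleToBot(html) {
  return [...new Set(flatten(html).match(EMAIL_RE) || [])];
}

console.log(addressesVisibleToBot(DOCUMENT_WRITE_PAGE)); // the address is found as-is
console.log(addressesVisibleToBot(REVERSED_PAGE));       // nothing: no JS execution, no match
```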

Monday, December 10 2007

[WASC] Release of Script Mapping Project

The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3.

The results can be found on the project page: http://www.webappsec.org/projects/scriptmapping/

Project Description:

The purpose of the Script Mapping Project is to come up with an exhaustive list of vectors to execute script within a web page without the explicit use of <script> tags. This data can be useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an HTML whitelist system, as well as for other uses.

WASC is actively seeking volunteers from various sections of the community including penetration testers, security researchers, and developers to contribute to this project.

If you would like to be involved with the project or if you have comments about the results, test cases etc., please contact me.

Wednesday, November 21 2007

The new grabber

Grabber was a nice project. The main goal for me was to learn about web application security/scanners; I didn't really know much before I started it. But now that I've been playing with web app scanners for more than 10 months, I need to create a new one and go deeper into heuristics, browser integration and AI.

Grabber was in fact more of a spider+fuzzer than anything else... Not a good web app scanner at all. As for the analysis engine... it's something kinda stupid: no JavaScript execution, just simple heuristics for parsing and Levenshtein distances ;)

Anyway, I decided to start this project over. It's not gonna be a bunch of Python scripts anymore, I am gonna use Qt/C++ extensively. The idea of this project is to be pen-tester oriented and open: I want to create a kind of wrapper around WebKit (especially using QtWebKit), with a spider as the core utility and plugins on top. The plugins should be either in C++ or JavaScript (QtScript actually). So far, three of us are thinking about this project: we haven't started yet, but we are open to every contribution; the project will of course be free and GPL'd.

I'm just posting this to get some comments or suggestions about what a web app scanner should do... Feel free to comment/mail...

Tuesday, May 1 2007

XUL or extjs?

After a project, AK gives a short comparison of these two client-side technologies: http://www.akbkhome.com/blog.php/View/135/XUL_or_extjs.html

Friday, March 30 2007

Firebug: XHR prototype overloading failure

I love Firebug; it's really good for developing web apps. But today I ran into an issue that was pretty annoying! First of all, when I develop a small app, I usually do it under Firefox only, with Firebug and other nice extensions loaded.
But today I hit an issue when I wanted to overload the XMLHttpRequest send function to do other things with it: Firebug simply does not allow me to do this, but it works fine if I want to overload the 'open' function!

Pretty annoying, but you cannot do this with Firebug activated:

var originalSend = XMLHttpRequest.prototype.send;   // keep the native send() so it can still be called
XMLHttpRequest.prototype.send = function(data) {
    var sData = transformation(data);   // transformation(): your own rewrite of the request body
    return originalSend.call(this, sData);
};

Tuesday, March 27 2007

Obfuscation and Spam Bots: Update

Sven Vetsch/Disenchant has just sent me an email with the Vigenère version of the obfuscation script. This version is quite cute, but it's true that the public key is not secure enough... let's work on another version with public and private keys!

You can find Disenchant's script here.

Obfuscation and Spam Bots

Still on the same subject, spam bots: I was thinking that obfuscation would be a good way to prevent them. So I first started playing with reversed strings; even if it may be obvious to the bots, I'm pretty sure it's still more difficult than the previous technique, which can almost be bypassed by an intelligent-but-with-no-JavaScript-support parser.

So this version is quite simple:

<script>
String.prototype.reverse = function() { return this.split('').reverse().join(''); };
// onsubmit handler: runs just before the browser submits the form, so the reversed
// names in the markup are turned back into the real ones (emanresu -> username).
function reverseNames() {
	var formElement = document.forms[0].elements;
	for (var i = 0; i < formElement.length; i++) {
		formElement[i].name = formElement[i].name.reverse();
	}
	return true; // let the submission proceed; the elements collection itself has no submit()
}
</script>
...
<form method="post" action="check.php" onsubmit="return reverseNames()">
	<label for="emanresu">&#8238;emanresu&#8237;</label> <input type="text" id="emanresu" name="emanresu" />   <br />

You can find the running example here.
While talking about obfuscation/crypto, since there are only a few parameters to obfuscate/encrypt, maybe a Vigenère algorithm would be nice...

Note that we do not use the string 'username' anywhere in the HTML page; if you want to display 'username', you can use the character &#8238;, which reverses the text that follows it.
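The Vigenère variant mentioned in this post and in the update above, as an added example (not Disenchant's script nor the author's): the same idea as reverseNames(), but the field names in the markup are Vigenère-shifted with a key, the onsubmit handler shifts them back, and the server (check.php in the post; written here in JavaScript) accepts only the real names. The key, the field names and the `elements` objects are constructed; as the update says, the key sits in the page source, so this only stops parsers that do not execute JavaScript.

```javascript
const ALPHA = 'abcdefghijklmnopqrstuvwxyz';

// Vigenère shift over a-z; any other character (digits, '_', '-') passes through
// unchanged and does not consume a key letter. decrypt=true reverses the shift.
function vigenere(text, key, decrypt = false) {
  let out = '';
  let k = 0;
  for (const ch of text) {
    const p = ALPHA.indexOf(ch);
    if (p < 0) { out += ch; continue; }
    const s = ALPHA.indexOf(key[k++ % key.length]);
    out += ALPHA[(decrypt ? p - s + 26 : p + s) % 26];
  }
  return out;
}

// Page side: the markup carries only the obfuscated names, never the real ones.
function obfuscatedNames(realNames, key) {
  return realNames.map((n) => vigenere(n, key));
}

// onsubmit handler, the counterpart of reverseNames(): `elements` mimics
// document.forms[0].elements (objects with a .name), so this also runs in Node.
function restoreNames(elements, key) {
  for (const el of elements) el.name = vigenere(el.name, key, true);
  return elements;
}

// Server side: accept a submission only if it carries exactly the real field names.
// A client that did not run the onsubmit handler posts the obfuscated names instead.
function acceptPost(postedNames, realNames) {
  const posted = [...postedNames].sort();
  const real = [...realNames].sort();
  return posted.length === real.length && posted.every((n, i) => n === real[i]);
}

const KEY = 'spam';                         // constructed key, visible in the page source
const REAL = ['username', 'email'];         // constructed field names
const inPage = obfuscatedNames(REAL, KEY);  // ['mhedfpmq', ...] is what the HTML contains
const browser = restoreNames(inPage.map((name) => ({ name })), KEY).map((e) => e.name);
console.log(acceptPost(browser, REAL));     // true: JavaScript ran, real names posted
console.log(acceptPost(inPage, REAL));      // false: names posted straight from the markup
```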

Friday, March 23 2007

Prevent spam bots on a phpBB2

I've talked before about techniques to prevent spam bots from registering or posting somewhere. Even though I think a good solution is to create a session ID with JavaScript, I was a bit stuck with phpBB2 because of the template engine: I cannot easily write JavaScript dynamically into the page.

So the solution I used is simply to create a CAPTCHA which is written into the page with JavaScript, such as:

// generateStaticKeyWord() returns the fixed keyword that the PHP script compares the posted value against
document.write("<input type='hidden' name='persoCaptcha' value='" + generateStaticKeyWord() + "' />");

And then I had to check for this value in the PHP script.

Fairly simple, but it seems to work without many modifications to the phpBB2 forum... Here is a list of spam bots that I detected with this technique on a forum. Even if this technique works for now, I will have to use a better one...

Wednesday, February 28 2007

Firefox2 and the Weird JavaScript Events...

For almost a week, I've been working with zeno, wisec and others on JavaScript events and HTML tags: which event can be fired in which tag...
The testing is definitely not finished, but I was implementing a JavaScript unit-testing based test bed to save everybody from clicking through 8700 testcases * nb_browsers...

Anyway, the method I use is to fire a JavaScript event on document load to verify whether it works (the information is gathered by the JSUnit framework).
So, the funny part in Firefox is that I can fire almost every event in every tag; you can find an example here where I do something like this:

<acronym onsubmit="alert('TEST')">test</acronym>

The equivalent Internet Explorer version can be found here (it works well... IE does nothing).

I haven't really taken the time to think about this, but I'm sure something can come from it...

Edit: Wisec found that under Firefox you can also fire every event on nonexistent tags such as:

<unex ondblclick="alert('TEST')">test</unex>
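An added example of the unattended test-bed approach described in this post (not the author's JSUnit code): each case is a tag with an on<event> attribute that records a hit instead of calling alert(), a small constructed tag/event matrix (including the nonexistent 'unex' tag from the edit) is built from it, and runCase() dispatches a synthetic event in the browser to see whether the inline handler ran. Only the matrix builder runs outside a browser; runCase() and runMatrix() need a DOM.

```javascript
// Constructed slice of the matrix: tags (one nonexistent) and events to try on each.
const TAGS = ['acronym', 'b', 'unex'];
const EVENTS = ['submit', 'dblclick', 'load', 'error'];

// One test case: a <tag> whose on<event> attribute appends "tag:event" to a shared
// array instead of alert(), so a whole matrix can run without anyone clicking.
function caseMarkup(tag, evt) {
  return '<' + tag + ' on' + evt + '="window.__fired.push(\'' + tag + ':' + evt + '\')">test</' + tag + '>';
}

// Cartesian product tags x events, each with the markup to inject.
function buildMatrix(tags, events) {
  const cases = [];
  for (const tag of tags) {
    for (const evt of events) cases.push({ tag, evt, markup: caseMarkup(tag, evt) });
  }
  return cases;
}

// Browser only (needs a DOM): inject the markup, dispatch a synthetic event of that
// type on the element and report whether its inline handler ran.
function runCase(tag, evt) {
  window.__fired = [];
  const host = document.createElement('div');
  host.innerHTML = caseMarkup(tag, evt);
  document.body.appendChild(host);
  host.firstChild.dispatchEvent(new Event(evt, { bubbles: true, cancelable: true }));
  host.remove();
  return window.__fired.includes(tag + ':' + evt);
}

// Run the whole matrix; returns the rows a JSUnit-style report would collect.
function runMatrix(tags, events) {
  return buildMatrix(tags, events).map(({ tag, evt }) => ({ tag, evt, fired: runCase(tag, evt) }));
}
```

In a browser, `runMatrix(TAGS, EVENTS)` returns one `{tag, evt, fired}` row per case; a row with `fired: true` is a tag/event pair a blacklist filter has to account for.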