Tag Archives: exploit

Bypassing XSS Auditor in Google Chrome

I was playing around with a site belonging to fellow writer blacktom, who also posts in this blog. Anyway, blacktom developed this particular site about 7-8 years ago and made a classic mistake, no bad feelings :) , he used encoding where he should have used encryption.

Successful exploitation of the flaw results in a reflected XSS delivered via the URL (GET method). Although this flaw could lead to more serious things (the danger is not base64_decode itself but whatever the PHP code does with the decoded data; passing it to include, eval or unserialize can end in a remote shell), I just stored the URL somewhere; actually I have a bunch of .txt files with vulnerable sites that I found from time to time.

Anyway, a long time ago I stopped using Chrome for pentesting, because Firefox's plugins extend its features significantly. Also, Chrome's XSS Auditor blocked reflected payloads, so it didn't allow testing for XSS vulnerabilities. Being lucky, I opened blacktom's vulnerable app with Chrome and an alert stating XSS popped. Long story short, I tried various combinations, which all worked. So, bypassing the XSS Auditor is possible in another way; remember that <svg> tags allowed a bypass too.

I went on, trying document.cookie and AJAX requests to this server, and all worked fine. I assumed that Chrome does no auditing inside base64-encoded data for XSS: the Auditor matches the raw request parameters against what shows up in the response, and a base64-encoded payload never appears verbatim in the request. I filed a security bug about this, which I will come back to later. Anyway, the thing is, you can bypass the XSS Auditor in Chrome using base64 encoding wherever the web page under attack decodes it :)
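The mechanism described above, as an added example that is not part of the original post: a small Node.js model of the vulnerable page and of a reflection-matching filter of the XSS Auditor kind. The site URL (https://example.test/page.php), the parameter name (data) and both request handlers are assumptions made up for illustration, and the filter is a deliberately simplified stand-in for the real Auditor logic (which Chrome removed in 2019). The point it shows is that a filter comparing request parameters to the response has nothing to match once the server transforms the parameter before reflecting it, while HTML-escaping the decoded value closes the hole regardless of the filter.

```javascript
// Added example, not code from the original post. Site, parameter name and
// handlers are assumptions; the "auditor" is a simplified model, not Chrome's.

// Attacker side: the payload is base64-encoded before it goes into the URL,
// so the URL itself contains no '<', no quotes and no script keywords.
function buildAttackUrl(base, payload) {
  const encoded = Buffer.from(payload, "utf8").toString("base64");
  return `${base}?data=${encodeURIComponent(encoded)}`;
}

// Parse the query string the way a server would see it (percent-decoding done).
function parseQuery(url) {
  const out = {};
  for (const [k, v] of new URL(url).searchParams) out[k] = v;
  return out;
}

// Vulnerable handler (assumed, modelled on the post's description): decode the
// base64 parameter and reflect it into the page verbatim.
function vulnerableHandler(query) {
  const decoded = Buffer.from(query.data || "", "base64").toString("utf8");
  return `<html><body><p>Hello ${decoded}</p></body></html>`;
}

// Hardened handler: identical decode, but the value is HTML-escaped before it
// is placed into element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function hardenedHandler(query) {
  const decoded = Buffer.from(query.data || "", "base64").toString("utf8");
  return `<html><body><p>Hello ${escapeHtml(decoded)}</p></body></html>`;
}

// Simplified reflected-XSS filter: flag the response when a request parameter
// that looks like markup reappears verbatim in the response body. It only ever
// sees the raw parameter value, so any server-side transformation (base64
// decoding here) breaks the match and the filter stays silent.
function naiveAuditorFlags(query, responseHtml) {
  return Object.values(query).some(
    (raw) => /<[a-z]/i.test(raw) && responseHtml.includes(raw)
  );
}

// Run the comparison: plain reflection vs. base64 reflection vs. hardened page.
function demo() {
  const payload = "<img src=x onerror=alert(document.cookie)>";
  const url = buildAttackUrl("https://example.test/page.php", payload);
  const encodedQuery = parseQuery(url);
  const plainQuery = { data: payload };
  const plainResponse = `<html><body><p>Hello ${payload}</p></body></html>`;

  return {
    // classic reflected XSS: parameter reappears as-is, the filter catches it
    plainReflectionFlagged: naiveAuditorFlags(plainQuery, plainResponse),
    // base64 variant: the payload reaches the page but the filter sees nothing
    encodedReflectionFlagged: naiveAuditorFlags(encodedQuery, vulnerableHandler(encodedQuery)),
    payloadReachesPage: vulnerableHandler(encodedQuery).includes(payload),
    // escaping the decoded value keeps the tag out of the markup entirely
    hardenedReachesPage: hardenedHandler(encodedQuery).includes(payload),
  };
}

module.exports = { buildAttackUrl, parseQuery, vulnerableHandler, hardenedHandler, naiveAuditorFlags, demo };
```

Run it with `node` and inspect `demo()`: the plain reflection is flagged, the base64 reflection is not flagged yet still lands the `<img onerror>` in the page, and the hardened handler never emits the tag. The lesson for the defender is that output encoding at the point of reflection is the fix; a client-side filter that reasons only about the raw request can always be sidestepped by a server-side transformation it does not know about.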

Back to the security bug: this is not the first time I have found a security bug in a piece of software and filed a report, but it is the first time that within a few hours I got a response, immediate, clear and thankful, from the developers. I had found vulnerabilities (commonly called 0days; btw, this is not a 0day 😛 ) before in major web applications and social networking sites and either they didn't respond or, even worse, their team couldn't go further than TRUE or FALSE given the vulnerable variable and a classic, for example SQLi, string.

So, congratulations for the response and the product to all the guys behind Chrome :)

File Inclusions with SQL.

Last time I posted something technical it was about SQL injection. I described how to identify a vulnerable parameter and how to exploit it manually; it is also possible to use a free tool like sqlmap or other free or commercial products.

This time we are going to talk about Local File Inclusion and Remote File Inclusion. So, what is file inclusion?

Browser history cache

Let's say you want to get data from a box but there's no shell (remember, "Where there is a shell, there is a way" :) ) or there is no other option to collect information about a user. Well, there is an option: this.

This is proof-of-concept code by Zalewski, a Google security researcher.

Comments:
I tried it and it worked in both Opera and Chrome; Firefox with the NoScript add-on failed (obviously). Firefox without NoScript worked well enough.

Hopefully, I’ll comment more about this exploit sometime later :)

Have fun reading the PoC code :)