Tag Archives: web

Bypassing XSS Auditor in Google Chrome

I was playing around with a site belonging to the fellow writer blacktom, who also posts stuff in this blog. Anyway, blacktom developed this particular site about 7-8 years ago and did a classic mistake, no bad feelings 🙂 , he used encoding where he should have used encryption.

Successful exploitation of the flaw would result in a reflected XSS transported via the URL (GET method). Although this flaw could lead to more serious things (remember, PHP uses a problematic function to decode base64 which could lead to remote shells etc), I just stored somewhere the URL, actually I have a bunch of .txt files with vuln sites that I found from time to time.

Anyway, a long time ago I stopped using Chrome when I was pentesting, because of the Firefox plugins that allowed a significant extension of the features. Also, Chrome didn’t allow testing for XSS vulnerabilities. Being lucky, I opened blacktom’s vuln app with Chrome and an alert stating XSS popped. Long story short, I tried a various combinations which all worked. So, bypassing XSS auditor is possible in another way, remember the <svg> tags allowing bypassing too.

I went on , trying document.cookie, AJAX to this server and all worked fine. I assumed that Chrome offers no auditing inside base64 encoded data for XSS. I filed a security bug about this, in which I will come back later. Anyway, thing is you can bypass XSS Auditor in Chrome using base64 encoding wherever this is allowed by the under attack web page 🙂

Back to the security bug, this is not the first time I find a security bug in a software and I file a report, but it is the first time that within a few hours I had a response, immediate, clear and thankful, from the developers. I had vulnerabilities(commonly called 0days, btw this is not a 0day 😛 ) before in major web applications and social networking sites and either they didn’t respond or even worse, their team couldn’t go further than TRUE or FALSE given the vulnerable variable and a classic, for example SQLi string.

So, Congratulations for the response and the product to all the guys behind chrome 🙂

File Inclusions with SQL.

Last time I posted something technical was about SQL injection . I described how to identify a vulnerable parameter and how to exploit it manually, it is possible to use something FREE like sqlmap or other free or commercial products.

This time we are going to talk about Local File Inclusion and Remote File Inclusion. So, what is file inclusion?
Continue reading

SQL Cheatsheets

I suppose you have already read this .

When I was writing the post “SQL injections” I mentioned that I didn’t know some MsSQL reserved words. This time I have some cheatsheets mostly from darkc0de but you can find everything on the web too. Remember “A dumb asks questions, a smart asks google first” 🙂 Continue reading

SQL injections

Databases are pieces of software that allow massive storage of data in a structured-by-the-developer order. All this data can be easily accessed using SQL language. The data can be anything, from text, personal identification number, credit card numbers or even files in certain cases. The success of those databases is that anyone with the proper authorization can access the data both fast and easily. The access is achieved by SQL. SQL stands for Structured Query Language. Continue reading