---
layout: post
status: publish
published: true
title: Some evil stuff from sla.ckers
wordpress_id: 264
wordpress_url: http://pro.grammatic.org/post-some-evil-stuff-from-slackers-36.aspx
date: '2007-07-05 13:05:55 +0200'
date_gmt: '2007-07-05 13:05:55 +0200'
categories:
- Technology
- InfoSec
tags:
- information security
- XSS
comments: []
---
There's such a wealth of new XSS vectors coming out of the work on phpids that I couldn't resist sharing a few of the tastier morsels here. The original thread is over at sla.ckers if you want to read it there!
So how the heck is this vector working? The statement formed at the end of the line reads: eval(unescape(location))
Eval executes whatever is inside it; unescape decodes URL-encoded characters; so the LOCATION itself (the URL of the current page) is what ends up being evaluated. ma1 explains how this vector works (hint: it is to do with the newline chars in the URL!)
http: - parsed as a valid ECMA262 label
//host:port/path/...#...[newline] - C++ style comment opener
yourPayloadHere() - :D
Now that is evil!
The workings require a little explanation...
a is loaded with the eval statement, concatenated from two parts. b is loaded with an eval [a] of location.hash, again formed from two joined strings. c is loaded with substr, and then all three are pieced together to give: eval(location.hash.substr(1)) - so anything after the fragment identifier in the URL will be executed as a payload.
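Both vectors above are about making the IDS miss an eval of location: the first hides the call in the URL after a newline, the second splits it across string literals. As an added example (not code from the post or from phpids), here is the normalise-then-match step a detector needs before a plain pattern can see either form; the sample scripts and URL are constructed for the demo.

```javascript
// Added example, not from the original post or phpids: glue split string
// literals back together, then look for eval( [unescape(] location.

// Matches a JavaScript string literal and captures its contents.
const LITERAL = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;

// The shape we care about, with optional unescape() and window./self./top. prefixes.
const LOCATION_EVAL = /eval\s*\(\s*(?:unescape\s*\(\s*)?(?:window\.|self\.|top\.)?location/;

// Two views of a script: (1) the contents of every string literal joined in
// source order, which defeats "ev"+"al(" splitting even when the pieces travel
// through variables a, b, c; (2) the script with quotes and the '+' between
// literals stripped, which catches the unsplit call.
function normalise(src) {
  const literals = [];
  for (const m of src.matchAll(LITERAL)) literals.push(m[2]);
  const joined = literals.join("");
  const dequoted = src.replace(/["']\s*\+\s*["']/g, "").replace(/["']/g, "");
  return { joined, dequoted };
}

function looksLikeLocationEval(src) {
  const { joined, dequoted } = normalise(src);
  return LOCATION_EVAL.test(joined) || LOCATION_EVAL.test(dequoted);
}

// The label trick carries the payload in the URL itself, after a newline, so
// the same check is run over the percent-decoded URL of the request.
function urlCarriesLocationEval(url) {
  let decoded;
  try { decoded = decodeURIComponent(url); } catch (e) { decoded = url; }
  return looksLikeLocationEval(decoded);
}

// Constructed samples (hypothetical, not taken from the sla.ckers thread).
const SPLIT_SAMPLE = 'var a="ev"+"al("; var b="loca"+"tion.hash"; var c=".substr(1))"; var d=a+b+c;';
const BENIGN_SAMPLE = 'var msg = "hello " + "world"; document.title = msg;';
const URL_SAMPLE = 'http://example.invalid/page#%0Aeval(unescape(location))';

if (typeof require !== "undefined" && require.main === module) {
  console.log(looksLikeLocationEval(SPLIT_SAMPLE));  // true
  console.log(looksLikeLocationEval(BENIGN_SAMPLE)); // false
  console.log(urlCarriesLocationEval(URL_SAMPLE));   // true
}
```

The joined-literals view is deliberately crude (it ignores ordering through variables), which is exactly why it catches the a+b+c assembly without having to execute anything.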
Seriously interesting stuff guys - and keeping us busy over at the IDS!