--- layout: post status: publish published: true title: Some evil stuff from sla.ckers wordpress_id: 264 wordpress_url: http://pro.grammatic.org/post-some-evil-stuff-from-slackers-36.aspx date: !binary |- MjAwNy0wNy0wNSAxMzowNTo1NSArMDIwMA== date_gmt: !binary |- MjAwNy0wNy0wNSAxMzowNTo1NSArMDIwMA== categories: - Technology - InfoSec tags: - information security - XSS comments: [] ---

There's such a wealth of new XSS vectors coming out of the work on phpids that I couldn't resist sharing a few of the tastier morsels here. The original thread is over at sla.ckers if you want to read it there!

SirDarckCat brings us:

{% highlight javascript %} http://domain.org/?test=a%3D0%7C%7Ceval%7C%7C0%3Bb%3D0%7C%7Cunescape%7C%7C0%3Ba%28b%28location%29%29#%0d%0aalert%28%22xss%22%29%3B {% endhighlight %}

which corresponds to

{% highlight javascript %} a=0||eval||0;b=0||unescape||0;a(b(location)) {% endhighlight %}

So how the heck is this vector working? The statement formed at the end of the line reads: eval(unescape(location))

Eval executes whatever is inside it; unescape removes url encoded chars; but this means that the LOCATION is being evaluated. ma1 explains how this vector works (hint, it is to do with the newline chars in the url!)

http: - parsed as a valid ECMA262 label

//host:port/path/...#...[newline] - C++ style comment opener

yourPayloadHere() - :D

Now that is evil!

A further vector along the same lines which was originally provided by SirDarckCat and further obfuscated by myself (so modest I know - well, I thought I'd better contribute something original to this post!) is this little piece of trickery:

{% highlight javascript %} a=0||'ev'+'al',b=0||1[a]('loca' + 'tion.hash'),c=0||'sub'+'str',1[a](b[c](1)); {% endhighlight %}

The workings require a little explanation...

a is loaded with the eval statement that has been concatenated from 2 parts. b is loaded with an eval [a] of location.hash, again formed from 2joined strings. c is loaded with substr and then all 3 are pieced together to give: eval(location.hash.substr(1)) - so anything after the fragment identifier in the url will be executed as a payload.

Seriously interesting stuff guys - and keeping us busy over at the IDS!