MonkeHacks #27

Shazzer, Phrack, Newlines


I’m back in Scotland now! I spent a lot of time optimising my bounty flow to be more tax-efficient (less tax means fewer bounties needed to support myself!). So I did quite a bit of reading for this purpose. I set up my company officially.

I spent a few days in Dublin to meet my friend from France. It was fun! He’s a Freemason, so we went to the Freemason Hall in Dublin for a tour, which was pretty cool. The vibes of the place are a bit cultish, but it was cool.

The Fringe festival is in full swing, so Edinburgh is absolutely packed with people. I try to stay out of the city centre.

Edinburgh during the Fringe festival. So. Many. People.

Gadget of the Week

This week’s Gadget of the Week is the newline (%0A when URL-encoded). I often see reflected HTML and JavaScript contexts that reject most of the usual XSS characters but accept newlines, which survive into the DOM. On its own this isn’t a vulnerability, but it’s a good litmus test for how robust the page’s input sanitisation really is. Backslashes are worth trying for the same reason: inside a JavaScript string literal a stray backslash or a raw newline breaks the literal and triggers a syntax error, which is easy to spot. Keep your eyes peeled.
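The litmus test above, as an added example (not code from the original post). It assumes a hypothetical filter, naiveSanitise, that strips the usual XSS characters but lets newline and backslash through, and a reflection point inside a JavaScript string literal; the helper names (reflectIntoJsString, reflectSafely, probe) are this example’s own. Compiling the reflected script with `new Function` shows, without executing anything, which survivors actually break the page.

```javascript
// Added example, not from the original post. Models the newline/backslash
// litmus test with a hypothetical filter and a JS string reflection context.

// Hypothetical server-side filter: drops < > " ' / and the word "script",
// but leaves newline, carriage return and backslash untouched.
function naiveSanitise(input) {
  return input.replace(/[<>"'\/]/g, "").replace(/script/gi, "");
}

// The reflection context assumed here:  var q = "<INJECTION>";
function reflectIntoJsString(value) {
  return `var q = "${value}";`;
}

// Hardened alternative: JSON-encode the value (escapes \n, \r, \\ and "),
// then hex-escape the HTML-significant characters and the Unicode line
// terminators so the result is also safe inside an inline <script>.
function reflectSafely(value) {
  const json = JSON.stringify(String(value));
  const escaped = json.replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
  return `var q = ${escaped};`;
}

// Compile the reflected script without running it. A SyntaxError means the
// input broke out of the literal even though the filter removed the quotes.
function compiles(code) {
  try {
    new Function(code);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Append each candidate to a harmless prefix, run it through the filter and
// report whether it survived and whether the reflected script still parses.
// The candidate goes last on purpose: a trailing backslash escapes the
// closing quote, which is the error the post mentions.
function probe(sanitise, reflect, candidates) {
  const report = {};
  for (const [name, ch] of Object.entries(candidates)) {
    const out = sanitise("abc" + ch);
    const survived = out.includes(ch);
    report[name] = { survived, breaksScript: survived && !compiles(reflect(out)) };
  }
  return report;
}

// Constructed probe set: the characters a filter usually blocks, plus the
// two the post recommends trying.
const CANDIDATES = {
  lt: "<", gt: ">", dquote: '"', squote: "'", slash: "/",
  newline: "\n", cr: "\r", backslash: "\\",
};

// Example run: newline, CR and backslash survive the filter and break the
// script; with reflectSafely nothing does.
// console.log(probe(naiveSanitise, reflectIntoJsString, CANDIDATES));
```

The point of the harness is the second column: a character that is reflected *and* produces a parse error is exactly the signal you would watch for in the browser console when testing a real page.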

Weekly Ideas / Notes 

  • People don’t seem to understand how to use Shazzer, so I’ll break it down simply.

    • Suppose you control a source that ends up in the src attribute of an iframe, i.e. <iframe src="<INJECTION>"></iframe>. But the WAF blocks javascript:, so at first glance you can’t get XSS here.

    • Now we simply ask: what characters are valid in this position that we could use to fool the WAF? This is where Shazzer comes in.

    • So we look for a vector like "HTML entities inside JavaScript URL before colon", because the WAF is looking for the whole "javascript" string in one piece. If we can break that string up while keeping the protocol working, we can pop this XSS. The reason it can work at all is that the browser decodes HTML entities in the attribute value before it ever reaches the URL parser, and the URL parser discards tab and newline characters, so the string the WAF inspects and the string the browser executes are different.

    • This gives us three results: &colon;, &NewLine; and &Tab;. So let’s try them out like this: javas&Tab;cript:alert(1).

    • And boom, the WAF is bypassed. This general question of "what can I do in this situation?" is the core of the matter, and it is what Shazzer is designed to answer. Shazzer also lets you run your own fuzzing tests to find answers to these questions and share the results with everyone else. Credit goes to Gareth Heyes for masterminding Shazzer.

  • I made a ton of progress on my ongoing research. Nothing is quite vulnerable yet but I have a lot of interesting behaviours that are completely unexpected. That’s where the fun usually starts in security research. Now to turn these into bugs!

  • The next round of the Ambassador World Cup is starting soon. I can’t participate, because I moved country in the middle of it, but best of luck to all of the competing hackers!
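The bypass walked through in the Shazzer notes above, as an added example (not code from the post and not Shazzer’s own code). It models the two steps a browser applies to an iframe src, HTML entity decoding of the attribute value and then WHATWG URL parsing, which removes ASCII tab and newline, and runs the three Shazzer hits against a hypothetical substring-matching WAF rule. Assumptions: Node’s built-in URL class stands in for the browser’s URL parser, only the handful of named entities used here are decoded, the page origin used as the base URL is the hypothetical https://example.com/, and all helper names are this example’s own.

```javascript
// Added example, not from the original post. Reproduces the entity-based
// javascript: bypass with a hypothetical WAF rule and Node's WHATWG URL parser.

// Only the named entities relevant here; a browser decodes the full table.
const NAMED = { colon: ":", NewLine: "\n", Tab: "\t", amp: "&", lt: "<", gt: ">" };

// Attribute-value entity decoding: named, decimal (&#10;) and hex (&#x0A;) forms.
// Named entities are case-sensitive (&Tab; is one, &tab; is not), so the
// lookup uses the exact body; unknown entities are left as written.
function decodeEntities(attrValue) {
  return attrValue.replace(/&(#x[0-9a-f]+|#\d+|[A-Za-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : m;
  });
}

// Hypothetical WAF rule: rejects the raw attribute value if it contains
// the literal string "javascript:". This is what the entities defeat.
function naiveWafBlocks(raw) {
  return /javascript:/i.test(raw);
}

// Hypothetical page origin, used to resolve relative src values.
const PAGE_BASE = "https://example.com/";

// What the browser ends up with: the scheme of the URL after entity decoding.
// The URL parser strips tab and newline, so "javas\tcript:" becomes "javascript:".
function effectiveScheme(raw) {
  try {
    return new URL(decodeEntities(raw), PAGE_BASE).protocol;
  } catch (_e) {
    return null; // unparseable URL
  }
}

// Hardened check: an allowlist applied to the value the browser will see,
// rather than a blocklist applied to the raw bytes.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
function isAllowedSrc(raw) {
  return ALLOWED_SCHEMES.has(effectiveScheme(raw));
}

// Constructed payloads: the plain form, the three Shazzer hits, a numeric
// entity variant of &NewLine;, and a benign URL for comparison.
const PAYLOADS = [
  "javascript:alert(1)",
  "javas&Tab;cript:alert(1)",
  "javas&NewLine;cript:alert(1)",
  "javascript&colon;alert(1)",
  "javas&#x0A;cript:alert(1)",
  "https://example.com/",
];

// One row per payload: does the naive rule block it, what scheme does the
// browser actually get, and does the allowlist accept it.
function evaluate(payloads) {
  return payloads.map((p) => ({
    payload: p,
    naiveBlocked: naiveWafBlocks(p),
    scheme: effectiveScheme(p),
    allowed: isAllowedSrc(p),
  }));
}

// console.table(evaluate(PAYLOADS));
```

The rows for the four entity variants all show naiveBlocked false and scheme "javascript:", which is the WAF bypass; the allowlist rejects all of them and still accepts the benign URL. The general lesson is the one the notes make: normalise the way the consumer will before you match.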

Resources

  • Phrack 71: Are you a hacker? Yes? Read this magazine. It doesn’t publish new issues very often. Once every 1-4 years, on average.

  • SQL Injection Isn’t Dead: Smuggling at the binary protocol level across various database engines.

  • Gotta Cache ‘Em All: bending the rules of web cache exploitation: this research, while in the shadow of James Kettle and Gareth Heyes, is still very cool! It looks at the different delimiter characters that decide where a path ends for the cache versus the origin server, a neat edge case of web cache vulnerabilities. The delimiter isn’t always a full stop.