
XSS Cheat Sheet: two stage payloads

June 27, 2007 at 12:34 am - Filed under aa, bb - 2093 words, reading time ~6 minutes

When exploiting XSS holes you often find yourself working around size/length and character limitations. To avoid this type of problem, a technique called "two stage payloads" comes in handy. It is generally used when exploiting memory management vulnerabilities, but it applies to the XSS world too. The very basic idea is to split the payload into two parts: one that has to be injected at the entry point (PAY_ENTRY) and one that contains the actual data (PAY_DATA).

XSS Cheat Sheet: the PLAINTEXT tag

June 10, 2007 at 10:21 pm - Filed under aa, bb - 775 words, reading time ~2 minutes

When performing XSS attacks it often happens that the payload is displayed, and executed, multiple times, resulting in unwanted and unexpected behaviour. This can be avoided in many ways, for example by setting a global variable in JS (e.g. window['started'] = true;) and checking for the variable's existence at the very beginning of the payload, but when the filters are crazy and every char requires notable effort (or when you are just in a hurry) one cheat gets the job done: the <PLAINTEXT> tag.

Linuxpersec2 in Verona (16/17 June)

June 10, 2007 at 3:57 pm - Filed under aa, bb - 436 words, reading time ~1 minute

On Saturday 17 June, Linuxpersec2 (Conosciamo altri modi... per proteggerlo! - "Let's learn other ways... to protect it!") will be held in Verona at the Itis G. Marconi (Piazzale Guardini 1), with various talks on personal security and Linux. The event is free and of course you are all invited :D

Install Firefox XPI without whitelist

June 4, 2007 at 4:50 pm - Filed under aa, bb - 824 words, reading time ~2 minutes

Today I was reading Firefox XPI Install Prevention Bypass and, while it is not what it promised to be (there is no Install Prevention Bypass), it contained useful information that helped me develop two distinct thoughts.

Firefox <= DOM Keylogger (bypass same-origin policy)

June 3, 2007 at 9:20 pm - Filed under aa, bb - 542 words, reading time ~1 minute

On 30 May the Mozilla Foundation announced in MFSA (Mozilla Foundation Security Advisory) 2007-16 a bug discovered by moz_bug_r_a4 that can bypass the same-origin policy using the addEventListener helper. Needless to say, you can do really nasty things by exploiting this hole, ranging from XSS attacks to keystroke logging, with no same-origin limitation. If you are impatient, jump directly to the demo DOM Event Keylogger.
