[Owasp-leaders] Help...

Abraham Aranguren abraham.aranguren at owasp.org
Tue Sep 11 20:42:36 UTC 2012


@Gareth: Didn't we agree you would stop sharing 0-days just like that? :)

+1 to Gareth: A link to shazzer is a must on any XSS filter evasion
cheat sheet
There are many unpatched vulnerabilities there, and as new browsers come
up, vulnerabilities are found more efficiently than ever before.
For example, using shazzer you could try to find a bypass for a given
XSS filter based on a browser version just released the day before.

I would suggest pointing to shazzer in two ways from the filter evasion
cheat sheet:
1) Available public vectors (for quick lookups)
2) Create your own vectors (in case existing bypasses are not useful in
the context of your filter)

In addition to this, hackvertor (another awesome creation by Mr Heyes)
is also handy for encodings, etc., and possibly also deserves a mention in
a filter evasion cheatsheet:
https://hackvertor.co.uk/public

My 2 cents,

Abraham

On 09/11/2012 01:42 PM, gaz Heyes wrote:
> On 11 September 2012 11:24, Johanna Curiel <johanna.curiel at owasp.org
> <mailto:johanna.curiel at owasp.org>> wrote:
>
>     this looks like an excellent tool. With this I'll be able to test
>     the vectors in the newest browsers and also check the successful
>     ones.
>
>
> Shazzer also has a JSON API btw so you can automatically construct a
> cheatsheet.
>
> Info:
> http://shazzer.co.uk/json?action=info
>
> Get a list of public vectors:
> http://shazzer.co.uk/json?action=vectorList
>
> Get a specific vector:
> http://shazzer.co.uk/json?action=export&vectorID=203
>
> The JSON includes a template for the vector as well as a PoC url
> [{"vectorTemplate":"\u003cimg src=xxx:xxx title=1*chr*\/onerror=logChr(*num*)\u003e","vector":"\u003cimg src=xxx:xxx title=1%09\/onerror=logChr(1)\u003e","chr":9,.....
> Any non-displayable characters are URL-encoded.
>
> You can find all sorts of vulnerabilities from crashes, charset issues
> and DOM xss issues such as recently I found Firefox translates the
> host part of an anchor:
> http://shazzer.co.uk/database/All/Characters-allowed-as-lt-in-url
>
> <a
> href="http://&#xfe64script&#xfe65;alert(1)&#xfe64&#xff0f;script&#xfe65" id=x>test</a>
> <script>
> document.write(x.host);
> </script>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
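As an added example (not code from this thread, nor from Shazzer itself), a small Python reader for export records shaped like the one Gareth quotes above: it fills the *chr*/*num* template, applies the URL-encoding rule he describes, and drops any record whose stored vector does not match its own template before it is copied into a cheat sheet. The "num" field and the treatment of non-ASCII code points are assumptions, since the quoted record is truncated.

```python
import json
from urllib.parse import quote

# Constructed sample: one record shaped like the Shazzer export JSON quoted in
# the thread. The "num" field is an assumption; the quoted record is truncated
# after "chr":9, so its remaining fields are not known here.
SAMPLE_EXPORT = (
    r'[{"vectorTemplate":"\u003cimg src=xxx:xxx title=1*chr*\/onerror=logChr(*num*)\u003e",'
    r'"vector":"\u003cimg src=xxx:xxx title=1%09\/onerror=logChr(1)\u003e","chr":9,"num":1}]'
)


def encode_chr(code: int) -> str:
    """Render a code point the way the thread describes: printable ASCII is
    kept literal, anything else is percent-encoded (UTF-8 assumed for >0x7F)."""
    ch = chr(code)
    if 0x21 <= code <= 0x7E:
        return ch
    return quote(ch, safe="")


def expand_template(template: str, code: int, num: int) -> str:
    """Fill the *chr* and *num* placeholders of a vectorTemplate."""
    return template.replace("*chr*", encode_chr(code)).replace("*num*", str(num))


def load_vectors(json_text: str) -> list:
    """Parse an export document and keep only records whose stored vector
    matches its own template, so a garbled or tampered record is not
    copied into a cheat sheet unchecked."""
    good = []
    for rec in json.loads(json_text):
        expected = expand_template(rec["vectorTemplate"], rec["chr"], rec["num"])
        if rec["vector"] == expected:
            good.append(rec)
    return good


def cheatsheet_lines(records: list) -> list:
    """One cheat-sheet line per record: code point, its encoded form, vector."""
    return [
        f"U+{rec['chr']:04X} ({encode_chr(rec['chr'])!r}): {rec['vector']}"
        for rec in records
    ]


if __name__ == "__main__":
    for line in cheatsheet_lines(load_vectors(SAMPLE_EXPORT)):
        print(line)
```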
