Archiv verlassen und diese Seite im Standarddesign anzeigen : Question on internview with SirDarckCat

04.09.2007, 20:30
Specifically with his injection of
a=0||'ev'+'al',b=0||1[a]('loca' + 'tion.hash'),c=0||'sub'+'str',1[a](b[c](1));

For the most part, i think I see what he's doing here, but, as an app programmer, I'm trying to figure out how this could be used in an exploit. I'm hoping someone else here more experienced can enlighten me.

It would seem that to use it in an exploit, the attacker would either have to be able to inject it inside of some other javascript (ie the app is inserting the user-supplied data into some pre-existing javascript), or enclose it within script tags. In either case, i would think that if the attacker can do that, they probably dont have to do anything this elaborate.

Or was this simply an exercise in evading phpids's filters?

05.09.2007, 14:52
This vector definitely goes inside some javascript. As you said, this could be used either inside the script tags, event handlers etc. And yes, this vector was also also an attempt to test how IDS performed against these injections.

05.09.2007, 21:49
Hi, welcome to the forum!

Or was this simply an exercise in evading phpids's filters?

Yes it was - but if you watch the source of many actual exploits you can see advanced obfuscation techniques either - so the PHPIDS must be prepared for those kind of attacks. Also there are dozens of JS obfuscators available out there - which do not perform that complex obfuscating but sometimes quite similar...

Nevertheless the work kishor, SirDarckCat, Garteh, Giorgio, Martin and others are doing can't be automated that easily and is pretty unique!