Tuesday, December 31, 2019

Reading List - 2018

Should have published this several months ago but better late than never. Pretty light this time around; was dealing with other matters. That said, I really enjoyed all of these.

Books

Sunday, December 31, 2017

Reading List - 2017

Books

Sunday, July 23, 2017

True Tales of XSS: Function Hoisting

A simplified version of the code:
<script>
func().val('<?php echo htmlspecialchars($input, ENT_COMPAT, 'UTF-8'); ?>');
</script>
Overview: user-supplied $input is echoed into a JavaScript context after having HTML entities encoded. The func() JavaScript function is undefined, causing an exception and halting execution before any injected payload can be executed. We can't inject additional script tags due to the HTML encoding, so an XSS vector isn't immediately apparent.

But it's there.

To gain execution, we'll need to make sure func() is defined. We'll use a JavaScript feature called function hoisting. Hoisting allows a function to be defined after it's been used. The JavaScript interpreter will look ahead for an appropriate function definition and "hoist" it up in the code, so the function call can execute correctly.

We'll use the following payload:
'); function func() {payload}; //
In this payload, we'll finish the val() call, supplying an empty string. Next, we'll provide a definition of func() for the interpreter to hoist. We can insert our payload into func()'s definition and let the original call execute it. Lastly, we'll comment out the trailing "');" that's been left over from the original code.

Now the func() function is defined and will execute with our injected payload. You read a bit more about hoisting here and here.

Stay beautiful, XSS Rangers.

Friday, April 21, 2017

Reading List - 2016

Books

Web Application Hacker's Handbook deserves a special mention, as I'd used it as a reference but never gave it the attention it deserves. Although it's a bit older, it's still a solid introduction to web application testing, and does a good job of balancing breath and depth. Especially recommended for developers looking to learn more about webapp security and methodologies.

Saturday, March 25, 2017

True Tales of XSS: jQuery's text() Function

A simplified version of the code:
<div id="foo">
<?php echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'); ?>
</div>

<script>
var bar = $('#foo').text();
$('#foo').html('<b>' + bar + '</b>');
</script>

Overview: user-supplied $input is echoed after having HTML entities encoded. Next, it's read by jQuery's text(), some decorative tags are added, and written back with html(). Although there's usually little reason to do this in jQuery, it doesn't appear to be vulnerable to XSS.

And yet, it is.

1. We feed a standard XSS test to $input:
<script>alert(1);</script>
2. The $input is encoded with htmlspecialchars(), effectively preventing our XSS from functioning:
 &lt;script&gt;alert(1);&lt;/script&gt;
 3. Our encoded $input is read by jQuery's text() method, which should remove tags and only return the text contents of HTML elements. So, at this point, we could assume our $input would still be:
&lt;script&gt;alert(1);&lt;/script&gt;
Or, if it also removes encoded tags, possibly:
alert(1);
However, text() actually decodes HTML entities and will happily return valid HTML, restoring our $input to its original state:
<script>alert(1);</script>
4. Decorative formatting tags are added to the $input:
<b><script>alert(1);</script></b>
5. The $input is written back to the page with html(), which will also execute our script tag and launch our test payload.

So, keep an eye out for the next time you see text() handling user input, XSS Rangers.

Sunday, January 29, 2017

Flora and Neopixel Ring Quickstart Guide

To celebrate Micro Center carrying Adafruit products, I picked up a Flora V3 and a NeoPixel Ring. Here's a quick guide for making the Flora light that Ring up.

Note: you'll need a micro-B USB cable and some wires. Most of this guide should also work for the NeoPixel strips but your wiring will differ a bit.

Get the Arduino IDE
If you don't already have it, get the Arduino IDE. Download the most recent version of the IDE from the Arduino website and follow the installation instructions (links: Linux, Windows, Mac).

Add Flora Support
Follow the steps to add the Adafruit Board Support package, which will let us use the Flora. Then follow Adafruit's OS-specific instructions (links: Linux, Windows, Mac).

I used IDE version 1.8.1 on Ubuntu 16.04 LTS. As mentioned in the Linux instructions linked above, I also had to add udev rules to make everything jive.

Add NeoPixel Support
Next, you'll need to add the Adafruit NeoPixel library. This will let us use the Flora's on-board NeoPixel as well as the Ring. The easiest way is via the IDE's Library Manager.

You can do this by navigating to "Sketch," then "Include Library," then "Manage Libraries." Search for "neopixel" and install the "Adafruit NeoPixel" library.

Verify Your Setup Works
Verify your Flora + NeoPixel setup by blinking the Flora's onboard NeoPixel.

Save the linked demo code in your current sketch. Under the "Tools" menu, ensure "Board" is set to "Adafruit Flora" and the correct "Port" is selected (mine was /dev/ttyACM0).

Under the "Sketch" menu, select "Verify/Compile," which should complete without errors. Then select "Upload" to push the code to your Flora.

Once it finishes, your Flora should put on a small light show.

Wire Up Your Ring
Now we're ready to wire the Ring to the Flora. I'm lazy, so I used alligator clips. If you're going to go this route, you'll probably want to solder small leads onto the Ring, as it can be a bit difficult to get a solid connection with the clips.

You'll want to connect the Flora's "3.3V" to the Ring's "PWR," the Flora's "GND" to the Ring's "GND," and the Flora's "#9" to the Ring's "IN."


Light Up The Ring

Now we can modify the demo code to use the Ring. We'll need to tell it that we have more LEDs and we're now using the #9 pin. Change the PIN constant from 8 to 9. Change the first parameter of "Adafruit_NeoPixel" from 1 to 12 (or however many LEDs your Ring contains). That's it.
#include <Adafruit_NeoPixel.h>
#define PIN 9
Adafruit_NeoPixel strip = Adafruit_NeoPixel(12, PIN, NEO_GRB + NEO_KHZ800);
As before, "Verify/Compile" then "Upload." The light show should be a bit better now.

That Was Too Easy
Check out the NeoPixel library reference.

Here's some neat projects that use these things. Check out their code to get more ideas:

Monday, May 30, 2016

Reading List - 2015

A little light on the technical books this year but I tried to focus my efforts on a worthwhile periodical instead.

Books

Bonus Level