xmlHttpFingerprint - Remote OS fingerprinting through xmlHttpRequests

Posted by SkyLined on October 31st, 2008 in and · 2 Comments

Dan Crowley recently released a paper (txt, pdf) describing how web servers installed on various Operating Systems (OS) respond differently to certain requests depending on which OS they are installed on. I’ve created a PoC script that will scan a machine using xmlHttpRequest to determine what OS it is running. It’s pretty basic, but proves the technique works well for most systems.

Updated: I added CR/LF OS detection

The script is available here.

Example usage:

H:\dev\xmlHttpFingerprint>xmlHttpFingerprint.cmd skypher.com
*** xmlHttpFingerprint v0.3 (C) 2008 Berend-Jan ”SkyLined” Wever.
    http://skypher.com/SkyLined/download/xmlHttpFingerprint/xmlHttpFingerprint.cmd
*** Based on research by Dan Crowley.
    http://www.x10security.org/appOSfingerprint.txt

*** Testing server skypher.com…
[+] GET ”http://skypher.com” …ok (200 OK).
[+] GET ”http://skypher.com/random 404 0.2375990452056771″ …ok (404 Not Found).
[+] GET ”http://skypher.com/\\\.” …ok (404 Not Found).
[+] GET ”http://skypher.com/../” …ok (400 Bad Request).
[+] GET ”http://skypher.com/nul” …ok (404 Not Found).
[+] GET ”http://skypher.com/%1A” …ok (404 Not Found).
[+] GET ”http://skypher.com/%3F” …ok (404 Not Found).
[+] GET ”http://skypher.com/*/” …ok (404 Not Found).

*** Results:
    Server header        : Aleto HTTPd
    CR/LF fingerprint    : *nix
    Response signature   : 404-404-400-404-404-404-404
    OS Signature matches : 404-404-400-404-404-404-404 100% Apache/nginx, *nix

H:\dev\xmlHttpFingerprint>

Fuzzing Opera browser: how to get rid of the “start-up dialog” after a crash

Posted by SkyLined on October 23rd, 2008 in and · 0 Comments

If you want to automate running Opera to run fuzzers, you’ll find that once you’ve crashed Opera, it does not start as normal the next time you run it. Opera had provided a “start-up dialog” for your convenience that shows up after you’ve crashed it. Also, Opera has a session restore feature that can cause problems when you start Opera using the command-line to open a URL; it will open the pages from the previous session as well. Unfortunately, I was unable to find configuration settings to disabled either one of these features. 

To get around these problems I’ve created a program that will modify the “Opera.ini” file as well as delete the session folder. If you run this program, it will remove all traces of a crash that cause Opera to open the start-up dialog and restore the previous session. After running it, you can start Opera as usual.

On the off chance that you’ve encountered this problem, I’ve made the program available here. The program is called “dirtyOperaHack.cmd”. It is a chimera file; part JavaScript, part batch-file. I’ve also included the individual source files from which it was created for your convenience. You can run “make.cmd” to create ”dirtyOperaHack.cmd” from the individual source files.

String concatenation vs. Array joins

Posted by Cipher on September 30th, 2008 in and · 0 Comments

I’ve read several websites which claim that string concatenation is outperformed by array joining in PHP. I know from firsthand that this certainly is a fact in ASP. And it’s considered a ‘best practice’ in Javascript and probably several other languages. But PHP has always been a bit different on some parts, so I decided to test this and came to some interesting conclusions.

The following tests were performed 50 times with PHP 5.2.6.

First I tested the following pieces of code for parse time, $iConcats was set to 5000:

for($i=0; $i<$iConcats; ++$i)
{
$o .= ‘aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa’;
}

This parsed on avarage in 0.0065 seconds.
Next up was the array equivalent:

for($i=0; $i<$iConcats; ++$i)
{
$a[] = ‘aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa’;
}
$a = join(”, $a);

This parsed on average in about 0.0187 seconds. That’s almost 3 times slower!
I deliberately added the join statement as it completes the comparison. And dor the more visually oriented amongst us, google provides nice graphs:

Who doesn't like pie?

During the measurements I also tracked the memory usage, which had the same outcome, concatenation wins again.

For string concatenation memory usage was ~56Mb. The array version used up ~155Mb. Again the three times! And again, let’s look at some graphs:

And in pie:

So in conclusion (at least for PHP 5.2.6) string concatenation is faster than array joins!

Strings vs Arrays: 2-0.

If you have some test resutls you want to share, please respond below or send me an email, you can reach me at: korneelwever. I’m with the Google mail service ;-).

JavaScript Shell 4.4beta

Posted by SkyLined on September 16th, 2008 in and · 0 Comments

I’ve put a new version of JSSh, my interactive  JavaScript Shell, online at http://jssh.skypher.com. I’ve replace the error handlers and object visualization routines, which should improve your grasp of what’s going on in various browsers. I’m putting the source code for these new routines on my wiki here - I hope you’ll find them useful and I’ll try to do better documentation soon.

YouJukebox

Posted by SkyLined on September 8th, 2008 in and · 2 Comments

If you want to listen to a certain song but don’t have the mp3, you can always look it up on YouTube. With a bit of script this can be made very easy using Google Search and the “I’m feeling lucky” feature.

http://skypher.com/SkyLined/YouJukebox

You just type the artist and song and it’ll play the first hit on YouTube, which is commonly what you want to hear.

Google Chrome released

Posted by SkyLined on September 4th, 2008 in , and · 4 Comments

Finally I can talk about what I’ve been doing since I left Microsoft: I’ve been working on security for Google Chrome; trying to find as many vulnerabilities before we shipped the beta. In the process I’ve found plenty of bugs in other browsers as well :). I’m looking forward to the first real externally found security vulnerability; there have been some reports about crashes but nothing that allows an attacker to completely compromise the machine… we’ll see what happens!

JavaScript stack trace

Posted by SkyLined on August 26th, 2008 in , , and · 0 Comments

I’ve created an example script that outputs a stack dump in JavaScript. It shows all the functions that have been called, their arguments and the values of these arguments. I find it to be very useful while writing complex JavaScripts - I use it in asserts and error handlers to find out why things go wrong quickly. It works in Internet Explorer, FireFox and Safari, but not in Opera.

Available here

Google Enhancements

Posted by Cipher on August 15th, 2008 in , and · 0 Comments

I’ve updated my userscripts for Google with Greasemonkey.

Google Instant Type

I added the Classic homepage to the list where it should add the buttons. I also added a button to search Google News.

Google Own Language

Fixed the layout crash due to Google’s tiny HTML adjustment. Also added support for Google News and Images.

Please feel free to respond if you have a request!

StumbleUpon XSS

Posted by SkyLined on August 12th, 2008 in and · 0 Comments

I discovered a type 1 XSS issue in the StumbleUpon website. Input in the POST form at http://www.stumbleupon.com/delete_account.php was not properly sanitized. I’ve create an example that executed script in the www.stumbleupon.com domain. It shows a popup containing your current username (if you are logged in), the domain and the cookie for the domain. The repro can be found here:
http://skypher.com/SkyLined/Repro/StumbleUpon/XSS%20in%20delete_account.php.html. The StumbleUpon people were very quick to respond and fix the issue. You will notice that the repro no longer works.

XSS bugs in social websites like StumbleUpon are especially dangerous as such websites may allow an attacker to create an XSS worm. An XSS worm is a piece of JavaScript and HTML which uses XSS to post messages on behalf of any user visiting a page that contains the worm. These messages will put the worm code on other pages as well, causing those pages to also start spreading it whenever a victim visits the page. This causes it to spread faster and fast as more and more pages are infected.

ASCII Art

Posted by SkyLined on August 3rd, 2008 in and · 0 Comments

I’ve put some of the ASCII Art I’ve created over the years online here. This includes never before publicly released ASCII Art shellcode.

« Previous Entries