Date: Sat, 13 Dec 2008 01:19:55 +1030
From: Malformed Guy <malformation@...mail.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Bruteforcing HTML and browser-sec to find BoF's


Hello, fellow F.D readers,

There have been a lot of recent IE exploits and talk of "browser-sec" floating around recently and I thought "Hey, what if you made a script that actually bruteforced html?" For example a script that spews out possible combinations of HTML/ASP/JAVASCRIPT/JAVA/SQL/PHP:

<html><h\ntml><ht\nml> 

<h\ntml><ht\nml> might not neccessarily cause anything to happen, let alone are they valid tags, but by bruteforcing, it could cause currently unknown vulnerabilities to appear to the security auditor. This could result in the browser to run into buffer overflow or a similar crash. When a crash is found, the program edits the file and slowly takes note of the current file, and proceeds to delete part of the file till there are no more crashes.  For example:

<html><h\ntml><ht\nml>
would now become 
<html><h\ntml><ht\nml
and subsequently
<html><h\ntml><ht\nm

Idea was inspired by the Samy worm:
http://namb.la/popular/tech.html
"To get around this, some browsers will actually interpret "java\nscript" as "javascript" (that's 
java<NEWLINE>script)."

Yours faithfully,
Malformation

P.S. Someone tell me this is an awesome idea, else I'll cry like a little girl.

_________________________________________________________________
It's simple! Sell your car for just $40 at CarPoint.com.au
http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fsecure%2Dau%2Eimrworldwide%2Ecom%2Fcgi%2Dbin%2Fa%2Fci%5F450304%2Fet%5F2%2Fcg%5F801459%2Fpi%5F1004813%2Fai%5F859641&_t=762955845&_r=tig_OCT07&_m=EXT
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists