Archive for the PHP Category

I was checking the Planet WebSec feed this morning (BTW, Christ1an must have something personal against me, as he told me he was about to add my blog one month ago…)

Latest post was this “So you think you’re a hacker?” by Gareth Heyes, which in turn tracked back to this “7 minutes to kill a monster” by my friend Eduardo Vela, AKA Sirdarckcat.

Both were about a sort of (un?)official challenge to find XSS vectors capable of bypassing the famous PHPIDS tool, a game both Sirdarckcat and I already found quite funny in the beginning of past July and, according to Mario Heiderich, helped him in hardening his PHPIDS filters.

At any rate, Sirdarckcat’s post ended like this:

I’m sure that Gareth Heyes, and Giorgio Maone will be the next to find some vectors

Wow, so there’s a party and sounds like I’m officially invited ;)

OK, let’s bring in some beer:

  1. a=eval,b=(name);a(b)
  2. a=open,b=(name);a(b)
  3. a=setTimeout,b=(name);a(b)

Notice that — quite obviously — you will need to disable NoScript (or at least disable its anti-XSS protection and allow both hackademix.org and php-ids.org), if you want to get some joy from the links above.

Cheers :)

Bad Behavior has blocked 7402 access attempts in the last 7 days.