terjanq issues

Results 11 issues of


                                            terjanq

Useful tool

Hello, I've made this tool (http://diephack.tk/tools/analyse.php) when I was decoding agar.io protocol, it's kinda useful. You can download whole folder here: https://dl.dropboxusercontent.com/u/22342617/analyse.tar.gz There is sniffws.js and sniffws.user.js (Tampermonkey compability) files...

Add more examples of utilising Frame Counting

* change in frames could be used to detect browser's error pages * first iframe appearance could be a nice indicator when the page loaded most of its components https://twitter.com/garethheyes/status/1335194323693019136

improvement

Rule 942200 triggers a substantial number of false positives.

### Description Not sure what rule [942200](https://github.com/coreruleset/coreruleset/blob/fc827de163a2b41608cb70078e1b5324c5bd35cd/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L743) is supposed to do exactly (as it's not docummented nor has tests), but it yields a lot false-positives. For example, the simple payload...

:heavy_plus_sign: False Positive

:bomb: sqli

Hints in Contribution section

Looks like hint boxes in [Contribution](https://xsleaks.dev/docs/contributions/) section are broken. ![image](https://user-images.githubusercontent.com/11320896/221372431-539cd99c-af8b-4ec3-86ab-cf006ae9fa19.png)

bug

Fix hintbox for CSS tricks

Hintbox in CSS tricks doesn't render properly. Additional language improvements.

Snow can be bypassed with inline script

```js var url = URL.createObjectURL(new Blob(['alert(window.origin)'])) var x = document.createElement('iframe'); x.srcdoc = `` document.body.appendChild(x); ```

Snow can be bypassed with native Prototype Pollution

## PoC: ```js // get the original ArrayIterator.prototype.next method var next = [].values().__proto__.next; // overwrite the method [].values().__proto__.next = function(){ var x = next.call(this); var win = x?.value; // leak...

Snow can by bypassed with polluting NodeList.prototype.length

PoC: ```js Object.defineProperty(NodeList.prototype, 'length', {value:0}); document.body.innerHTML = ''; iframe.alert(1337); ``` Vulnerable path: 1. `getFramesArray` called in https://github.com/LavaMoat/snow/blob/1c8faa81291e6f6dffe62b7106eff2492213375d/src/inserters.js#L29 2. `slice()` called on the results from `querySelectorAll` in https://github.com/LavaMoat/snow/blob/1c8faa81291e6f6dffe62b7106eff2492213375d/src/utils.js#L111-L113 produces an empty...

Snow can be bypassed with opener.alert()

It is possible to enable access to `opener` in various ways, e.g. opening two popups and using `opener` attribute on snow to perform the following: ```js // from: snow.playground opener.location...

Blob validation in Snow can be bypassed with native object copy

```js var url = URL.createObjectURL(new Blob(['alert(origin)'])); onmessage = e => location = URL.createObjectURL(e.data); postMessage(new Blob([``], {type:'text/html'})); ``` `postMessage(blob)` will trigger a native object copy which will strip the custom properties...