RSnake's Vulnerability Lab


Strange... very strange...


These are things I am working on, or just... whatever... it's odd and it feels exploitable or interesting in a bad way. I don't care if these aren't directly exploitable, it's just things that have been bothering me or keep my brain working at nights. What happens to you or your machine when you try these is your own doing, I don't recommend doing any of these things on yourself or others. And if you're too stupid to read the text before you click on the link to understand what is about to happen to you, you probably deserve whatever is coming to you.
  • Gravatar email address brute forcer in JS space will force your users to brute force other people's email address for you.
  • Jeremiah's Safari autofill vulnerability will attempt to steal information out of your autofill but it's only tuned to work with Safari...
  • CSS History Hack In Firefox Without JavaScript for Intranet Portscanning (now down) allows attackers to see what ports are open behind the firewall in Firefox.
  • SMBenum allows attacker to enumerate local files via Internet Explorer.
  • Firefox XHR "ping" sweeper using cross domain XMLHTTPRequest. Only works in FF 3.5 and later.
  • Chrome header redirection in view-source (now down - fixed) Only works in Chrome.
  • DNS Rebinding server. Super simple example DNS Rebinding server code.
  • Slowloris Apache HTTP DoS.
  • Clickjacking demo code (now down) this example code is highly flexible and will allow you to clickjack virtually anything.
  • Denial of service using onblur causes an infinite loop of popups if you have JavaScript turned on even despite the recursion detection/prevention in Firefox. This appears to work less well in Vista than XP.
  • Res Timing File Enumeration Without JavaScript (now down) - enumerates files on your file system using IE7.0.
  • Proxy detection detects the presence of some proxies (like mod_proxy) in Firefox using forceful browsing, CSS history and error creation on the proxies using the %-- trick.
  • Tor de-anonymization requires Java and JavaScript to work, but shows the real IP address of users using Tor in Firefox.
  • Firefox SSL spoofing spoofs the lock using an .ico file.
  • Firefox LocalRodeo detection uses both an onerror and onload event handler with an image pointing to localhost to detect if it is installed or not.
  • Firefox header redirection allows JavaScript execution (try this in Firefox only).
  • CSS history hack without JavaScript uses conditional logic built into CSS to steal browser history without a single line of JavaScript. Boom!
  • Detect Google Desktop pulls a standard image from 127.0.0.1:4664 and if it's there the user has Google Desktop installed, if not, it's not turned on or isn't there.
  • Adblockplus work around detects if a string is set by Overture, and if so it doesn't attempt to do anything (since the banner is there). If it's not set, it uses the IP address of Overture which isn't blocked.
  • ISO-8895-1 nulls in Firefox This won't look like much to the naked eye or if you view source, but in Firefox this will render. In the absense of a real header (it should read 8859 not 8895) it attempts to figure out what you mean and after seeing the Byte Order Mark it guesses that it should be UTF-16BE. Click here to see what the source looks like.
  • Detecting IE7.0 small function to detect if you are using IE7.0 or not. It detects one of the small buttons in IE7.0 using the res:// handler.
  • Mhtml Internet Explorer 7.0 hang One too many redirects causes MSIE 7.0 to hang.
  • Mhtml Internet Explorer 7.0 Hack This demonstrates a vulnerability in Internet Explorer 7.0 and how it combines with Outlook. Using an mhtml redirect to another redirect to the target you can view the source accross domains. There are some issues in how it works, like requring at least one double link break but beyond that it is pretty effective at breaking the cross domain policy. The example I'm including allows you to read the user's email address and real address from Google.
  • Firefox Save Page As bug This demonstrates how the Firefox save page "complete" can be used to initiate a hidden vulnerability based simply on image detection. As if I had to tell you not to save HTML and run it from your computer, here's another reason.
  • Iframe HTTP Ping This shows that in Firefox you can use the onload event handler with an iframe to detect if the page is up or not.
  • Follow mouse proves that you can force a click in a browser by tricking the user into clicking another link, but really sending a click event through an iframe. I'm not trying to hide what I'm doing but this could easily be used to hijack clicks on banner ads.
  • Search Status SEO Firefox plugin detector used to detect other SEO experts, which can then make them do other things, or see different results or can even overwrite their CSS definition to think there is no rel=nofollow on the page.
  • CSS history hack to know where you've been (only works in Firefox at the moment).
  • Adobe Acrobat Reader Local XSS ExploitThis is a QTL file (a quicktime format) that loads in a local file (which is normally not visible to Firefox) as an inline Acrobat file, with an anchor tag that loads in a JavaScript directive that runs in local context. Clear as mud? This spawned a number of articles and Adobe issued a patch because it does allow you to compromise a machine running an unpatched Firefox or Opera install.
  • Timing attack using JavaScript a way to detect different states of a page using JavaScript timer (only works if pages are sizably different when logged in or logged out, for instance).
  • UTF 16 encoded webpage This won't look like much to the naked eye or if you view source, but trust me, it's very weird.
  • JavaScript login checker your milage may vary depending on the most recent layout of the login pages in question, but works in Firefox
  • De-anonymize Proxyline users in Internet Explorer This is a way to de-anonymize people using proxyline by injecting a null, which only works in Internet Explorer but bypasses the proxyline code.
  • STX Firefox issue click here and then view source in Firefox, it completely messes up the source (at least in Firefox 1.x and 2.0 - fixed in 3.0).
  • Privoxy test 2 different way to detect if privoxy is installed from below using Firefox by testing the color of a custom style that is only included if you have Privoxy turned on.
  • Privoxy test checks to see if the Privoxy chrome is called in an image and then errors out if if doesn't find it. It uses the technique from the firefox extentions test below.
  • Detect Firefox extentions uses chrome inside images to detect if you have certain plugins installed. This is out of date now, I think other people have expanded on my idea since this time, but the point is the same.
  • Using shdoclc.dll to check for Internet Explorer Internet Explorer exposes a few images that allow you to see if the browser is in fact Internet Explorer regardless of things like User-Agent spoofing.
  • Internet Explorer Persistance Isn't it nice to be able to store stuff in Internet Explorer that is outside of cookie space?
  • Variable Width Encoding Only works for Internet Explorer, but there are a number of variable width encoding techniques out there. This is just one of them. I'm still very much working on this one.
  • IE Sidebar Death Star I've played with this off and on for over a year. Before SP2 came out this was definitely going to work as an exploit, but now it requires human interaction and there are more stringent restrictions on the placement of popups. Anyway, it feels exploitable.
  • mailto: memory exhaustion? I get the feeling like this could cause a machine or at minimum a mail client/browser to crash due to memory exhaustion. Certaily it could cause you to close your mail client. It's just so buggy, it's difficult to tell what's causing the majority of the issues (the browser, the mail client or the embedded editor), and I get a mixed bag of results on machines. This will probably crash something when you click it, so be warned. It also requires that you have an associated mail client attached to the mailto: directive.
  • stack overflow in JavaScript on Internet Explorer? Not sure how this is a practical problem or even if it is a problem at all... I came across this building my XSS fuzzer - only works in Microsoft IE 6.0.
  • Open a Firefox window and enter this into the URI window: chrome://browser/content/browser.xul then do it in the newly spawned sub-window again and so on... seems to crash FireFox via memory exhaustion or something (CPU pegs at 100% for a while)... Not sure what to do about this one exactly...
  • View source on this bad boy. Text obfuscation at it's finest. Whenever someone says they know HTML I throw this at them (the source first) and ask them to tell me what it says. Just because you can build a webpage doesn't mean you know HTML. It also points out why regular expressions are almost useless for finding obfuscated text (this is relevant to anti-spam engines and of course the Turing halting problem in general).
  • A page can cause physical damage to a certain percentage of users. Taken from the Web Content Accessability Guidelines: "A flickering or flashing screen may cause seizures in users with photosensitive epilepsy and content developers should thus avoid causing the screen to flicker. Seizures can be triggered by flickering or flashing in the 4 to 59 flashes per second (Hertz) range with a peak sensitivity at 20 flashes per second as well as quick changes from dark to light (like strobe lights)." I don't know about you but the concept of physically harming someone with a website is a very interesting and scary attack. DoS at at the zero-ith OSI layer - the human layer.
  • XSS to attack hardware... I think we finished this one. Woot!


Written in vim, W3C valid and UTF-8 encoded, for her pleasure.
All rights reserved, all wrongs observed.
© 2001-2014 RSnake