wafful.org - Web Security Blog

HTML 2.0 - Browser detection [3]

A new browser detection technique that uses only HTML 2.0, with no JavaScript or CSS hacks.

It can detect Firefox 2.0, Firefox 1.5, other Gecko engines, Safari 2, Safari 3, Opera, IE, w3m, Lynx, and other browsers.

html20hacks-snapshot.png


Yet Another Browser detection : HTML Slash Quote 2.0

HTML Slash Quote 2.0 is a new browser detection technique that uses no JavaScript, CSS, or binary tricks.

demo:

Browser detection[2] : HTML Slash Quote 2.0

HTML source

<img
 /''src="firefox.gif"
 /""src="sleipnir_gecko.gif"
   "src="safari.gif"
  ""src="konqueror.gif"
   /src="ie.gif"
    src="opera.gif"
    src="lynx.gif"
>

Example (lynx view)

browse2-lynx.png

Bibliography (thanks)

  1. http://d.hatena.ne.jp/hoshikuzu/20070925#p1 (in Japanese)
  2. http://d.hatena.ne.jp/hasegawayosuke/20070928/p1 (in Japanese)

New Browser detection : Web 2.0 HTML Hacks

A new browser detection technique that uses only HTML 2.0, with no JavaScript or CSS hacks.

Demo:

Browser detection : HTML 2.0 only (demo)

htmldump.gif

Example

perl -e 'print<<EOF
<img x=` s\x00rc="safari2.gif" ` sr\x00c="ie.gif"
         src\x00="webkit.gif"    src\x0c="opera.gif"
         src="gecko.gif"         src="lynx.gif"   />
EOF'

html20hacks-snapshot.png

PHP code in GIF image file

It was recently reported that image files with PHP attack code embedded in them were discovered on a major hosting site.

PHP code for an RFI attack can be embedded in GIF, PNG, JPEG, and other image files.

PHP code in GIF image file (sample)

phpinfo.gif

phpinfo-gif-dump.png  

include.php

<h1>PHP/GIF include demo</h1>
<?php
include("./phpinfo.gif");
?>

Result

phpinfo-gif-include.png 
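
A check an image uploader could run against the kind of file shown above. This is an added example, not code from this blog or from mod_imagefight; the function names, verdict labels and sample bytes are constructed for illustration.

```python
import re

# Magic bytes for the image types this page names (GIF, PNG, JPEG, BMP).
MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png",
         b"\xff\xd8\xff": "jpeg", b"BM": "bmp"}

# "<?php" (case-insensitive) and "<?=" (always enabled since PHP 5.4).
STRONG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)
# A bare "<?" is an open tag only when short_open_tag is on, and the two
# bytes also turn up by chance in compressed pixel data, so it is weak.
WEAK = re.compile(rb"<\?(?!php|=|xml)", re.IGNORECASE)


def image_type(data):
    """Return the image type implied by the leading magic bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_upload(data):
    """Classify raw upload bytes: returns (type, verdict, findings)."""
    kind = image_type(data)
    findings = [(m.start(), "strong") for m in STRONG.finditer(data)]
    findings += [(m.start(), "weak") for m in WEAK.finditer(data)]
    findings.sort()
    levels = {level for _, level in findings}
    if kind is None or "strong" in levels:
        verdict = "reject"
    elif "weak" in levels:
        verdict = "review"   # re-encode or inspect by hand before serving
    else:
        verdict = "accept"
    return kind, verdict, findings


# Constructed sample inputs (not files from the original post).
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01"
             b"\x00\x00\x02\x02D\x01\x00;")
# Same GIF with the page's phpinfo() call placed in a comment extension.
PHP_GIF = CLEAN_GIF[:-1] + b"!\xfe\x13<?php phpinfo(); ?>\x00;"
NOISY_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x12<?\x9a\x00\xff\xd9"

if __name__ == "__main__":
    for name, blob in [("clean.gif", CLEAN_GIF), ("php.gif", PHP_GIF),
                       ("noisy.jpg", NOISY_JPEG), ("raw.gif", b"<?php ?>")]:
        print(name, scan_upload(blob))
```

PHP's include() executes any file that contains an open tag, whatever its extension, so a scan like this complements keeping uploaded paths out of include() and does not replace it.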

Presentations

Here we collect links to presentations done in the past or in the future, and their materials (slides, audio and video) if available. Some of them are available only in English while others are in Japanese.

ImageFight!   

LL Spirit - Lightning Talks (2007-08-04)

powerpoint

Abstract

It was recently reported that image files with PHP attack code embedded in them were discovered on a major hosting site.

PHP code for an RFI attack can be embedded in GIF, PNG, JPEG, and other image files.

The talk explains five methods for fighting attack code embedded in image files, and considers what a safe image uploader looks like.


Download

Download software (source code available)

mod_imagefight

SOURCE

NOTICE

  • This is an ALPHA release. 
  • DO NOT use on a production server.

INSTALL

To play with this imagefight module first compile it into a DSO file and install it into Apache’s modules directory by running:

$ apxs -c -i mod_imagefight.c

SETUP

Then activate it in Apache’s httpd.conf file, for instance for the URL /, as follows:

# httpd.conf

LoadModule imagefight_module modules/mod_imagefight.so

<Location />
  AddOutputFilterByType ImageFight image/gif image/jpeg image/png image/bmp
# AddOutputFilter ImageFight .png .bmp .gif .jpg .jpeg
</Location>

for DEBUG only (disable browser cache)

# LoadModule headers_module modules/mod_headers.so

<IfModule mod_headers.c>
  RequestHeader unset If-Modified-Since
  RequestHeader unset If-None-Match
  Header unset Last-Modified
  Header unset ETag
</IfModule>


About

wafful.org is Yet Another Web Application Firewall Project, for mod_imagefight, mod_wafful…

ImageFight!

  • mod_imagefight - Apache 2 output filter
  • sanitizes image files (PNG, BMP, GIF, JPEG)
  • inserts anti-RFI/XSS code into the image dynamically
  • works around IE6’s XSS transparently on the server side
  • download

WAFful

  • mod_wafful - Apache 2 input filter
  • blocking XSS and SQL injections with white list
  • .htaccess
  • coming soon…
