Myspace

Re: Myspace

johnsonsmith1 — Thu, 03 Jan 2008 23:23:52 -0600

I don't think that is possible. All XSS has been patched from profile.myspace.com

Re: Myspace

GaSmo — Sun, 30 Dec 2007 17:21:51 -0600

this is my post ;) so i know bout the hole.
the question for me is now, how can i use this to get something
from my visitor, without having him to click on a link?
some held would be nice.

last day in 2007

Re: Myspace

rsnake — Sun, 30 Dec 2007 14:58:51 -0600

This just popped up today: http://sla.ckers.org/forum/read.php?3,18640

Re: Myspace

GaSmo — Fri, 21 Dec 2007 13:12:44 -0600

hmmm, damn.

so there is no way to run js in myspace?
i don't want to steal cookies or phis user accounts,
i only want to send a myspace jsvariable to an external server.

any other ideas? some hints? anything?

Re: Myspace

kefka — Fri, 21 Dec 2007 12:30:14 -0600

Those are from January, bro.

Quote

Re: Myspace new
Posted by: rsnake (IP Logged)
Date: January 15, 2007 01:12AM

Re: Myspace

GaSmo — Fri, 21 Dec 2007 11:13:43 -0600

yeah - that are the vectors i found too.
But nowow i'm still not able to get it executed.

I tryed to use onmediaerror,
but myspace makes :

out of:

octal and hex encoded strings are filtert too, so anyone can give me
hint how to usw it please?

Re: Myspace

rsnake — Sun, 14 Jan 2007 19:12:54 -0600

Remind me not to be your friend, Spikeman. ;)

Re: Myspace

Spikeman — Sun, 14 Jan 2007 16:36:45 -0600

Personally, I think it's funny how when they put in the new filters they don't make everyone refilter their page. As far as I know, they've only done this once.. as a result I have about 6 months worth of my friends cookies. :P

Re: Myspace

jungsonn — Sat, 13 Jan 2007 08:17:13 -0600

Cool stuff.

Ok so this:

what if I make:

=alert('xss');>

it will render like this?

=alert('xss');>

so only "while loops ^^

Re: Myspace

OrbityBaby — Fri, 12 Jan 2007 12:41:10 -0600

digi7al64 Wrote:
-------------------------------------------------------
> @Jungsonn
> Until yesterday i believe myspace allowed event
> elements in submitted code along as the following
> character was not an = sign. However due to our
> persistant xss attacks they have now added filters
> (contained in a while loop) to check for them and
> replace them altogether (regardless of where they
> are).
>
> Before we where tricking their filter by forming
> strings such as
>
>
>
> "
>
> The reason this was so successfull was that it
> seems there filters only ever checked for
> "onload=" which wasn't being presented. hence it
> passed the filter.
>
> But in all fairness their filtering system is a
> joke and once ^6 is patched i might release a
> couple more vectors that show again how bad their
> filter system is.

I can't wait for the one you're working on that will hopefully work with IE!!! Thank you for all of your hard work. ;)

Re: Myspace

digi7al64 — Fri, 12 Jan 2007 03:28:58 -0600

@Jungsonn
Until yesterday i believe myspace allowed event elements in submitted code along as the following character was not an = sign. However due to our persistant xss attacks they have now added filters (contained in a while loop) to check for them and replace them altogether (regardless of where they are).

Before we where tricking their filter by forming strings such as

"

The reason this was so successfull was that it seems there filters only ever checked for "onload=" which wasn't being presented. hence it passed the filter.

But in all fairness their filtering system is a joke and once ^6 is patched i might release a couple more vectors that show again how bad their filter system is.

Re: Myspace

jungsonn — Fri, 12 Jan 2007 02:18:25 -0600

@digi7al64

I'm a little oblivious on myspace stuff, so I got a question:

If you mess around with these vectors above:

onabort
onblur
onchange
onclick
ondblclick

are these strictly blocked? like match -> "onclick"

and is there a way something like:

on click + onclick ?

Re: Myspace

maluc — Fri, 12 Jan 2007 02:17:23 -0600

system: very clever.. honestly javascript is way too versatile for it's own good _-_

but i guess it's only trying to follow in the footsteps of it's slutty step-sister HTML.

broken code should not be fixed automatically at run time =.=''

-maluc

Re: Myspace

digi7al64 — Thu, 11 Jan 2007 18:40:52 -0600

kuza55 and spikeman

As of today, myspace have reimplemented the event filtering regex

onabort
onblur
onchange
onclick
ondblclick
onerror
onfocus
onkeydown
onkeypress
onkeyup
onload
nowonmousedown
onmousemove
onmouseout
onmouseover
onmouseup
onreset
onresize
onselect
onsubmit
onunload

now all revert to ..

Also it would appear that they have implemented a semi looping process to look for these elements.

Re: Myspace

SystemOfAHack — Thu, 11 Jan 2007 18:24:23 -0600

In reply to: maluc
who posted [snippet]: "They do already filter "eval(" which is good.."
on: December 17, 2006 12:27PM

I found some ways to get around javascript function filters. I'm surprised I've never seen this anywhere already. Simple bit of logic.

http://xssxss.1111mb.com/xss/xss.html

view-source to get an explanation ;)

I suppose you can also use things like javascript:%61lert('xss'); but that would be URL-only from what I gather. Like, you couldn't have inline script access and use %61lert('xss') I don't think... [without "unescape()" and probably "eval()"]

Re: Myspace

Spikeman — Wed, 10 Jan 2007 03:05:35 -0600

Yeah I remember them doing something like that.. they don't anymore? That seemed like a much more effective way.

Re: Myspace

kuza55 — Sat, 23 Dec 2006 18:11:11 -0600

Of all those the the onExit one looks the most useful to me.

But I could have sworn that MySpace used a regex to filter out event handlers, because I remember playing around with odd event handlers, and then giving up and trying things like onTest= to see if they worked, and having them get filtered out as well.

Obviously they aren't now, but can anyone remember if they did before, or if I was just imagining things?

Re: Myspace

maluc — Sat, 23 Dec 2006 15:41:24 -0600

in myspaces profile, the following event handlers are not filtered (taken from the XSS cheat sheet):

1.	FSCommand() (attacker can use this when executed from within an embedded Flash object)
14.	onBegin() (the onbegin event fires immediately when the element's timeline begins)
23.	onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command)
24.	onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
25.	onDataSetChanged() (fires when the data set exposed by a data source object changes)
26.	onDataSetComplete() (fires to indicate that all data is available from the data source object)
29.	onDrag() (requires that the user drags an object)
36.	onEnd() (the onEnd event fires when the timeline ends.  This can be exploited, like most of the HTML+TIME event handlers by doing something like )
39.	onExit() (someone clicks on a link or presses the back button)
52.	onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing)
53.	onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)

see what you can come up with that executes..

-maluc

Re: Myspace

maluc — Sat, 23 Dec 2006 12:25:58 -0600

yes, the mozbinding has been discussed frequently here, and it's quite useful. You should note that it works for firefox only, though.

And that's a good find, they filter it out in the profile page but not for blogs.. guess we should retry all the previous holes on the blogs too - since they go through less filtering.

other places it work(s|ed): http://sla.ckers.org/forum/search.php?3,search=binding,page=1,match_type=ALL,match_dates=365,match_forum=ALL

-maluc

Re: Myspace

Disenchant — Sat, 23 Dec 2006 08:14:12 -0600

Hi all,
the following blog entry of mine could be interesting for some of you. I think this method will work at many different places but I didn't try it yet.

You'll find the blog entry here:
http://www.disenchant.ch/blog/32/32

Regards,
Disenchant

Re: Myspace

Ghozt — Tue, 19 Dec 2006 01:13:03 -0600

Didn't Tom post a blog or something about updating Quicktime when it tells you?
I was just messing around with
(Taken from http://www.criticalsecurity.net/index.php?showtopic=17562&hl=myspace)

And it turns it into:

But it still works in IE and Firefox with no update message. I guess I'll update Quicktime and see what happens.

[Edit]
I upgraded to 7.1.3 from http://www.apple.com/quicktime/download/win.html and it still works fine in IE and Firefox.

Re: Myspace

maluc — Mon, 18 Dec 2006 15:05:56 -0600

great tip ^^.. i was adding that same encoding to a PoC of mine but the fact that they have one built-in makes it much easier for the polymorphing side of the code

-maluc

Re: Myspace

Spikeman — Mon, 18 Dec 2006 14:53:53 -0600

One tip about Myspace, use their built-in decode64 function and just use a settimeout on your code, and encode it in base64.

Re: Myspace

maluc — Sun, 17 Dec 2006 14:38:24 -0600

to save yourself extra questions.. here's a copy-pasteable version. switched to asdf since it has an easy to discern black background:

-maluc

Re: Myspace

maluc — Sun, 17 Dec 2006 14:27:28 -0600

-.- just add a style="position:absolute" to the iframe

and their goal is to stop a direct tag .. once you've already got javascript running it's just far too versatile to prevent other obfuscating. They do already filter "eval(" which is good.. and if they filtered "createElement(" and "appendChild(" too .. it would solve alot of their problems.. i think :x

-maluc

Re: Myspace

Tribute — Sun, 17 Dec 2006 14:26:42 -0600

To get borderless and scrolless windows, the following code will do it:

Page = "http://domain/page-to-display.html"
document.body.innerHTML = '';

Took me a while to do as I was trying out quite a few different ways, then I just took a look at the official IFRAME args & voila, no frames

Re: Myspace

eyeced — Sun, 17 Dec 2006 13:43:13 -0600

Yeah thanks, should have looked through it abit more really. Guess i was just concerned at changing the form values the first time i skimmed through the code. This works and borderless but it gets appended to the bottom of the page, so to see it i have to scroll down... this doesn't seem a convincing way. Im using FF 1.5.0.8, ill have a look through anyway, iv been very busy lately not really had chance to.

Also i was very shocked to see that they filter the word Iframe and convert it to [iframe], which can be solved simply by putting if'+'rame are they serious? This is pretty bad.

Re: Myspace

maluc — Sun, 17 Dec 2006 01:31:20 -0600

no actually, it's not easy to find these holes.. myspace does a guud job of preventing XSS. They are in a much tougher than normal situation though, by choosing to allow their users to input HTML code.

If i had to list every major dynamic website that has adequate XSS protection, it'd be a list of only 4. Google, Microsoft, Facebook, and Myspace. Now that's kinda sad when you think how many major sites don't make that cut (maybe i'm too picky .-.)

Although nobody's perfect - all four of those have had working XSS holes in the past week. Anyway, the fact that myspace allows a lot more opportunities for persistent XSS, makes it desirable to field test javascript worms. (not to mention the largest victim base)

-maluc

Re: Myspace

jungsonn — Sun, 17 Dec 2006 00:45:49 -0600

I never been at myspace.com, but it seems if I read all the XSS on here, it would be a fun place.

Is it getting harder on myspace? or just a cat and mouse game?

Re: Myspace

maluc — Sat, 16 Dec 2006 22:41:22 -0600

.-. everyone has a sob story.. but email me -

arserbin3 is the addy
yahoo.fr is the host

-maluc