URL XSS
Posted by: Delixe
Date: October 13, 2006 01:09AM

I am using an XSS through a mov file, inserting javascript within the "qtnext" variable, however things like document.location, document.write cause a new window to open. How do I inhibit this so it can write a line or something to the SAME window?

Re: URL XSS
Posted by: maluc
Date: October 13, 2006 03:43AM

What do you mean? I followed this explanation http://www.gnucitizen.org/blog/backdooring-quicktime-movies to embed into the HREF Track like so: http://myspace.com/malucracker .. which if you open in firefox or opera, indicates that it's running under the myspace.com origin.

I'm not sure what you mean by, within qtnext variable. but the problem with the document.write is because it may not have a point of origin into the document (i'll test when i finish eating.) So executing a document.write would just overwrite the page. Try using
document.body.innerHTML += 'blah';
and
top.location = "http://google.com";

-maluc

Re: URL XSS
Posted by: maluc
Date: October 13, 2006 04:10AM

ah.. i found the documentation for qtnext now.. and it looks like you should first set the target to _top or _parent .. with
SetTarget('_top')
SetTarget('_parent')

before setting qtnexturl()

RTFM at http://developer.apple.com/documentation/QuickTime/Conceptual/QTScripting_JavaScript/QTScripting_JavaScript.pdf .. on page 21 and 22. Although it doesn't show example uses, it's pretty informative.

-maluc



Edited 1 time(s). Last edit at 10/13/2006 04:13AM by maluc.

Re: URL XSS
Posted by: WhiteAcid
Date: October 13, 2006 04:34AM

Instead of:
document.body.innerHTML += 'blah';

I'd maybe be more DOM friendly and use:
i = new Image()
i.src = "http://www.google.co.uk/intl/en_uk/images/logo.gif"
document.body.appendChild(i)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: URL XSS
Posted by: maluc
Date: October 13, 2006 06:24AM

hrm, i don't know of a reason when one would work but the other wouldn't.. so either should be fine. I tend to pick tests that require the least amount of typing ^^

Done with dinner, so i'll start messing with it now..

-maluc

Re: URL XSS
Posted by: Delixe
Date: October 13, 2006 01:05PM

/* snip.. */
<embed qtnext="javascript:alert('test')"/>
/* snip.. */

You'll notice that it will open a NEW window. I am not sure how to get it so it uses the parent window.

Even placing a settarget="_parent" still opens a new window.

I also tried the add track selection thing for the mov file and it wouldn't let me rename the Text Track to HREFTrack, it went back after I clicked it and renamed it to Text Track. So I am using the straight backdoor to mp3 which works with mov as well.



Edited 2 time(s). Last edit at 10/13/2006 01:13PM by Delixe.

Re: URL XSS
Posted by: Delixe
Date: October 15, 2006 01:38PM

So did anyone come back with anything?

Re: URL XSS
Posted by: rsnake
Date: October 15, 2006 02:07PM

It might help if you give the whole code so we can see the same thing you are seeing. It's hard to tell what you're saying....

- RSnake
Gotta love it. http://ha.ckers.org

Re: URL XSS
Posted by: Delixe
Date: October 15, 2006 05:14PM

Place in a text file and rename it to an mp3:

<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="a.mp3" autoplay="true" qtnext="javascript:alert('backdoored')"/>

After doing so, open it in IE or FireFox and notice that it opens the alert in a NEW window, how would you make it so that it opens the alert in the same window? How could you make it so you can use things such as document.write, document.cookie from a page that has this embedded on it?

Re: URL XSS
Posted by: rsnake
Date: October 15, 2006 08:59PM

I don't think this will work... I tried a few things and no go. It's always in context of a browser without a domain. You can tell by doing something like:

alert(document.domain)

Which says "null." I don't think what you are trying will work because it's in local context.

- RSnake
Gotta love it. http://ha.ckers.org

Re: URL XSS
Posted by: Delixe
Date: October 17, 2006 11:28AM

<embed allowScriptAccess="never" allowNetworking="internal" enableJavaScript="false" src="http://www.someurl.net/yourmovefile.mov" width="0" height="0" autoplay="true" loop="true" controller="off" autohref="true" href="http://www.google.com">

This isn't necessarily an XSS hole but can function as a feasible means of URL filter evasion. This however does act slow and seems to wait for the mov file to load or the page itself before it actually redirects.

Does anyone know of a way to make it instant upon accessing the URL? The delay is horrible. Thank you.

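The two artifacts Delixe posted above (a QuickTime media-link XML file renamed to .mp3 with a `javascript:` URL in `qtnext`, and an `<embed>` that uses `autohref="true"` plus `href` to redirect) are exactly what a file-upload or content filter on a site like the one in the thread would want to catch. The following is an added example written for this thread, not code from any poster or from ha.ckers.org: a small Python triage check that flags media files whose bytes are actually a `application/x-quicktime-media-link` document, `javascript:` URLs in the `qtnext`/`href`/`src` attributes, and `autohref` auto-redirects. The sample inputs are constructed from the snippets in the posts; the function names and the finding labels are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample inputs, rebuilt from the snippets quoted in the thread.
SAMPLE_MEDIA_LINK = b"""<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="a.mp3" autoplay="true" qtnext="javascript:alert('backdoored')"/>
"""

SAMPLE_AUTOHREF_EMBED = (
    b'<embed allowScriptAccess="never" src="http://www.someurl.net/yourmovefile.mov" '
    b'width="0" height="0" autoplay="true" autohref="true" href="http://www.google.com">'
)

# A constructed stand-in for a real MP3: ID3 header followed by an MPEG frame sync, no XML at all.
SAMPLE_REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb" + b"\x00" * 32

# The processing instruction that turns a "media file" into a QuickTime media link.
MEDIA_LINK_PI = re.compile(rb'<\?quicktime\s+type="application/x-quicktime-media-link"', re.I)
EMBED_TAG = re.compile(rb"<embed\b([^>]*)>", re.I | re.S)
ATTR = re.compile(rb"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""", re.S)
# Attributes QuickTime treats as URLs and will navigate to.
URL_ATTRS = ("qtnext", "href", "src")
MEDIA_EXTENSIONS = {"mp3", "mov", "mp4", "m4a"}


def parse_embed_attrs(tag_body: bytes) -> dict:
    """Return {lowercased attribute name: value} for one <embed ...> tag body."""
    attrs = {}
    for m in ATTR.finditer(tag_body):
        name = m.group(1).decode("latin-1").lower()
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[name] = value.decode("latin-1", "replace")
    return attrs


def normalise_scheme(value: str) -> str:
    """Drop whitespace and control characters so a padded 'java script:' still compares as javascript:."""
    return "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()


def is_media_link(data: bytes) -> bool:
    """True if the file header carries the QuickTime media-link processing instruction."""
    return MEDIA_LINK_PI.search(data[:4096]) is not None


def check_upload(filename: str, data: bytes) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for an uploaded file; an empty list means nothing suspicious."""
    findings: List[Tuple[str, str]] = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    # A .mp3/.mov whose content is XML is a media link masquerading as audio/video.
    if ext in MEDIA_EXTENSIONS and is_media_link(data):
        findings.append(("media-link-masquerade", filename))

    for tag in EMBED_TAG.finditer(data):
        attrs = parse_embed_attrs(tag.group(1))
        # javascript: in any URL attribute is script execution, not a media reference.
        for name in URL_ATTRS:
            if name in attrs and normalise_scheme(attrs[name]).startswith("javascript:"):
                findings.append(("javascript-url", f"{name}={attrs[name]}"))
        # autohref="true" with an absolute href makes the plugin redirect without a click.
        href = attrs.get("href", "")
        if attrs.get("autohref", "").lower() == "true" and href.lower().startswith(("http://", "https://")):
            findings.append(("auto-redirect", href))
    return findings


if __name__ == "__main__":
    for name, blob in (("a.mp3", SAMPLE_MEDIA_LINK), ("song.mp3", SAMPLE_REAL_MP3),
                       ("page.html", SAMPLE_AUTOHREF_EMBED)):
        print(name, check_upload(name, blob))
```

The check deliberately looks at content rather than the file extension or the declared MIME type, since the whole point of the renamed .mp3 is that the extension says nothing about what QuickTime will do with the bytes; rejecting or quarantining anything that trips `media-link-masquerade` or `javascript-url` before it is served from the site's origin removes the same-origin script execution the thread is discussing.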
Re: URL XSS
Posted by: rsnake
Date: October 17, 2006 03:57PM

Yah, I ran into that same issue... it was like 20-30 seconds. I didn't see an obvious way around it (caching didn't seem to matter). I'm not sure where the delay is being caused (maybe by attempting to find a suitable codec or something?).

- RSnake
Gotta love it. http://ha.ckers.org
