Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Myspace Apps script injection?
Posted by: PaPPy
Date: July 20, 2008 11:39AM

Submitted this to MySpace and xssed.com.
They labeled it as a redirection, but it seems to be a lot more,
almost like a proxy...
It stays as api.msappspace.com in the URL box,
but the content inside is whatever page, so if you include a JavaScript page, as shown below, it will run it on the api.msappspace.com domain.
Or you could use it as a phishing site, whatever tickles your pickle.

Here's the path:
http://api.msappspace.com/proxy/relay.proxy?opensocial_authtype=SIGNED&opensocial_token=at4IjkedDpNLkau5F/gsmGfqlODuP0eDpTeA45xoUKlXsVUjcvGcAmS+BLRbO8M3617chfI29VFFwiTjqSbfr3RlRYrivuZjLK2V2b+FCUA=&opensocial_url=http://fampo.org/my.html

Here's the mirror:
http://www.xssed.com/mirror/45627/

http://www.xssed.com/archive/author=PaPPy/

Re: Myspace Apps script injection?
Posted by: natenack
Date: July 20, 2008 03:03PM

I think your post is a little inaptly named, because this isn't a script injection on MySpace apps. It's a proxy, hence the name relay.proxy :) As you have seen you can request whatever site you wish and it will be returned to you. Not only does the URL stay the same but the site that gets requested comes from the IP address of the server on the MySpace side. This was previously uncovered while we were doing research for our talk for this year's Black Hat and Defcon called Satan is on my Friends List.

http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Moyer

http://www.defcon.org/html/defcon-16/dc-16-speakers.html#Hamiel

We have been sitting on a few things and seeing just how deep the rabbit hole goes and prepping for our presentation. Ultimately, coming from a separate domain, api.msappspace.com, doesn't give you access to the same data you would have access to under the myspace.com domain. This is done on purpose so that applications developed for MySpace are operating in a different domain. This practice is common among many social networks. It does ensure a bit of limiting on the attacks that you can conduct, but there are a few other things that can be done with this. After all, it's not a vulnerability, it's a feature ;) Sorry to be so vague, but BH and DC are just around the corner; we will release more details on this and many other items soon.

--
Nathan
Hexagon Security Group
