Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: Myspace
Posted by: kuza55
Date: December 23, 2006 06:11PM

Of all those, the onExit one looks the most useful to me.

But I could have sworn that MySpace used a regex to filter out event handlers, because I remember playing around with odd event handlers, and then giving up and trying things like onTest= to see if they worked, and having them get filtered out as well.

Obviously they aren't now, but can anyone remember if they did before, or if I was just imagining things?

Re: Myspace
Posted by: Spikeman
Date: January 10, 2007 03:05AM

Yeah, I remember them doing something like that.. they don't anymore? That seemed like a much more effective way.

Re: Myspace
Posted by: SystemOfAHack
Date: January 11, 2007 06:24PM

In reply to: maluc
who posted [snippet]: "They do already filter "eval(" which is good.."
on: December 17, 2006 12:27PM

I found some ways to get around javascript function filters. I'm surprised I've never seen this anywhere already. Simple bit of logic.

http://xssxss.1111mb.com/xss/xss.html

view-source to get an explanation ;)

I suppose you can also use things like javascript:%61lert('xss'); but that would be URL-only from what I gather. Like, you couldn't have inline script access and use %61lert('xss') I don't think... [without "unescape()" and probably "eval()"]

Edited 1 time(s). Last edit at 01/14/2007 01:12PM by SystemOfAHack.

Re: Myspace
Posted by: digi7al64
Date: January 11, 2007 06:40PM

kuza55 and Spikeman,

As of today, MySpace have reimplemented the event filtering regex:

onabort
onblur
onchange
onclick
ondblclick
onerror
onfocus
onkeydown
onkeypress
onkeyup
onload
onmousedown
onmousemove
onmouseout
onmouseover
onmouseup
onreset
onresize
onselect
onsubmit
onunload

now all revert to ..

Also, it would appear that they have implemented a semi-looping process to look for these elements.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Myspace
Posted by: maluc
Date: January 12, 2007 02:17AM

system: very clever.. honestly javascript is way too versatile for its own good _-_

but i guess it's only trying to follow in the footsteps of its slutty step-sister HTML.

broken code should not be fixed automatically at run time =.=''

-maluc

Re: Myspace
Posted by: jungsonn
Date: January 12, 2007 02:18AM

@digi7al64

I'm a little oblivious on MySpace stuff, so I've got a question:

If you mess around with these vectors above:

onabort
onblur
onchange
onclick
ondblclick

are these strictly blocked? Like an exact match on "onclick"?

and is there a way something like:

on <some stuff> click + onclick ?

Re: Myspace
Posted by: digi7al64
Date: January 12, 2007 03:28AM

@Jungsonn
Until yesterday I believe MySpace allowed event elements in submitted code as long as the following character was not an = sign. However, due to our persistent XSS attacks they have now added filters (contained in a while loop) to check for them and replace them altogether (regardless of where they are).

Before, we were tricking their filter by forming strings such as

<body onload<script=alert('xss');>

"<script", of course, being disallowed was then replaced with "..", which resulted in the following code

<body onload..=alert('xss');>

The reason this was so successful was that it seems their filters only ever checked for "onload=", which wasn't being presented. Hence it passed the filter.

But in all fairness their filtering system is a joke, and once ^6 is patched I might release a couple more vectors that show again how bad their filter system is.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Myspace
Posted by: OrbityBaby
Date: January 12, 2007 12:41PM

digi7al64 Wrote:
-------------------------------------------------------
> @Jungsonn
> Until yesterday i believe myspace allowed event
> elements in submitted code along as the following
> character was not an = sign. However due to our
> persistant xss attacks they have now added filters
> (contained in a while loop) to check for them and
> replace them altogether (regardless of where they
> are).
>
> Before we where tricking their filter by forming
> strings such as
>
>
>
> "
>
> The reason this was so successfull was that it
> seems there filters only ever checked for
> "onload=" which wasn't being presented. hence it
> passed the filter.
>
> But in all fairness their filtering system is a
> joke and once ^6 is patched i might release a
> couple more vectors that show again how bad their
> filter system is.

I can't wait for the one you're working on that will hopefully work with IE!!! Thank you for all of your hard work. ;)

Re: Myspace
Posted by: jungsonn
Date: January 13, 2007 08:17AM

Cool stuff.

Ok so this:
<body onload<script=alert('xss');>

what if I make:

<body onload<script>=alert('xss');>

will it render like this?

<body onload..>=alert('xss');>

so only "<script" is filtered out? If so, that is bad practice and indeed needs do->while loops ^^

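The filter behaviour digi7al64 describes above (a single-pass replacement that splices "onload" and "=" back together) and the loop-until-stable check jungsonn asks about, as an added example that is neither MySpace's code nor any poster's. The handler list is the one posted in this thread; the garbled entry "nowonmousedown" is assumed to be "onmousedown", and the nested-token vector is constructed here.

```javascript
// Added example, not MySpace's code: models of the filters this thread
// describes, plus output escaping. Handler list as digi7al64 posted it; the
// garbled entry "nowonmousedown" is assumed to be "onmousedown".
const EVENT_HANDLERS = [
  "onabort", "onblur", "onchange", "onclick", "ondblclick", "onerror",
  "onfocus", "onkeydown", "onkeypress", "onkeyup", "onload", "onmousedown",
  "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onreset",
  "onresize", "onselect", "onsubmit", "onunload",
];
const HANDLER_RE = new RegExp(EVENT_HANDLERS.join("|"), "gi");
// Old filter as described: "<script" becomes "..", then each "handler=" is
// removed once. The first replacement leaves "onload..=", which the second
// step no longer matches, so the handler name survives in the output.
function legacyFilter(html) {
  let out = html.replace(/<script/gi, "..");
  for (const h of EVENT_HANDLERS) out = out.replace(new RegExp(h + "=", "gi"), "");
  return out;
}
// One pass of the newer rule: drop handler names wherever they occur.
// Deleting a token can itself splice the surrounding text into a new token.
function stripOnce(html) {
  return html.replace(/<script/gi, "").replace(HANDLER_RE, "");
}
// Fixed point: repeat until a pass changes nothing (the "while loop" the
// thread mentions), so tokens created by an earlier pass are caught too.
function stripUntilStable(html) {
  let prev;
  let out = html;
  do {
    prev = out;
    out = stripOnce(out);
  } while (out !== prev);
  return out;
}
// Escaping instead of stripping: untrusted text can never become markup,
// so there is no token list that has to be kept complete.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
// True if a handler name or "<script" survives filtering.
function containsBlockedToken(html) {
  return /<script/i.test(html) || new RegExp(EVENT_HANDLERS.join("|"), "i").test(html);
}
// The vector quoted in the thread, and a constructed nested-token vector.
const THREAD_VECTOR = "<body onload<script=alert('xss');>";
const NESTED_VECTOR = "<body onloonloadad=alert('xss');>";
```

Running the thread's vector through legacyFilter reproduces the "onload..=" output quoted above, while stripOnce on the nested vector shows why a single pass of even the newer rule is not enough.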
Re: Myspace
Posted by: Spikeman
Date: January 14, 2007 04:36PM

Personally, I think it's funny how, when they put in the new filters, they don't make everyone refilter their page. As far as I know, they've only done this once.. as a result I have about 6 months' worth of my friends' cookies. :P

Re: Myspace
Posted by: rsnake
Date: January 14, 2007 07:12PM

Remind me not to be your friend, Spikeman. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: Myspace
Posted by: GaSmo
Date: December 21, 2007 11:13AM

Yeah, those are the vectors I found too.
But now I'm still not able to get it executed.

I tried to use onmediaerror,
but MySpace makes:
<?IMPORT namespace="t" implementation="&#035;default&#035;time2">
out of:
<?IMPORT namespace="t" implementation="#default#time2">

Octal and hex encoded strings are filtered too, so can anyone give me a
hint how to use it please?

Re: Myspace
Posted by: kefka
Date: December 21, 2007 12:30PM

Those are from January, bro.
Re: Myspace
Posted by: GaSmo
Date: December 21, 2007 01:12PM

Hmmm, damn.

So there is no way to run JS in MySpace?
I don't want to steal cookies or phish user accounts,
I only want to send a MySpace JS variable to an external server.

Any other ideas? Some hints? Anything?

Re: Myspace
Posted by: rsnake
Date: December 30, 2007 02:58PM

This just popped up today: http://sla.ckers.org/forum/read.php?3,18640

- RSnake
Gotta love it. http://ha.ckers.org

Re: Myspace
Posted by: GaSmo
Date: December 30, 2007 05:21PM

This is my post ;) so I know about the hole.
The question for me is now, how can I use this to get something
from my visitor, without having him click on a link?
Some help would be nice.

last day in 2007

Re: Myspace
Posted by: johnsonsmith1
Date: January 03, 2008 11:23PM

I don't think that is possible. All XSS has been patched from profile.myspace.com
