Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables, and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Self-made HTML form works, XMLHttpRequest doesn't
Posted by: christ1an
Date: February 10, 2007 01:11PM

Hi,

Yeah, it's me again, trying to bypass Blogspot's security mechanisms. Actually I just wanted to write a short example script, using the mhtml bug to get a valid token and then send a valid request in.

This however does not work. Getting a token is not a problem but the response to my request is something like "we have a problem, something didn't work, send the following code to help us tracking down the issue and fixing it." - which is not what I expected.

The funny thing is, when I write my own HTML form, addressed to http://www2.blogger.com/blog-publishing.do (or similar), it'll be accepted and the command will be executed, provided that the right variables are sent with it.

So my question is: How come XMLHttpRequest doesn't work while a self-made HTML form does? -> Where is the difference?

Regards, Christian

Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: Kyran
Date: February 10, 2007 02:28PM

XMLHttpRequest may send cookies along with it, but it does not send other headers afaik. There is a good chance this is the problem.

Watch the headers for a normal request with something like BurpProxy and then copy them in javascript.

// Build the form-encoded body first, so its length is known before it is sent.
var params = 'stuff=things&variable=x';
xmlhttp.setRequestHeader('Content-Length', params.length);

Use the same technique for referer, content type, etc.

- Kyran

Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: christ1an
Date: February 10, 2007 02:50PM

Okay thanks, I'll try that. Meanwhile, I've found out that I must send the blogID via GET as well, otherwise Blogger sends the error page described above.

At the moment the script looks like this:

// Asynchronous POST; the blogID also has to appear in the query string.
requestObject.open('POST', 'http://www2.blogger.com/blog-publishing.do?blogID=2680014473523685840', true);
requestObject.setRequestHeader("Content-Type","application/x-www-form-urlencoded");

// Body fields, concatenated by hand; 'token' holds the securityToken fetched earlier.
requestObject.send(
'securityToken=' + token +
'&publishMode=PUBLISH_MODE_BLOGSPOT'+
'&blogID=2680014473523685840'+
'&subdomain=xssvulnerabilities'+
'&pingWeblogs=false'
);

... which still doesn't work, while this works fine: http://nopaste.php-q.net/274834

Any further ideas are welcome.

Edit:
After having analyzed the different headers, I came to the conclusion that the reason must be the referer. Apparently Blogger checks it. How can I manually change the referer?

Edited 1 time(s). Last edit at 02/10/2007 04:44PM by christ1an.

Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: hasse
Date: February 10, 2007 07:26PM

I know you can make the referer be blank by doing this:
http://5diggers.blogspot.com/

Many pages accept empty referers because some people manually disable the referer in their browser. I tried it against a forum before; first it complained about not accepting POST from that domain, but by doing that trick it worked.

Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: christ1an
Date: February 10, 2007 08:08PM

Thanks hasse!

As I found out, neither the referer nor a different header was the problem. I compared various requests with a program named Wireshark and a nice little Firefox extension, LiveHttpHeaders, which everybody should have installed by the way ;)

Well this whole thread is more or less nonsense because the problem is, like I said, quite far away from XHR, HTML forms or any headers.

To make it short:
On blogger.com, a securityToken looks something like this: 4WyU7aPsicovml2oG7gyd5KUoU=:1071549288454. I just picked it up and sent it away. Unfortunately, with the chars "=" and ":" in the token, the whole thing won't work because they need to be in ASCII format.

Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: rsnake
Date: February 14, 2007 12:40PM

That is ASCII, what do you mean? Look here for the ASCII chart: http://ha.ckers.org/ascii.html

- RSnake
Gotta love it. http://ha.ckers.org

Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: christ1an
Date: February 14, 2007 04:04PM

Well, how do you express this in English? :)
What I meant was that I had to replace non-alphanumeric characters (like : and = in the stolen securityToken) with a percent sign followed by two hex digits, to make sure that the whole thing is encoded conforming to the application/x-www-form-urlencoded media type. Pretty obvious, but it took me several hours.

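The encoding point christ1an lands on, shown as an added example that is not code from the thread: a browser form percent-encodes every reserved character in a field value, while raw string concatenation leaves "=" and ":" in the token unescaped. The strict parser below behaves like a server that refuses an ambiguous body instead of guessing; the token value is the one quoted above, and the field names are constructed for illustration.

```javascript
// Characters a form-urlencoded key or value may contain without escaping:
// the unreserved set, "+" (space), and %XX escapes.
const ALLOWED = /^(?:[A-Za-z0-9*\-._+]|%[0-9A-Fa-f]{2})*$/;

// Encode one value the way a browser form submission does: percent-encode
// everything outside the unreserved set and send spaces as "+".
function formEncode(value) {
  return encodeURIComponent(value)
    .replace(/[!'()~]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

// Build an application/x-www-form-urlencoded body from an object of fields.
function encodeFormBody(fields) {
  return Object.entries(fields)
    .map(([k, v]) => formEncode(k) + '=' + formEncode(v))
    .join('&');
}

// Strict parser: each pair must be exactly key=value, and both sides may only
// contain allowed characters. Returns null for a malformed body rather than
// silently truncating a value at the first stray "=".
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split('&')) {
    const parts = pair.split('=');
    if (parts.length !== 2 || !ALLOWED.test(parts[0]) || !ALLOWED.test(parts[1])) {
      return null;
    }
    const [k, v] = parts.map(p => decodeURIComponent(p.replace(/\+/g, ' ')));
    out[k] = v;
  }
  return out;
}

// The token format quoted in the thread (constructed sample body around it).
const token = '4WyU7aPsicovml2oG7gyd5KUoU=:1071549288454';

// Raw concatenation, as in the earlier script: "=" and ":" go out unescaped,
// so the first pair now contains two "=" signs.
const naiveBody = 'securityToken=' + token + '&pingWeblogs=false';

// Proper encoding: "=" becomes %3D and ":" becomes %3A, so the pair is unambiguous.
const encodedBody = encodeFormBody({ securityToken: token, pingWeblogs: 'false' });

console.log(parseFormBody(naiveBody));   // null
console.log(parseFormBody(encodedBody)); // { securityToken: '4Wy...=:107...', pingWeblogs: 'false' }
```

A lenient parser that splits on the first "=" would accept the naive body, which is why the bug is easy to miss until a stricter endpoint rejects it.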
Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: Kyran
Date: February 14, 2007 07:35PM

I think most of us call that hex encoded or url encoded.

Or at least I do. :P

- Kyran

Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: rezn
Date: March 23, 2007 06:04PM

It's actually called URL Encoding.

Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: xu
Date: May 09, 2007 07:08AM

The same domain policy does not allow XMLHttpRequest to send requests to other domains.

http://sec.jiaxu.de

Re: Self-made HTML form works, XMLHttpRequest doesn't
Posted by: faz3d
Date: July 31, 2007 09:40AM

The security token is base64 encoded!

http://null-byt3.co.uk
