momby: MOMBY-00001011: XSS "Space Invader" Evasion

M.O.M.B.Y! (

momby) wrote,
@ 2007-04-13 16:14:00

Current mood:	amused
Entry tags:	evasion, xss

MOMBY-00001011: XSS "Space Invader" Evasion
Advisory MOMBY-00001011: XSS "Space Invader" Evasion
Press Embargo until April 13, 2007

Rankings:

Noobs: ***
 LOLs: *****
 0wnz: ****

In advisory MOMBY-00001001, we discussed an HTML insertion technique, and gave up on attempting to promote it to XSS. But never fear! Thanks to the diligent efforts of our readers, we now may present the "space invader" technique of circumventing this (and similar) XSS filtering mechanisms.

First, the problem: The XSS filters around the searchForm applications on events.myspace.com makes it difficult to create useful XSS attacks because a) XSS-ish elements such as event handlers, expression() style elements, etc. are stripped, and b) whitespace is stripped. The solution? Take advantage of one filter to circumvent the other! It appears there are at least two (and probably three according to observations) phases to XSS filtering, and attackers can take advantage of the cascading effect of multiple passes as the input. The pseudo-code looks something like this (using Perl notation):

$input = split;
$badwords = 'script|expression|onmouseover|onclick|onload|etc';
if ($input =~ /$badwords/) {
  $input = '..';
}
$input =~ s/\s//g;

Thus, attackers may invade their code with spaces. "Expre ssion" does not match the check for "expression," then the spaces are removed, then the input is reflected back to the user.

The following works for Internet Explorer:

 
<FORM name="searchForm"
	action="http://events.myspace.com/index.cfm?fuseaction=events&Mytoken=x"
	method="post"><INPUT id="eventsearchzip" name="zip" type="hidden"
	value='"style=xss:expre ssion(alert(document.cookie)); nothing="'/>
	<a href=# onClick="document.searchForm.submit()">Click here for
	awesomeness!</a></FORM>

Screenshot:http://pics.livejournal.com/momby/pic/0000c61c

Note, the above code will send IE 6 into a infinite loop. A real attack will need to be a bit more subtle, of course -- and an onload with an inserted image tag will work for both Firefox and IE.

Credit: MustLive first reported the space invasion. As a mark of his genius, it is now obvious, and we feel pretty dumb for missing it. He also has some much nicer exploits than the one above.

Weekend Update

Note, there will be no advisories from MOMBY over the weekend. We expect the the Myspace security responders would like some time away from work for a couple days, and we have a busy weekend ahead of us of bacchanalian debauchery -- for details, look for photos of mysterious men in false mustaches on SpyOnVegas.com. So, either wait around for Monday's advisory, or write your own advisory/exploit. Hacking is not a spectator sport.

(Post a new comment)

	(Anonymous) 2007-04-14 06:13 am UTC (link)
	I think they blocked it (Reply to this) (Thread)

	Владимир Палант [xpoint.ru] 2007-04-14 01:23 pm UTC (link)
	Yes, this has been already fixed. (Reply to this) (Parent)

	(Anonymous) 2007-04-14 10:10 pm UTC (link)
	If you keep taking breaks this often, you might as well go for a Year Of Myspace Exploits as well. (Reply to this) (Thread)

	http://getopenid.com/crumb 2007-04-14 10:19 pm UTC (link)
	you're giving them ideas! (Reply to this) (Parent)

(Reply from suspended user)

	(Anonymous) 2007-04-14 10:58 pm UTC (link)
	its patched b4 I get a chance to even study the code (Reply to this)

	(Anonymous) 2007-04-15 12:01 am UTC (link)
	This all is one of those extended april fools jokes you always read about. (Reply to this) (Thread)

(Reply from suspended user)

	Something to be aware of.... (Anonymous) 2007-04-15 07:14 am UTC (link)
	Live in the states? http://sla.ckers.org/forum/read.php?11,9714 Be careful with that "screenshot" link. I'm sure 10 minors viewed that link - there's a good upwards to 20 years in that. All you're missing is some big corporation/government to make a push to enforce it.... oh wait - -Justin (Reply to this) (Thread)

	Re: Something to be aware of.... (Anonymous) 2007-04-15 12:51 pm UTC (link)
	That requires intent to deceive, can they prove that? (Reply to this) (Parent)(Thread)

Re: Something to be aware of....
(Anonymous)
2007-04-15 11:33 pm UTC (link)

Even if you went off the assumption that our judicial system worked on a justice-based system (ha?) I don't think a scum with 20 years experience in law could have ANY problem connecting a link titled and clearly suggesting 'screenshot' that actually goes to a pornographic.... non-screenshot was intentional. Furthermore, I think any "it was an accident" arguments are immediately thrown out the window with the statement at the tail of the entry "Also, yes, the screenshot has nothing to do with the advisory." This statement again further makes clear that the author was aware of the misdirecting nature of the link and hopes to clarify that after-the-fact.

Now my litte rant that I pulled out of my ass in a good minute or so of wasted time wouldn't hold a candle to what a lawyer would pull out of his. Yeah, I have confidence that a well-budgeted lawyer could prove intent and IMHO it would be foolish to feel otherwise.

(Reply to this) (Parent)

	darasuzof 2008-07-17 01:25 am UTC (link)
	Further evidence of intent to deceive can be seen in the regulation before and after . Before the subsection dealing with deductions contained explicit wording that deductions were to be applied to the income of nonresident aliens and foreign corporations doing business within the U. (Reply to this) (Parent)

	Re: Something to be aware of.... (Anonymous) 2007-04-16 01:10 am UTC (link)
	Goto www.wowomg.com for free exploits (Reply to this) (Parent)(Thread)

	cleozubif 2008-07-16 05:57 am UTC (link)
	Go to another machine and log into your LogMeIn account and click on your Computer. (u don't need the IP adress. (Reply to this) (Parent)

Re: Something to be aware of....

momby
2007-04-17 02:10 am UTC (link)

Thanks for the tip, Justin. However, I doubt any links provided so far would qualify under community-accepted definitions of "obscene" in any United States jurisdiction. Also, we're not usually in the United States, so our fear of prosecution there is pretty low (they had their chance to nab us Dmitry style in Vegas last weekend and blew it). Also, nothing's illegal on the Internet if you use TOR or OPN*.

* Other People's Networks

(Reply to this) (Parent)(Thread)

	Re: Something to be aware of.... (Anonymous) 2007-04-19 12:18 am UTC (link)
	Just tipping :) I would really doubt as well... but good people always get fucked over by the stupid things. -Justin (Reply to this) (Parent)

	HELP camrashy 2007-04-16 11:24 pm UTC (link)
	I need to hack into my x-girlfriends private Myspace and I was wondering if you had anything so I could see her private page to see if she was cheating? Any help would be much appreciated. (Reply to this) (Thread)

	Re: HELP (Anonymous) 2007-04-17 12:51 am UTC (link)
	If you're looking for someone to aide in stealing your ex-girfriend's MySpace password just to help your ePenis get a little bigger you might as well go back to your hugbox, because you need to get over it, and move on. She obviously doesn't like you, and you shouldn't resort to getting trolled on LiveJournal by assholes like myself for this type of thing. (Reply to this) (Parent)

	annabellecemad 2008-07-16 05:46 pm UTC (link)
	I'm very new to this whole drupal concept, and any help would be much appreciated. Many thanks, Nick. (Reply to this) (Parent)

Username:		Create an Account Forgot your login? Login w/ OpenID
Password:
	Remember Me
	English • Español • Deutsch • Русский…

Weekend Update

About

Help

Get Involved

Legal

Store

LJ Labs