M.O.M.B.Y! (momby) wrote,

  • Mood:

MOMBY-00001011: XSS "Space Invader" Evasion

Advisory MOMBY-00001011: XSS "Space Invader" Evasion
Press Embargo until April 13, 2007

Noobs: ***
 LOLs: *****
 0wnz: ****

In advisory MOMBY-00001001, we discussed an HTML insertion technique, and gave up on attempting to promote it to XSS. But never fear! Thanks to the diligent efforts of our readers, we now may present the "space invader" technique of circumventing this (and similar) XSS filtering mechanisms.

First, the problem: The XSS filters around the searchForm applications on events.myspace.com makes it difficult to create useful XSS attacks because a) XSS-ish elements such as event handlers, expression() style elements, etc. are stripped, and b) whitespace is stripped. The solution? Take advantage of one filter to circumvent the other! It appears there are at least two (and probably three according to observations) phases to XSS filtering, and attackers can take advantage of the cascading effect of multiple passes as the input. The pseudo-code looks something like this (using Perl notation):

$input = split;
$badwords = 'script|expression|onmouseover|onclick|onload|etc';
if ($input =~ /$badwords/) {
  $input = '..';
$input =~ s/\s//g;

Thus, attackers may invade their code with spaces. "Expre ssion" does not match the check for "expression," then the spaces are removed, then the input is reflected back to the user.

The following works for Internet Explorer:


Note, the above code will send IE 6 into a infinite loop. A real attack will need to be a bit more subtle, of course -- and an onload with an inserted image tag will work for both Firefox and IE.

Credit: MustLive first reported the space invasion. As a mark of his genius, it is now obvious, and we feel pretty dumb for missing it. He also has some much nicer exploits than the one above.

Weekend Update

Note, there will be no advisories from MOMBY over the weekend. We expect the the Myspace security responders would like some time away from work for a couple days, and we have a busy weekend ahead of us of bacchanalian debauchery -- for details, look for photos of mysterious men in false mustaches on SpyOnVegas.com. So, either wait around for Monday's advisory, or write your own advisory/exploit. Hacking is not a spectator sport.
Tags: evasion, xss
  • Post a new comment


    default userpic