Press Embargo until April 13, 2007
Rankings: Noobs: *** LOLs: ***** 0wnz: ****
In advisory MOMBY-00001001, we discussed an HTML insertion technique, and gave up on attempting to promote it to XSS. But never fear! Thanks to the diligent efforts of our readers, we may now present the "space invader" technique for circumventing this (and similar) XSS filtering mechanisms.
First, the problem: the XSS filters around the searchForm applications on events.myspace.com make it difficult to create useful XSS attacks because a) XSS-ish elements such as event handlers, expression() style elements, etc. are stripped, and b) whitespace is stripped. The solution? Take advantage of one filter to circumvent the other! It appears there are at least two (and probably three, judging from observations) phases to XSS filtering, and attackers can take advantage of the cascading effect of multiple passes over the input: each pass sees the output of the previous one, but the blacklist check only ever sees the raw input. The pseudo-code looks something like this (using Perl notation):
use strict;
use warnings;
use CGI qw(param);

my $input = param('q');       # untrusted value from the searchForm request (parameter name is hypothetical)
my $badwords = 'script|expression|onmouseover|onclick|onload|etc';
if ($input =~ /$badwords/) {  # pass 1: blacklist check runs against the raw, un-normalized input
    $input = '..';
}
$input =~ s/\s//g;            # pass 2: whitespace is stripped only after the check has already passed
Thus, attackers may invade their code with spaces. "Expre ssion" does not match the check for "expression," then the spaces are removed, then the input is reflected back to the user.
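The cascade described above, as an added example that is not the advisory's or MySpace's code: the filter in the page's order (check, then strip) beside one that checks the canonical form, an output-encoding step that does not depend on pass ordering at all, and a small helper for spotting space-invaded tokens in request logs. The blacklist and inputs are constructed stand-ins, and the case-folding step generalizes the page's whitespace argument to a second normalization.

```python
import html
import re

# Constructed stand-in for the blacklist in the advisory's pseudo-code;
# the real events.myspace.com filter is not on the page. Case-sensitive,
# as the page's Perl regex is.
BADWORDS = re.compile(r"script|expression|onmouseover|onclick|onload")


def strip_ws(value: str) -> str:
    """The page's second pass: remove all whitespace."""
    return re.sub(r"\s", "", value)


def canonical(value: str) -> str:
    """Every normalization the pipeline will apply, folded into one step.
    Lower-casing is added here because the same cascade bug applies to case."""
    return strip_ws(value).lower()


def vulnerable_filter(value: str) -> str:
    """Order described on the page: blacklist check first, whitespace strip second.
    'expre ssion' passes the check and is reflected as 'expression'."""
    if BADWORDS.search(value):
        return ".."
    return strip_ws(value)


def fixed_filter(value: str) -> str:
    """Run the check on the canonical form, i.e. on what will actually be reflected."""
    stripped = strip_ws(value)
    if BADWORDS.search(stripped.lower()):
        return ".."
    return stripped


def reflect(value: str) -> str:
    """The defence that does not care about pass ordering: HTML-encode at output,
    so even a token that slips past the blacklist cannot break out of text."""
    return html.escape(fixed_filter(value), quote=True)


def space_invaded(value: str) -> bool:
    """Log-review helper: True when input is clean as sent but becomes a
    blacklisted token once the filter's own normalization has run."""
    return BADWORDS.search(value) is None and BADWORDS.search(canonical(value)) is not None


if __name__ == "__main__":
    probe = "expre ssion"  # the page's own space-invaded token
    print(vulnerable_filter(probe), fixed_filter(probe), space_invaded(probe))
```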
The following works for Internet Explorer:
Screenshot: http://pics.livejournal.com/momby/pic/00
Note, the above code will send IE 6 into an infinite loop. A real attack will need to be a bit more subtle, of course -- and an onload with an inserted image tag will work for both Firefox and IE.
Credit: MustLive first reported the space invasion. As a mark of his genius, it is now obvious, and we feel pretty dumb for missing it. He also has some much nicer exploits than the one above.
Anonymous
April 15 2007, 07:14:24 UTC
Something to be aware of....
Live in the states? http://sla.ckers.org/forum/read.php?11,9
Be careful with that "screenshot" link. I'm sure 10 minors viewed that link - there's a good upwards to 20 years in that. All you're missing is some big corporation/government to make a push to enforce it.... oh wait -
-Justin
Anonymous
April 15 2007, 12:51:15 UTC
Re: Something to be aware of....
That requires intent to deceive, can they prove that?
Anonymous
April 15 2007, 23:33:27 UTC
Re: Something to be aware of....
Even if you went off the assumption that our judicial system worked on a justice-based system (ha?) I don't think a scum with 20 years experience in law could have ANY problem connecting a link titled and clearly suggesting 'screenshot' that actually goes to a pornographic.... non-screenshot was intentional. Furthermore, I think any "it was an accident" arguments are immediately thrown out the window with the statement at the tail of the entry "Also, yes, the screenshot has nothing to do with the advisory." This statement again further makes clear that the author was aware of the misdirecting nature of the link and hopes to clarify that after-the-fact.
Now my little rant that I pulled out of my ass in a good minute or so of wasted time wouldn't hold a candle to what a lawyer would pull out of his. Yeah, I have confidence that a well-budgeted lawyer could prove intent and IMHO it would be foolish to feel otherwise.
Anonymous
April 16 2007, 01:10:34 UTC
Re: Something to be aware of....
Go to www.wowomg.com for free exploits
April 17 2007, 02:10:59 UTC
Re: Something to be aware of....
Thanks for the tip, Justin. However, I doubt any links provided so far would qualify under community-accepted definitions of "obscene" in any United States jurisdiction. Also, we're not usually in the United States, so our fear of prosecution there is pretty low (they had their chance to nab us Dmitry style in Vegas last weekend and blew it). Also, nothing's illegal on the Internet if you use TOR or OPN*.
* Other People's Networks
Anonymous
April 19 2007, 00:18:17 UTC
Re: Something to be aware of....
Just tipping :) I would really doubt as well... but good people always get fucked over by the stupid things.
-Justin
April 16 2007, 23:24:55 UTC
HELP
I need to hack into my ex-girlfriend's private Myspace and I was wondering if you had anything so I could see her private page to see if she was cheating? Any help would be much appreciated.
Anonymous
April 17 2007, 00:51:43 UTC
Re: HELP
If you're looking for someone to aid in stealing your ex-girlfriend's MySpace password just to help your ePenis get a little bigger you might as well go back to your hugbox, because you need to get over it, and move on. She obviously doesn't like you, and you shouldn't resort to getting trolled on LiveJournal by assholes like myself for this type of thing.