M.O.M.B.Y! (momby) wrote,
MOMBY-00001011: XSS "Space Invader" Evasion

Advisory MOMBY-00001011: XSS "Space Invader" Evasion
Press Embargo until April 13, 2007
Rankings:

Noobs: ***
LOLs: *****
0wnz: ****

In advisory MOMBY-00001001, we discussed an HTML insertion technique and gave up on attempting to promote it to XSS. But never fear! Thanks to the diligent efforts of our readers, we may now present the "space invader" technique for circumventing this (and similar) XSS filtering mechanisms.

First, the problem: the XSS filters around the searchForm applications on events.myspace.com make it difficult to create useful XSS attacks because a) XSS-ish elements such as event handlers, expression()-style elements, etc. are stripped, and b) whitespace is stripped. The solution? Take advantage of one filter to circumvent the other! It appears there are at least two (and probably three, according to observations) phases to XSS filtering, and attackers can take advantage of the cascading effect of multiple passes over the input: each pass only sees the output of the pass before it. The pseudo-code looks something like this (using Perl notation):

my $input = shift;                                              # untrusted value from the search form
my $badwords = qr/script|expression|onmouseover|onclick|onload/i;  # blacklist pass ("etc." in the original)
if ($input =~ $badwords) {
  $input = '..';                                                # reject: replace the whole value
}
$input =~ s/\s//g;                                              # whitespace pass, run AFTER the blacklist check

Thus, attackers may "invade" their code with spaces: "expre ssion" does not match the check for "expression", then the spaces are removed, and then the input is reflected back to the user.
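As an added example (not the advisory's code, and not MySpace's actual filter, whose internals are unknown), here are the two pass orderings side by side in Python: the reconstructed check-then-strip order, the same check run on the canonical (already stripped) string, and an output-encoding version that does not rely on a blacklist at all. The sample inputs are constructed.

```python
import html
import re

# Blacklist and whitespace passes as the advisory describes them (reconstructed).
BADWORDS = re.compile(r"script|expression|onmouseover|onclick|onload", re.IGNORECASE)
WHITESPACE = re.compile(r"\s")


def vulnerable_filter(value: str) -> str:
    """Pass 1 checks the raw input, pass 2 strips whitespace: that order lets
    'expre ssion' through pass 1, and pass 2 then reassembles 'expression'."""
    if BADWORDS.search(value):
        return ".."
    return WHITESPACE.sub("", value)


def hardened_filter(value: str) -> str:
    """Canonicalize before matching: every rewriting pass runs first, so the
    blacklist sees exactly the string that will be reflected to the user."""
    canonical = WHITESPACE.sub("", value)
    if BADWORDS.search(canonical):
        return ".."
    return canonical


def reflect_safely(value: str) -> str:
    """Defence that does not depend on a blacklist: encode the value for the
    HTML text context it is reflected into, so no markup can form from it."""
    return html.escape(value, quote=True)


def audit(samples):
    """Runs the vulnerable ordering over the samples and returns those that
    came out containing a blacklisted word after the whitespace pass."""
    leaked = []
    for sample in samples:
        out = vulnerable_filter(sample)
        if BADWORDS.search(out):
            leaked.append((sample, out))
    return leaked


# Constructed samples: benign CSS, a space-split keyword, an unsplit keyword, a tab-split keyword.
SAMPLES = ["width: 10px", "expre ssion", "expression", "on\tload"]

if __name__ == "__main__":
    for sample, out in audit(SAMPLES):
        print(f"{sample!r} passed the blacklist and became {out!r}")
```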

The following works for Internet Explorer:

Screenshot: http://pics.livejournal.com/momby/pic/0000c61c

Note, the above code will send IE 6 into an infinite loop. A real attack will need to be a bit more subtle, of course -- and an onload with an inserted image tag will work for both Firefox and IE.

Credit: MustLive first reported the space invasion. As a mark of his genius, it is now obvious, and we feel pretty dumb for missing it. He also has some much nicer exploits than the one above.

Weekend Update

Note, there will be no advisories from MOMBY over the weekend. We expect the Myspace security responders would like some time away from work for a couple of days, and we have a busy weekend ahead of us of bacchanalian debauchery -- for details, look for photos of mysterious men in false mustaches on SpyOnVegas.com. So, either wait around for Monday's advisory, or write your own advisory/exploit. Hacking is not a spectator sport.
Tags: evasion, xss
  • 20 comments

Anonymous

April 14 2007, 06:13:20 UTC

I think they blocked it
Yes, this has already been fixed.

Anonymous

April 14 2007, 22:10:24 UTC

If you keep taking breaks this often, you might as well go for a Year Of Myspace Exploits as well.
you're giving them ideas!

Anonymous

April 14 2007, 22:58:23 UTC

It's patched b4 I get a chance to even study the code.

Anonymous

April 15 2007, 00:01:45 UTC

This is all one of those extended April Fools jokes you always read about.
Live in the states?
http://sla.ckers.org/forum/read.php?11,9714

Be careful with that "screenshot" link. I'm sure 10 minors viewed that link - there's a good upwards of 20 years in that. All you're missing is some big corporation/government to make a push to enforce it.... oh wait -

-Justin
That requires intent to deceive, can they prove that?
Even if you went off the assumption that our judicial system worked on a justice-based system (ha?) I don't think a scum with 20 years experience in law could have ANY problem connecting a link titled and clearly suggesting 'screenshot' that actually goes to a pornographic.... non-screenshot was intentional. Furthermore, I think any "it was an accident" arguments are immediately thrown out the window with the statement at the tail of the entry "Also, yes, the screenshot has nothing to do with the advisory." This statement again further makes clear that the author was aware of the misdirecting nature of the link and hopes to clarify that after-the-fact.

Now my little rant that I pulled out of my ass in a good minute or so of wasted time wouldn't hold a candle to what a lawyer would pull out of his. Yeah, I have confidence that a well-budgeted lawyer could prove intent and IMHO it would be foolish to feel otherwise.
Thanks for the tip, Justin. However, I doubt any links provided so far would qualify under community-accepted definitions of "obscene" in any United States jurisdiction. Also, we're not usually in the United States, so our fear of prosecution there is pretty low (they had their chance to nab us Dmitry style in Vegas last weekend and blew it). Also, nothing's illegal on the Internet if you use TOR or OPN*.

* Other People's Networks
Just tipping :) I would really doubt as well... but good people always get fucked over by the stupid things.
-Justin
I need to hack into my ex-girlfriend's private Myspace and I was wondering if you had anything so I could see her private page to see if she was cheating? Any help would be much appreciated.

Re: HELP

Anonymous

April 17 2007, 00:51:43 UTC

If you're looking for someone to aid in stealing your ex-girlfriend's MySpace password just to help your ePenis get a little bigger you might as well go back to your hugbox, because you need to get over it, and move on. She obviously doesn't like you, and you shouldn't resort to getting trolled on LiveJournal by assholes like myself for this type of thing.