M.O.M.B.Y! (momby) wrote,

MOMBY-00001011: XSS "Space Invader" Evasion

Advisory MOMBY-00001011: XSS "Space Invader" Evasion
Press Embargo until April 13, 2007

Noobs: ***
LOLs: *****
0wnz: ****

In advisory MOMBY-00001001, we discussed an HTML insertion technique, and gave up on attempting to promote it to XSS. But never fear! Thanks to the diligent efforts of our readers, we may now present the "space invader" technique of circumventing this (and similar) XSS filtering mechanisms.

First, the problem: The XSS filters around the searchForm applications on events.myspace.com make it difficult to create useful XSS attacks because a) XSS-ish elements such as event handlers, expression() style elements, etc. are stripped, and b) whitespace is stripped. The solution? Take advantage of one filter to circumvent the other! It appears there are at least two (and probably three, according to observations) phases to XSS filtering, and attackers can take advantage of the cascading effect of multiple passes over the input: each pass sees the output of the previous one, not the original request. The pseudo-code looks something like this (using Perl notation):

$input = $ARGV[0];                                           # user-supplied value from the request
$badwords = 'script|expression|onmouseover|onclick|onload';  # etc.
if ($input =~ /$badwords/) {                                 # pass 1: blocklist check on the raw input
  $input = '..';                                             # matched: input replaced
}
$input =~ s/\s//g;                                           # pass 2: whitespace stripped only afterwards
print $input;                                                # reflected back to the user

Thus, attackers may invade their code with spaces. "Expre ssion" does not match the check for "expression," then the spaces are removed, then the input is reflected back to the user.
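The ordering bug above, as an added example (not code from the advisory or from MySpace): the same two passes in the flawed order and in the safe order (canonicalize first, then check), run over constructed sample values so a reviewer can see which one lets a split token through.

```python
import re

# Constructed sample inputs (not from the original post): one benign value and
# one carrying the space-invaded token the advisory describes.
SAMPLES = ["width: 100px", "width: expre ssion(1)"]

BADWORDS = re.compile(r"script|expression|onmouseover|onclick|onload")
WHITESPACE = re.compile(r"\s")

def flawed_filter(value: str) -> str:
    """The cascade from the advisory: blocklist check on the raw input first,
    whitespace stripping second. A token split by a space is not matched by
    pass 1 and is glued back together by pass 2."""
    if BADWORDS.search(value):
        return ".."
    return WHITESPACE.sub("", value)

def fixed_filter(value: str) -> str:
    """Same passes, safe order: reduce the input to the form that will actually
    be reflected, then run the blocklist over that canonical form."""
    canonical = WHITESPACE.sub("", value)
    if BADWORDS.search(canonical):
        return ".."
    return canonical

def compare(samples):
    """Return (raw, flawed result, fixed result) for each sample."""
    return [(s, flawed_filter(s), fixed_filter(s)) for s in samples]

if __name__ == "__main__":
    for raw, flawed, fixed in compare(SAMPLES):
        print(f"{raw!r:26} flawed={flawed!r:24} fixed={fixed!r}")
```

Reordering closes this specific hole; a blocklist still only matches the tokens it knows about, so contextual output encoding remains the primary control.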

The following works for Internet Explorer:


Note, the above code will send IE 6 into an infinite loop. A real attack will need to be a bit more subtle, of course -- and an onload with an inserted image tag will work for both Firefox and IE.

Credit: MustLive first reported the space invasion. As a mark of his genius, it is now obvious, and we feel pretty dumb for missing it. He also has some much nicer exploits than the one above.

Weekend Update

Note, there will be no advisories from MOMBY over the weekend. We expect the Myspace security responders would like some time away from work for a couple of days, and we have a busy weekend ahead of us of bacchanalian debauchery -- for details, look for photos of mysterious men in false mustaches on SpyOnVegas.com. So, either wait around for Monday's advisory, or write your own advisory/exploit. Hacking is not a spectator sport.
Tags: evasion, xss
April 14 2007, 06:13:20 UTC

I think they blocked it
Yes, this has already been fixed.


April 14 2007, 22:10:24 UTC

If you keep taking breaks this often, you might as well go for a Year Of Myspace Exploits as well.
you're giving them ideas!


April 14 2007, 22:58:23 UTC

It's patched before I get a chance to even study the code.


April 15 2007, 00:01:45 UTC

This is all one of those extended April Fools jokes you always read about.
Live in the states?

Be careful with that "screenshot" link. I'm sure 10 minors viewed that link - there's a good upwards to 20 years in that. All you're missing is some big corporation/government to make a push to enforce it.... oh wait -

That requires intent to deceive, can they prove that?


I need to hack into my x-girlfriends private Myspace and I was wondering if you had anything so I could see her private page to see if she was cheating? Any help would be much appreciated.



April 17 2007, 00:51:43 UTC

If you're looking for someone to aid in stealing your ex-girlfriend's MySpace password just to help your ePenis get a little bigger, you might as well go back to your hugbox, because you need to get over it and move on. She obviously doesn't like you, and you shouldn't resort to getting trolled on LiveJournal by assholes like myself for this type of thing.