M.O.M.B.Y! (momby) wrote,

  • Mood:

MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS

Advisory MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS
Noobz: **
LOLz: ****
0wnz: *** 1/2

An interesting find, this is an Ajax control present on all "View Friends" pages. Useful for POST-based XSS attacks (which will usually require a form posted off-site in order to trigger), this vulnerability will be exercised in a fashion similar to MOMBY-1001.

First, a simplified attack form for demo purposes:

This can of course be modified to be a one-click or onLoad submit action, requiring only the page to load in the victim's browser. Screenshot of the above form in action: http://pics.livejournal.com/momby/pic/0000hw8z

In order to modify the vulnerable parameter, some base64 encoding and decoding is required. This is easily accomplished with many b64 encoders, one of the easiest to use being the online encoder at http://www.motobit.com/util/base64-decoder-encoder.asp. An attacker may take the __VIEWSTATE value, decode and save the binary, and edit the section at offset 0xdb using his favorite hex editor. This is a standard TLV (type-length-value) node, which supplies the text displayed in the Friends header box, such as |05 10|Tom's Friends... (|05| being type, |10| being length decimal 16, the length of "Tom's Friends...")

Once that's complete, the attacker may re-encode the resulting file back to a single-line base64 format, and voila! An exploit that is not only completely unfiltered at Myspace.com, but is basically impossible to detect by any other means, such as third-party XSS-filtering proxies or browser add-ons (the stealth is worth at least a half an 0wn right there).

This form and its related Ajax cousins are a rich area of unfiltered exploitation, as it is not an obvious vector for most casual XSS bug-hunters. We here at M.O.M.B.Y! hope the original reporter will take a moment to explain further his methodology in finding this bug using the anonymous comment section of this journal.

Note, though, attackers are limited to 127 characters, as the length parameter is a signed single-byte integer. That's plenty of room for evil, though; recall that elements referenced from other sites (such as <script src="www.example.com/whatever.js">) are run in the same context as the originating page, so complex scripts need not be contained in the 127 byte limit.

Credit: Richtr first reported this bug. He also claims that forms such as these may be embeded in a personal profile Friends page, implying that this can be used to launch an XSS worm. We haven't tested this implementation.
Tags: ajax, base64, xss
  • Post a new comment


    default userpic



April 20 2007, 03:46:31 UTC 9 years ago

This is the kind of bug that I've been waiting for.
  It's been a month that I've been watching these and waiting for them to change color.   Seriously, if they all take that long to turn red, I think there will be a lot of green peppers eaten at our house.
While I've been writing this article, I've been waiting for svn to finish committing tiny files to a fresh svn repository.
While I've been writing this article, I've been waiting for svn to finish committing tiny files to a fresh svn repository.


8 years ago

While I've been writing this article, I've been waiting for svn to finish committing tiny files to a fresh svn repository.


April 20 2007, 09:03:46 UTC 9 years ago


Firstly for anyone wanting to test this but doesn't want to mess with base64 i made a program:


Which does all the work for you (needs .Net2.0)

Secondly the other pages on myspace affected by this bug are:


I believe others are also infected but I havn't taken the time to test them.

The way I suggest using this exploit is that the form CAN be placed on your myspace page, all the code required is allowed to be put in your profile. So simply to spread this bug all you need to do is either:

1) Replace links on peoples pages with exploited links or.
2) Message the form around saying "Hey look at my comments: link" and once they click they will also be infected.

These viewstates can be used for other more legit things too, such as changing the amount of friends shown per page from 40 to 100.

Nice joB Richtr
.Net Framework link:


May 31 2008, 00:04:55 UTC 8 years ago

this is also used in adding friends now. b64 decode tho gave me slightly unusable code. i gave up on trying to figure out what to do with it, since at this point that seems useless in any sort of exploit. i've been wasting days on reading old captcha exploits, so fed up with this shit.
You can customize your profile page, add your icon, set privacy, add twitter to your mobile device or IM client, choose how you're notified of DMs, etc.
Thus, member variables can be used to store per-request data. " In order to deal with multiple requests concurrently, ASP.
It can also show an HTML page containing more information and links to online resources, to provide continuous guidance to developers using the package.
Nice one! It is a hardcore XSS vulnerability (and PoC for it). Well done Richtr.

About other holes with this vector (Pics, Comments and Messages) in addition to FriendsView - you need to test them (if I find time I'll look at them). For new bugs for MOMBY.

> He also claims that forms such as these may be embeded in a personal profile Friends page, implying that this can be used to launch an XSS worm. We haven't tested this implementation.

We need to examine and test this possibility. Because environment for XSS worm is a big security issue.


About base64 encoding. Besides www.motobit.com's encoder/decoder (and others) you can use my XSS Generator http://websecurity.com.ua/xss_generator/ (for encoding).

Best wishes & regards,



April 20 2007, 17:27:39 UTC 9 years ago

Is this patched? I copied, pasted, saved as html, and submitted but nothing happened. I replaced the third field with a basic alert (in base64 format) but it didn't run. Thanks for revealing the bug either way!
Not patched yet. This hole is still work (in my Mozilla and IE6). The message with picture of Hemu Nigam are displaying.

So try again to see it.

Best wishes & regards,
Not seeing it anymore. Was a good find none the less. Can't figure out how to implement this to where it would be effective without user interaction though.
A few days of interaction actually *does* make me see Microsoft as a little "less evil", simply because it's impossible to think of a company as single self-contained whole--one monolithic evil entity--once you actually *know* (and like and respect) some of the individuals who work there.
However, I would love to see results from user testing on this. Are users ready for stuff like that.
Therefore, take your html, and copy/paste it into that itty bitty field, and it'll work. Took me about half an hour to figure that one out, hope this helps someone else.
That includes: AJAX Thank You, AJAX revealing of HIDE-THANKS data and AJAX revealing of HIDE-REPLY data.
Keep up the great work, this is not only a good find, but it's very interesting as well.
You are The Best!!!

Your IP address reveals your point of entry to the Internet and can be used to trace your communications back to your ISP, your employer's network, your school, a public terminal.
Use our Free Web Proxy to surf the internet anonymously at http://peak40.com
Next time we can’t find you like that, we’ll have to refer back to your photo…wait, um… So, get your hackergnotchi in to Gabe (at gabe at gundy dot org).



February 21 2008, 19:01:43 UTC 9 years ago

I represent First Premier Financial Group inc.(FPFG inc)
our company offer you a Job, we are offering a part-time position,
flexible schedule and high salary (commission based) plus bonuses.
so,if you are interested, you can contact us via email at
send resume to Fax: 323 417-4865
I'll provide you with all details concerning our position.
If you have any questions, don't hesitate to contact us.

Jonathan Williams
First Premier Financial Group inc.



August 16 2008, 08:58:29 UTC 8 years ago

Your blog is interesting!

Keep up the good work!