M.O.M.B.Y! (momby) wrote,

  • Mood:

MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS

Advisory MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS
Noobz: **
LOLz: ****
0wnz: *** 1/2

An interesting find, this is an Ajax control present on all "View Friends" pages. Useful for POST-based XSS attacks (which will usually require a form posted off-site in order to trigger), this vulnerability will be exercised in a fashion similar to MOMBY-1001.

First, a simplified attack form for demo purposes:

This can of course be modified to be a one-click or onLoad submit action, requiring only the page to load in the victim's browser. Screenshot of the above form in action: http://pics.livejournal.com/momby/pic/0000hw8z

In order to modify the vulnerable parameter, some base64 encoding and decoding is required. This is easily accomplished with many b64 encoders, one of the easiest to use being the online encoder at http://www.motobit.com/util/base64-decoder-encoder.asp. An attacker may take the __VIEWSTATE value, decode and save the binary, and edit the section at offset 0xdb using his favorite hex editor. This is a standard TLV (type-length-value) node, which supplies the text displayed in the Friends header box, such as |05 10|Tom's Friends... (|05| being type, |10| being length decimal 16, the length of "Tom's Friends...")

Once that's complete, the attacker may re-encode the resulting file back to a single-line base64 format, and voila! An exploit that is not only completely unfiltered at Myspace.com, but is basically impossible to detect by any other means, such as third-party XSS-filtering proxies or browser add-ons (the stealth is worth at least a half an 0wn right there).

This form and its related Ajax cousins are a rich area of unfiltered exploitation, as it is not an obvious vector for most casual XSS bug-hunters. We here at M.O.M.B.Y! hope the original reporter will take a moment to explain further his methodology in finding this bug using the anonymous comment section of this journal.

Note, though, attackers are limited to 127 characters, as the length parameter is a signed single-byte integer. That's plenty of room for evil, though; recall that elements referenced from other sites (such as <script src="www.example.com/whatever.js">) are run in the same context as the originating page, so complex scripts need not be contained in the 127 byte limit.

Credit: Richtr first reported this bug. He also claims that forms such as these may be embeded in a personal profile Friends page, implying that this can be used to launch an XSS worm. We haven't tested this implementation.
Tags: ajax, base64, xss
  • Post a new comment


    default userpic
    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.