MyYearbook.com XSS
I ran across this a few days ago. This is a really good example of several real world XSS filter evasions pulled straight from my site that Luny was able to successfully launch against MyYearBook.com. Definitely worth a look if you want to see practical usage of some pretty obfuscated XSS vectors, if you ask me. Nice job, Luny.

July 2nd, 2006 at 5:47 pm
There are A LOT more XSS vectors in MyYearbook than the ones Luny points out. I found quite a few more, using some good filter evasion as well. http://www.criticalsecurity.net/index.php?showtopic=13851
July 3rd, 2006 at 8:59 am
Hi, unsticky. Interesting post! Honestly, as I’ve said more than one time on the blog, I don’t actually care about the hosts in question, but rather the vectors against them and ultimately how damaging a worst case scenario could be (not that I’m Mr. gloom and doom, but I like to know what’s the worst that could happen).
That said, one of the attacks you used against them was actually interesting. The one that broke up the JavaScript directive with a newline char was interesting. That was a vector I found about two years ago. I came across a website that injected random characters into the JavaScript directive to see what chars caused it to break (or succeed as the case may be).
They didn’t even realize it but they were inadvertently entering null chars after every letter as well and because they were using IE to test the output they didn’t realize that they had also found that nulls work in place of that as well. I documented it all and threw it up on the XSS Cheat Sheet. Still, to this day, I think the null char injection for stored Cross Site Scripting is one of the most powerful vectors to date, followed closely by things like the newline/carriage return/tab vectors. Interesting though. Thanks for the link!
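The comment above explains why a blocklist that looks for the literal string `javascript:` fails: the browser reassembles the scheme after discarding the newline, tab or null characters that were inserted into it, so the filter and the browser see two different strings. The following is an added example, not code from the blog, the commenters, or MyYearbook's filters. It places a naive substring filter beside a normalizing check that mirrors what the browser will do before comparing the scheme, and then compares the two over a handful of constructed sample links. The allowlist of schemes, the sample links and the function names are assumptions; the normalization rules (drop tab/CR/LF anywhere, drop NUL as the comment reports old IE did, strip leading control characters and spaces) are the defender's approximation of browser behaviour, not a specification quoted from the page.

```python
import re

# Constructed sample href values for the comparison below (not taken from the page).
SAMPLE_HREFS = [
    "https://example.com/profile",      # ordinary link
    "/relative/path",                   # relative URL, no scheme at all
    "javascript:alert(1)",              # plain vector; every filter catches this
    "JaVaScRiPt:alert(1)",              # case games; caught by a case-insensitive match
    "java\nscript:alert(1)",            # newline inside the scheme (the vector discussed above)
    "java\tscript:alert(1)",            # tab inside the scheme
    "java\rscript:alert(1)",            # carriage return inside the scheme
    "j\x00a\x00v\x00ascript:alert(1)",  # null char after letters, as the comment describes
    "  \x01javascript:alert(1)",        # leading space and control char
]

# Schemes the application is willing to emit in an href (assumed allowlist).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# The naive approach: look for the literal scheme, ignoring case only.
_NAIVE_PATTERN = re.compile(r"javascript:", re.IGNORECASE)

# Characters the browser discards from the middle of a URL before parsing it
# (tab, CR, LF per the URL parsing rules; NUL is included because the comment
# reports that IE of the day ignored it as well; this is an assumption, not a spec quote).
_DISCARDED = "\x00\t\r\n"

# Leading C0 controls and space are stripped before the scheme is read.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def naive_filter_blocks(href: str) -> bool:
    """True if the naive substring filter would reject this href."""
    return _NAIVE_PATTERN.search(href) is not None


def normalize_scheme(href: str):
    """Return the lower-cased scheme the browser would act on, or None for a relative URL."""
    cleaned = "".join(ch for ch in href if ch not in _DISCARDED)
    cleaned = cleaned.lstrip(_LEADING_JUNK)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return match.group(1).lower() if match else None


def is_safe_href(href: str) -> bool:
    """Allowlist check on the normalized scheme; relative URLs are accepted."""
    scheme = normalize_scheme(href)
    return scheme is None or scheme in ALLOWED_SCHEMES


def compare_filters(hrefs=SAMPLE_HREFS):
    """Run both checks over the samples; each row records what each filter decided."""
    return [
        {
            "href": href,
            "naive_blocks": naive_filter_blocks(href),
            "normalized_scheme": normalize_scheme(href),
            "allowlist_accepts": is_safe_href(href),
        }
        for href in hrefs
    ]


def naive_misses(hrefs=SAMPLE_HREFS):
    """Hrefs the naive filter lets through but the allowlist rejects."""
    return [row["href"] for row in compare_filters(hrefs)
            if not row["naive_blocks"] and not row["allowlist_accepts"]]


if __name__ == "__main__":
    for row in compare_filters():
        print(f"{row['href']!r:40} naive_blocks={row['naive_blocks']!s:5} "
              f"scheme={row['normalized_scheme']!s:11} allowlist_accepts={row['allowlist_accepts']}")
    print("missed by the naive filter:", naive_misses())
```

The point of the comparison is the direction of the check: the naive filter asks "does the bad string appear?", while the allowlist asks "after the browser has had its way with this string, what scheme is left, and is it one we permit?" Only the second question is stable against characters the browser silently drops.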
July 5th, 2006 at 12:24 pm
Yeah, I spent a decent amount of time poking around that site, and found quite a few exploitable flaws. I found at least three XSS vulns that would allow for the spread of the worm, and in fact… did so with one of them; infecting nearly all the 1005000 some users in just under 15 hours. The site was down today for a bit, for what I suspect was some cleanup, plus many an account was removed for unknown reasons, and I can only guess it was in some feeble attempt to stop the worms (Thanks to skiddies, I was able to find a total of 11 variants of my code, in the wild). Because of that, they over-hauled their filters and basically removed html from all user-input fields except one. And that one, I’ve already found a way to exploit for worm related uses, and it only allows for 3 tags.
July 5th, 2006 at 12:50 pm
Thanks for the info, unsticky… I added a blog post about it with the exploit code Luny gave me.