MySpace XSS Obfuscation Madness
This is perhaps one of the weirdest vectors I’ve come across. It took me a while to figure out why this was happening, but after some time it became clear. SystemOfAHack sent me this vector a few days ago, but I was unable to get all the pieces put together until now. MySpace allows users to enter HTML, as we all know. But because of an open-ended div tag, and because the injected markup overwrites the class attribute of a div whose id MySpace’s own JavaScript keys on, SystemOfAHack was able to execute XSS.
The first line below, up to and including kill=, is what he was able to inject; the rest shows what it does to the surrounding code:
<div class=x=x"+setTimeout('alert(/xss/)',0)+"; kill="<br>
…
<DIV style="width:80px;height:20px;" ID="UserDataNode0" CLASS="DataPoint=OnlineNow;UserID=71505468;"></div>
After rendering the page the DOM now looks like this:
<div kill="<br>
…
<DIV style=" width:80px;height:20px="" id="UserDataNode0""class="x=x"+setTimeout('alert(/xss/)',0)+";"\</div>
Then if you look at http://x.myspace.com/js/myspaceJS024.js, in the _OnlineNowNodeParser_locateNodes() function you can see that it does an eval on the contents of the class attribute, which has now been overwritten by the vector. Verrrry tricky. I love this kind of thing.
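As an added example (not the page’s or MySpace’s own code; function names and the allowlist are hypothetical), here are the two changes that close this class of bug: encoding quote characters in any user-supplied value rendered inside a quoted attribute, so a stray quote cannot close the attribute early and let kill=" swallow the markup down to UserDataNode0; and parsing the Key=Value; class string of UserDataNodeN elements against a strict allowlist instead of handing it to eval().

```javascript
// Added example, not MySpace's code. Names are hypothetical.

// 1. Server side: a user-controlled value placed inside a double-quoted
//    attribute must have quotes (and tag characters) encoded, otherwise a
//    single " in the headline reopens the markup for everything that follows.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// 2. Client side: the class attribute of UserDataNodeN carries data such as
//    "DataPoint=OnlineNow;UserID=71505468;". Parse it with an allowlist of
//    keys and a value pattern per key; return null on anything unexpected.
const ALLOWED = {
  DataPoint: /^[A-Za-z]+$/, // e.g. OnlineNow
  UserID: /^\d{1,12}$/,     // numeric id only
};

function parseDataPoint(cls) {
  const out = {};
  for (const pair of String(cls).split(";")) {
    if (pair.trim() === "") continue;          // trailing ';' is fine
    const eq = pair.indexOf("=");
    if (eq < 0) return null;                   // not Key=Value
    const key = pair.slice(0, eq).trim();
    const val = pair.slice(eq + 1).trim();
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, key)) return null;
    if (!ALLOWED[key].test(val)) return null;
    out[key] = val;
  }
  return out;
}

// Constructed inputs: the legitimate class from the page and the injected one.
const GOOD = "DataPoint=OnlineNow;UserID=71505468;";
const INJECTED = "x=x\"+setTimeout('alert(/xss/)',0)+\";";
```

With the allowlist in place the injected string is rejected as data rather than executed, and with encodeAttr applied to the headline the kill= attribute never gets an unbalanced quote to work with.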
January 25th, 2007 at 3:46 pm
lol @ RSnake, I kept saying the quote marks at the end of the vector aren’t part of my input :p This/these quote marks are the ones normally surrounding one’s headline. The vector goes as far as: kill=
-SystemOfAHack
January 25th, 2007 at 4:07 pm
Oops, sorry, put the </b> in the wrong place. Fixed.
January 25th, 2007 at 5:45 pm
I have a phpbb forum and someone is uploading html files in my forum: - images/i/example.html !!!
How did this work, and how do I secure against this attack…
Is it maybe an xss attack ????
Please help me
January 25th, 2007 at 6:10 pm
@Peter, that’s way off topic and this isn’t exactly the right place to ask that kind of question - feel free to ask on the forums though: http://sla.ckers.org/ I’m sure a number of people would be willing to help.
January 25th, 2007 at 8:28 pm
@RSnake sorry and tnx for link
January 25th, 2007 at 11:15 pm
How about a clearer explanation of what happened?
I guess you want us to try to hack myspace in order to figure out what’s going on?
January 25th, 2007 at 11:18 pm
UserDataNode filters.. so then it goes ..0
January 25th, 2007 at 11:23 pm
er.. nvm.. haha.. I didn’t read well enough.. I went straight for the code.. but my question is.. where to put it.
January 26th, 2007 at 12:53 am
I see DOM based XSS vectors on a daily basis. The problem with them is that the server software is not vulnerable at all, it is the JavaScript logic. Conventional ways for fighting this type of attacks are not working. Developers need to ensure that no user supplied information is evaluated or written into the DOM without being sanitized first.
January 26th, 2007 at 6:26 am
That reminds me, I found a way to bypass the MySpace filter for the term eval(). I posted it a little while ago in the forums, but the link to the PoC is here: http://xssxss.1111mb.com/xss/xss.html [view the source]
Though my setTimeout() works fine too, the dropping of a few chars can make all the difference, especially considering the headline input is truncated to 255 if over. I believe that was the figure. Oh, when testing I also had to change the headline input element to a textarea to get the eval bypass to work; there are probably easier ways though.
January 26th, 2007 at 9:55 am
@Tom, I’m not sure how to make that much more clear other than hacking MySpace and showing you the code. That’s the code on the page. When you input:
<div class=x=x"+setTimeout('alert(/xss/)',0)+"; kill=
It obliterates much of the rest of the page because of the following quote on the page, and overwrites the class variable of a div tag far below. The id of that tag contains a keyword that the JavaScript function that MySpace wrote knows and performs an eval on. If you look at the code it should be fairly clear.
January 26th, 2007 at 2:56 pm
Probably would have been necessary to mention it though; it goes in the Headline section of a user’s profile. The last quote from your headline becomes part of the vector, though it would have been just as easy if the last quote was HTML encoded. If you use MySpace and have read this article about the original userDataNode exploit:
http://www.silent-products.com/advisory4.5.06.txt
… then you should be able to figure this one out
I believe the finders of that one are due some credit, without that I would never have got the urge to look for utilisation of the userDataNode filtered keyword.
The basic thing here is, there’s a JS file that gets all tags with the ID userDataNodeN [where N is a number], it then gets data from the class attribute which it eval()’s. To patch the original exploit myspace added /userdatanode/ to its filters… I just found a way to access a userDataNode ‘entity’ present in the profile, and crafted a class attribute which overwrites the default one :p
I haven’t had a look yet, but because a userDataNodeN can be found around any user’s image (the ones linked to their profiles, where you may see an “online now” image), it might be possible to post something crafted in a similar manner to a user’s comments section and have JS run on their profile. This would depend on whether they still have “HTML allowed in comments” on, as is the default. I must check this up :p
January 27th, 2007 at 4:25 am
My question is .. what place do you put the
February 1st, 2007 at 5:33 am
It appears, as of today, this vector has been blocked by insertion of another div tag (by MySpace) between the headline and UserDataNodeN containing an attribute with a value inside double-quotes. This means the aforementioned kill attribute does not ‘kill’ the necessary portion of HTML in order to have user content evaluated by the linked JS file.
Damn shame too, ’cause I got the headline script to read from other areas in the profile, which meant I had a lot more input space for executable JS.
February 7th, 2007 at 4:01 pm
http://www.silent-products.com/advisory4.5.06.txt
Thanks for further proving my point in the conclusion of my article on the javascript vuln