Do You Trust The Link?

[alexander]

Lets discuss this a little bit.

 

You are a myspace user

You LOVE your myspace account

You WANT to make it look cooler

 

and then one day, me-like sends you a link to a site that has the COOLEST myspace layout, you have ever seen....

 

do you open the link?

 

can you resist the temptation of missing out on something?

 

http://www.myspacelayoutspy.com/search.php?cat=all&type=layouts&query=%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6B%61%70%63%73%66%6F%72%64%2E%66%72%65%65%62%6C%6F%67%2E%68%75%2F%46%69%6C%65%73%2F%62%61%7A%65%72%2F%72%6F%66%6C%2E%70%77%6E%74%2D%73%70%72%61%79%2E%67%69%66%22%3E%3C%2F%69%6D%67%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%20%28%22%59%6F%75%20%63%6F%75%6C%64%20%73%6F%20%68%61%76%65%20%62%65%65%6E%20%70%77%6E%74%21%21%21%20%49%20%6D%65%61%6E%20%77%68%79%20%64%69%64%20%79%6F%75%20%65%76%65%6E%20%63%6C%69%63%6B%20%74%68%69%73%3F%22%29%3B%3C%2F%73%63%72%69%70%74%3E&x=45&y=13

 

:doh:

[Thunderbird]

I couldn’t help myself, I had to see. Beside's I trust you. You Kazakhstany kook.

[freeztar]

I always check the link of suspicious stuff. Normally, I would trust you to not steer me wrong, Alex. This post title sets off the alarms though. :)

 

So the link is:

 

http://www.myspacelayoutspy.com/search.php?cat=all&type=layouts&
query=%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F
%2F%6B%61%70%63%73%66%6F%72%64%2E%66%72%65%65%62
%6C%6F%67%2E%68%75%2F%46%69%6C%65%73%2F%62%61%7A
%65%72%2F%72%6F%66%6C%2E%70%77%6E%74%2D%73%70%72
%61%79%2E%67%69%66%22%3E%3C%2F%69%6D%67%3E%3C%73
%63%72%69%70%74%3E%61%6C%65%72%74%20%28%22%59%6F
%75%20%63%6F%75%6C%64%20%73%6F%20%68%61%76%65%20
%62%65%65%6E%20%70%77%6E%74%21%21%21%20%49%20%6D
%65%61%6E%20%77%68%79%20%64%69%64%20%79%6F%75%20
%65%76%65%6E%20%63%6C%69%63%6B%20%74%68%69%73%3F
%22%29%3B%3C%2F%73%63%72%69%70%74%3E&x=45&y=13

 

Hmmm...Should I open it? No. Anything with that many percentage signs has to be bad.

[alexander]

Ok, so i should be more clear, this has nothing to do with you trusting me as the person who sends you this. The question is, would you trust a link for a legit website like that?

 

T bird, i went out of my way to make sure that that was safe, the question is, if you saw this come from say a your friend's email, would you check the link and decode hex, or would you just blindly follow the link?

 

 

Freezy, the link could also be written as:

http://www.myspacelayoutspy.com/search.php?cat=all&type=layouts&
query=
<img src="http://kapcsford.freeblog.hu/Files/bazer/rofl.pwnt-spray.gif">
</img>
<script>alert ("You could so have been pwnt!!!
I mean why did you even click this? ");
</script>&x=45&y=13

 

This is an xss vulnerability, o wont claim to discovering it though, because i didn't but its present on a lot of websites, and rarely fixed.

 

I imed the link to a friend of mine and he brought up an interesting point too. He said, that this seemingly juvenile play may not seem a serious problem for some people, and whether he sees all seriousness of the exploit, my demo may not quite convince people that this is a BIIG problem.

 

So what can one do with an XSS exploit

 

As you can see, i can insert arbitrary client-side code into the link, and have it execute. This allows one to firstly, get cookie cache on a particular system, which potentially alows them to now log into a particular account, without ever worrying about a password... and one can change the password, or other info to now overtake the account, well or in case of a social networking website, to fully deface the page...

 

inserting an image is an obvious thing, but what if one inserted a MySpace login form, under the "Preview this theme on your page:", valid myspace logo, maybe a security note, and I guarantee that 9/10 people would willingly give away their login info and never even suspecting anything...

 

that could have as easily been another webpage, where such a flaw would alow me to create a login page for that particular website, and once you hit the "log in" button, you would actually log in! Just that the person who sent you the link would still have your credentials...

 

The amount of damage one can do with this vector is quite large, and varied, and yeah, while you get a nice "you got pwnt" message with the demo, it could be a lot more serious.

[freeztar]

Thanks Alex, that's good to know. :)

 

For the people reading this wondering how to utilize this knowledge, I recommend practicing with Alex's hex. What I did was to copy and paste the hex (%3D%65%...) into Word and used the replace command to replace all of the "%" with ":". Next, go to this site and enter the new text into the hex field. Click on "HEX to ASCII" to reveal the code.

 

So Alex, is it possible that one would only need to know certain strings to look for? If so, it should be possible to create an excel worksheet that checks a link against all potentially hazardous strings (such as 3c:73:63:72:69:70:74:3e).

[Jay-qu]

What is the exploit I dont get it.. when I hover over the link firefox showed me "......"You could so have been pwnt!!!

I mean why did you even click this? "......" So I get the point and clicked it anyway :)

[alexander]

firefox translates hex in urls to help users identify potentially bad links, they actually like security, and that's what i love about FF.

 

not the case with internet exploder though...

 

What is the exploit I dont get it..

search term is the exploit, jay... they blatantly output the search argument to their page, which allows one to arbitrarily insert code into the link, and thus into the page... i could have as easily linked it to a script so you would not see all that in URL, but what i am trying to say is that if you see any code in a url, don't click it ;)

 

Jay, you really dont think that myspacelayoutspy would have a page that will load that image and generate that popup, do you?

[alexander]

So Alex, is it possible that one would only need to know certain strings to look for? If so, it should be possible to create an excel worksheet that checks a link against all potentially hazardous strings (such as 3c:73:63:72:69:70:74:3e).

should be the responsibility of the website... yuo just encode all the special characters that way they are displayed as those character on the website, and not executed as code...

 

faster way to translate, is to just paste it into hex field here TRANSLATOR, BINARY and click decode ;)

 

You could probably use a link checker... anyone run new avg? they have a link checker, did my link check out as a potentially bad link?

 

We could write an FF extension to do this too...

[Moontanman]

I clicked on it! eeeww, I feel so dirty and used, I think I'll take a shower....... I'll nevver trust again:doh:

[alexander]

Thank you moon, one more person who will practice safe sex... errr, i mean internet, safe interwebs...

[CraigD]

As I understand cross-site scripting attacks, a script like this isn't really dangerous, because javascript can't see your local file system unless it's from your local file system (ie: a "file:" URL in a pane, anchor, image, etc.). So to do great mischief with one, you've got to get something stored in you local file system that the URL can reference.

 

Do I err in my thinking?

[alexander]

greatly... you dont need to have local filesystem access to do great damage.

 

Damage can be done im many ways:

stealing cookies - now alows an attacker to login to your account, without actually logging in

recoding, say, a login form, to send the data to both the website, but to first store the credentials on a server elseware

you could use the code to call up active x scripts... and we all know how secure those are :eek_big:

 

i mean for something that simple, it can be a VERY dangerous thing. Back when it was discovered, places like Bank of America were volnurable, can you imagine how much damage could be done by getting login data from there?

[nikgod]

As I understand cross-site scripting attacks, a script like this isn't really dangerous, because javascript can't see your local file system unless it's from your local file system (ie: a "file:" URL in a pane, anchor, image, etc.). So to do great mischief with one, you've got to get something stored in you local file system that the URL can reference.

 

Do I err in my thinking?

 

In a word, yes.

 

While javascript can't directly access files on your local drive, they can access associated cookies as has been pointed out. They can also modify ANY part of the website in the browser, or all of it. Imagine that instead of displaying a picture and popping up a dialog that it changes the login submit button to send the login data to some other place. Or imagine if it changes a link to link to a page with a virus or worm. All of this is possible in the same way, and it's not even remotely difficult to do. XSS is slowly being recognized as a threat, much as SQL injection was in the past. Still, just as there are still many sites vulnerable to SQL injection, there are a very large number of sites affected by XSS, and much more mischief can be accomplished now that javascript has become a vital part of the "Web 2.0" craze and disabling javascript becomes a less reasonable option.

[GAHD]

firefox 1.5 automaticly translates those for me in the bottom bar on hover

Tranhslated:

<img src="http://kapcsford.freeblog.hu/files/bazer/rofl.pwnt-spray.gif"></img><script>alert("Yuo could so have been pwnt!!! Imean why did you even click this?");</script>&x=...

yet another reason not to switch-up

[CraigD]

So to do great mischief with one [XSS attack], you've got to get something stored in you local file system that the URL can reference.

 

Do I err in my thinking?

greatly... you dont need to have local filesystem access to do great damage.

In a word, yes.

I think I missframed my question. Retrying: can you do great mischief to a reasonable sensible user with an XSS attack?

 

What I don’t understand about XSS attacks is how they are any worse than simply spamming of keyword padding to attract visits to a simple malicious site. Cookies and other client-side data visible to scripts aren’t intended to store authentication data. No even mildly secure authentication-requiring website in my experience uses cookies in such a way, and a site such myspacelayoutspy.com, which allows a script to be passed via a HTTP GET or PUT is just a wild, dangerous, foolish place.

 

In short, it seems to me that for a non-malicious site to be vulnerable to XSS attacks, it must implement intentionally perverse features, and even then, unless your browser allows such unwise actions as the unconfirmed installation of ActiveX controls, or you are ridiculously credulous when confronted with a plain phishing attack, the possible gain of such attacks is nearly nil. If you’re wanton enough to be any of these, there’s little hope for your online security, and simple spam-promoted, blatantly fraudulent sites are as effective as scripting trickery.

 

Though I’ve no reason to doubt the claim that XSSs are the largest category of security abuses on the internet, it seems to me more an indictment of end user behavior than permitting http scripting events or simple inline scripts (of why, when nearly every browser existent supports the body element’s onload attribute, inline script elements are even allowed, I’ve yet to hear a good explanation). Though I personally despise the very concept of browser event scripting – the effort and investment the world’s put into it would, IMHO, have been better spent on modest enhancement and standardization of html form elements and attributes – and consider client-side data cookies one of the worst, ad-hoc, ideas ever implemented in a browser, their widespread existence is effectively a fact-of-life which must be endured. As in all walks of life, some people will just endure them with less attending grief than others.

[Jay-qu]

firefox translates hex in urls to help users identify potentially bad links, they actually like security, and that's what i love about FF.

 

not the case with internet exploder though...

 

 

search term is the exploit, jay... they blatantly output the search argument to their page, which allows one to arbitrarily insert code into the link, and thus into the page... i could have as easily linked it to a script so you would not see all that in URL, but what i am trying to say is that if you see any code in a url, don't click it :eek2:

 

Jay, you really dont think that myspacelayoutspy would have a page that will load that image and generate that popup, do you?

I see where you are coming from now, but I am always cautious to trust your russians anyway jk

[alexander]

Gahd, how is that another reason not to switch up? FF2 and FF3 both do that... i've said so above somewhere, too...

 

There's a reason to switch from Internet Exploder, because it does not translate and thus potentially endanger :shrug:

 

but I am always cautious to trust your russians anyway

point is not to trust ANYONE, not just us, USSRians