Sunday, November 05, 2006

More MySpace XSS

I don't know whether to feel sorry for MySpace, or whether to laugh. The amount of XSS holes in MySpace is nothing short of outstanding.

And the sad thing is they've clearly tried to fix as many things as they've been able to find, but some things have fallen just short.

Anyway, the flaw I found this time around is that MySpace doesn't know that you can have an underscore (_) between an attribute name and the equals sign and have it still be valid, like so (note: this only works in Firefox):

<body onLoad_="alert('XSS');">

But the interesting thing is that they have a regex which disallows everything that looks like on*= (obviously it doesn't look anything like that, but I'm not going to bother trying to write regexes), and yet they've done it in such a way that they need to know which characters are allowed, essentially creating a blacklist of characters which they won't let you use between an attribute name and an equals sign. Why anyone would create a blacklist for that amazes me.
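To illustrate the point, here is an added example (not code from the original post or from MySpace): a blacklist regex that only recognises handlers spelled on[a-z]+= is compared with an allow-list check that parses each start tag and rejects any attribute name it does not explicitly permit. The allow-list contents and the sample tags are constructed for the example; the underscore and dotted variants are the vectors quoted in this post and its comments.

```python
import re
from html.parser import HTMLParser

# Constructed samples: a plain handler, the two filter-bypass spellings
# discussed on this page, and a benign tag.
SAMPLES = {
    "plain": '<body onload="alert(1)">',
    "underscore": '<body onLoad_="alert(\'XSS\');">',
    "dots": '<body onload.._="alert(\'XSS\')">',
    "benign": '<body class="profile">',
}

# Blacklist: only knows that event handlers look like on<letters>=
BLACKLIST = re.compile(r"on[a-z]+\s*=", re.IGNORECASE)


def blacklist_blocks(markup: str) -> bool:
    """True if the blacklist regex would reject this markup."""
    return BLACKLIST.search(markup) is not None


class AttrAllowList(HTMLParser):
    """Parse start tags and record every attribute name not on the allow-list."""

    # Hypothetical per-tag allow-list; anything not listed is rejected.
    ALLOWED = {"body": {"class", "id"}}

    def __init__(self) -> None:
        super().__init__()
        self.violations: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        allowed = self.ALLOWED.get(tag, set())
        for name, _value in attrs:  # parser lowercases names, e.g. "onload_"
            if name not in allowed:
                self.violations.append((tag, name))


def allowlist_blocks(markup: str) -> bool:
    """True if the allow-list parser finds any unknown attribute name."""
    parser = AttrAllowList()
    parser.feed(markup)
    parser.close()
    return bool(parser.violations)


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (blocked by blacklist, blocked by allow-list)."""
    return {n: (blacklist_blocks(m), allowlist_blocks(m)) for n, m in samples.items()}
```

The blacklist passes both bypass spellings because they put a character it never anticipated between the handler name and the equals sign, while the allow-list rejects them without needing to know what that character was.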

2 comments:

Anonymous said...

Well, after reading about the method you used with body onLoad_="alert('XSS'); I went to have a play to see if they were fixed up, and sure enough they were.

So I was trying different methods, and one input I used was body onLoad\_="alert('XSS'); which I thought worked, as XSS popped up in a box, so I returned to the profile to test more, only to find the code had been changed by MySpace.

It seemed MySpace had filtered the code BUT in effect created a working XSS vector, which was body onload.._="alert('XSS')"

I was trying to find an email address for you but didn't see one (maybe I missed it), so I had to post in a comment instead. Well, hope you find this interesting; if so, give me a mail.

./v wall

kuza55 said...

Interesting find. I tried doing similar things (i.e. trying to place dots between the attribute name and the equals sign) before but they always tended to keep replacing malicious tags recursively, or so it seemed.

And not putting an email up was an oversight on my part. I'll find somewhere to put it soon enough; in the meantime I'll send you an email.