Sunday, December 24, 2006

MySpace Non-Alpha-Non-Digit XSS 0day

It seems that MySpace has finally understood the issue here, which is good news, but the way their filter is written is working against them, or at least that's what I'm guessing from the results I'm getting.

Anyway, here's the exploit:

<body onLoadmoz-binding="alert('XSS');">

As you can see if you run that, moz-binding is changed to .. and we are left with the following:

<body onLoad..="alert('XSS');">

So from this I think we can quite safely assume that they have a few separate modules which each take their turn at the code, in order. If one module changes something into something dangerous, but the module that would filter that particular dangerous code out (the non-alpha-non-digit filtering module) has already run, then the code is allowed through.

Isn't black box auditing fun? You end up making guesses that are quite often so very wrong but fit your results, :p.
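To make the ordering guess concrete, here is an added toy model (not MySpace's code, and not part of the original post) of a two-stage filter that behaves the way the results above suggest. The module behaviours are assumptions: module A neuters a known event-handler name followed by non-alphanumeric characters, and module B rewrites "moz-binding" to "..". Running the stages once in fixed order reproduces the bypass; re-running the whole pipeline until nothing changes closes it, because the token created by the late stage is then seen by the early stage that handles it.

```python
import re

# Constructed toy model of the filter ordering bug guessed at in the post.
# It is NOT MySpace's code; both module behaviours are assumptions.
PAYLOAD = '<body onLoadmoz-binding="alert(\'XSS\');">'   # the input quoted in the post

# Module A (assumed): the "non-alpha-non-digit" stage. It neuters an event-handler
# name that is followed by non-alphanumeric characters instead of "=" or whitespace.
HANDLER_RE = re.compile(r'\bon(?:load|click|error|mouseover)[^A-Za-z0-9\s=]+', re.I)

def module_non_alnum(html: str) -> str:
    return HANDLER_RE.sub('blocked', html)

# Module B (assumed): a later blocklist stage that rewrites "moz-binding" to "..",
# which is the change the post observed in the output.
def module_blocklist(html: str) -> str:
    return html.replace('moz-binding', '..')

PIPELINE = [module_non_alnum, module_blocklist]

def run_once(html: str) -> str:
    """One pass in fixed order: each module sees only the previous module's output."""
    for module in PIPELINE:
        html = module(html)
    return html

def run_to_fixpoint(html: str, max_rounds: int = 10) -> str:
    """Re-run the whole pipeline until a full pass changes nothing, so a token
    produced by a late module is still examined by the early module that handles it."""
    for _ in range(max_rounds):
        out = run_once(html)
        if out == html:
            return out
        html = out
    raise ValueError('filter did not converge; reject the input instead of guessing')

def is_idempotent(filt, html: str) -> bool:
    """A rewrite-based sanitizer is only trustworthy if filtering its own output is a no-op."""
    out = filt(html)
    return filt(out) == out

if __name__ == '__main__':
    print(run_once(PAYLOAD))         # <body onLoad..="alert('XSS');">  (the bypass from the post)
    print(run_to_fixpoint(PAYLOAD))  # <body blocked="alert('XSS');">
    print(is_idempotent(run_once, PAYLOAD), is_idempotent(run_to_fixpoint, PAYLOAD))
```

The fixpoint loop is a patch for this specific ordering problem; the more robust design is to reject input that any stage would have rewritten, rather than rewriting and hoping no earlier stage needed to see the result.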


v wall said...

Hey nice find there. Seems like once again their filter plays in the wrong direction.

kuza55 said...

Yeah, it definitely does, but this is what comes of having to have your developers write security software without consulting anybody. Or so I'm guessing.

I wonder; if there was an Open Source ColdFusion XSS Filter, do you think MySpace would use it?

v wall said...

Hmmm, as a matter of fact I think they would.

For some reason I could imagine the developers all working on the MySpace XSS filters at the same time without letting the other developers know what changes they were making, or even letting the other developers know they were working on it.