Monday, October 25, 2010

XSS hackme challenge solution (part 2)

After revealing the first part of the solution for the XSS hackme challenge we'll discuss the second, last part. This time we'll talk about a IE-only vulnerability that allowed you to inject and run arbitrary Javascript code (XSS), but to properly exploit it we'll need:
  • a local web server (we'll need to host some pages)
  • Internet Explorer browser (6,7,8 will do)
SPOILERS ahead!

Dont-Text.tk - First Facebook scam with clickjacking disclaimer

Just a quick note, because it's just too funny. The guys responsible for the last Facebook Dont-Text scam launched yet another scam site - dont-text.tk. But this time they wanted to obey the law, so they included this disclaimer:
This website is not created or affiliated with Facebook in anyway. Trademarks, service marks, logos, (including, without limitation, the individual names of products and retailers) are the property of their respective owners. By clicking anywhere on this page, you acknowledge and you are giving full consent to use the 'like' feature of Facebook to 'like' this page and one other relevant page to promote the presence of this page on Facebook.
If you do not agree with the above terms, please exit this page immediately.

This must be the first clickjacking disclaimer ever :) By the way - the site is active right now - http://whos.amung.us/stats/n8r959nxkqe0/ stats page shows the propagation of the scam.

For those of you who are here for the first time: DON'T CLICK ANYWHERE on dont-text.tk page. It's a scam. Read the full scam analysis for more information about it or to find out how to remove it if you've already clicked it.

Monday, October 18, 2010

Dont-Text.info / FightingGuy.info facebook worm - full analysis

Today another Facebook worm utilising clickjacking attack is spreading - as for now it has infected around 7000 profiles (yes, we do have the stats :). It's spreading, as usual, as a link on your friends' Facebook pages with the text I will never text Again After seeing this!!:

I will never text Again After seeing this!!

There are many variants available! - e.g. This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)


Update: There are, as I suspected, additional domains that host the same worm - dangerous texts / domains are also (do a reverse IP lookup to see additional domains):
  • happy-mc-meals.info - OMG... Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! (NO SURVEYS)
  • craziestguy.info - This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)
  • stupid-dress.info - Girl Gets Kicked Out Of School For DRESSING LIKE THIS! OMG!
  • girls-secrets.us - 21 Things Women Can Do That Guys Cant!
  • nevertexting.info
  • never-text.info
  • crazyamerican.info
  • usabadguy.info
  • guy-girl.info
  • bad-meals.info
  • usa-guy.info
  • guy-fight.info
  • usa-fight.info
Update 2: The scam continues. This time the scammer uses dont-text.tk domain with a really interesting disclaimer (see full text).

See below for analysis of what the worm actually does and to do some hacking with it. As a bonus, you will get a live page to analyze worm spreading.

I published the source code files for the dont-text.info worm, so feel free to consult them if you're interested in all the details. I will only discuss the actions of the worm from the user's and technical perspective here.

Friday, October 15, 2010

XSS hackme challenge solution (part 1)

Time to reveal the first solution for the XSS hackme. To recap - there was a webpage with a simple form where you could enter comments then displayed back to you. The challenge was to inject and run an arbitrary Javascript code. The hard part was that everything you entered was properly escaped, so for example:

<script>alert(/xss/)</script>

became perfectly safe

&lt;script&gt;alert(/xss/)&lt;/script&gt;

which was not interpreted as Javascript by the browser.

But still, the code had two vulnerabilities - one allowed for an XSS in Firefox browsers, the other - in Internet Explorer (6,7,8). Today we'll talk about the Firefox one (SPOILERS AHEAD!)

Monday, October 11, 2010

Test your skills with this XSS hackme (rev. 2)

XSS is a really nasty beast. It's been around since the 90s and we're still discovering new attack vectors, protection mechanisms, evasion techniques. It's not enough to simply "escape HTML output" (e.g. via htmlspecialchars() ) to get rid of it - there are always some tiny details that, when omitted, can cause script injection on your site.

Today I did some research on a rather less known XSS attack vector and I would like to present a small 'hack me' application - have fun (and read on for details)!

Tuesday, October 5, 2010

Serious security flaws in Facebook revealed today

Today some XSS & CSRF vulnerabilites in Facebook discovered by John Jean have been reported. These are already patched, so it's just educational material, but it's extremely interesting nonetheless. This disclosure touches various subjects, so I'd like to comment on these. I attach demonstrational videos, but I recommend reading the whole article - it's worth it.