PDA

View Full Version : xss exploit on msn.com



cryptonomicon
12-13-2006, 01:37 PM
I want to get someone's cookie, so I can log into his/her hotmail account with proxomitron.

First I wrote a php script to log files on a webserver into a website. Next I wrote a javascript to get the cookie, so the cookie can be written to the webserver. To test this script, I need to find an xss exploit on msn.com, but I can't find one.

Does anyone now an xss exploit on msn.com that can be used to get the cookie?

~~smart~fool~~
12-13-2006, 03:20 PM
if i recall correctly xss is to make the perform a task not grab info... you would need them to click a link

not much you can do with a cookie anyway

Moonbat
12-13-2006, 05:39 PM
No, an XSS injection is used to make the website think that the command is coming fromt the site's server. You can basically do whatever you can think of, as long as you have access to what your trying to do.

For instance, mike's XSS injection involving the spam will not be executed if I click the link while I'm not logged in. So if you don't have the privleges to do the action normally, it won't happen.

@crypto - http://www.securiteam.com/ has a whole list of vulnerabilities that may or may not have been fixed.

Ezekiel
12-13-2006, 06:09 PM
Failure to filter user input allows code to be delivered to a user's browser which was not intended by the website to be there. The code can perform any function the other code on that page is capable of - change page layout, edit form data, redirect to external website, submit forms, etc.

Two major security vulnerabilities which result from failure to filter user input are cross site scripting and cross site request forgery.

Cross site scripting (XSS) relies on the access of a trusted page on a trusted domain to local objects specific to that website, such as cookies. This data is only available to pages on the trusted domain, so website B can't simply deliver a script to the users' browsers which sends away their sensitive cookies. However if you have a XSS vulnerability, you can run custom code inside a trusted web page, and send away the users' data to yourself in whatever way you feel necessary.

Cross site request forgery (XSRF) is a term which describes the fact that some websites allow form data to be submitted from any website. However, even if a website only allows POST data from its own domain, a failure to filter user input compromises this security. You can simply inject malicious code which creates a form on the page directed at the target script, and submit it with javascript. This is what I used on this forum, and submitted users' forms directed at newthread.php. Any website with an interactive messaging system can be affected.


I want to get someone's cookie, so I can log into his/her hotmail account with proxomitron.

You should really try to understand the subject instead of following that outdated tutorial from net-force.nl. There are many more ways to edit cookies interactively.


To test this script, I need to find an xss exploit on msn.com, but I can't find one.

Does anyone now an xss exploit on msn.com that can be used to get the cookie?



If anyone found one, they would keep it to themselves. They would certainly not post it here.


If someone posted such a vulnerability publicly, it would be fixed within a day.


Try using this search (http://www.google.com/search?hl=en&lr=&as_qdr=all&q=+site%*Amsn.com&btnG=Search) to find vulnerable subdomains of msn.com. Look for older pages which haven't been updated in a long time.

cryptonomicon
12-14-2006, 04:38 AM
@smart
Let the victim click the link is not a problem, and proxomitron can use the cookie to fake iexplore

@moonbat
Thank you for the link!

@mike


There are many more ways to edit cookies interactively..,

Like?




If anyone found one, they would keep it to themselves. They would certainly not post it here.


I agree, but maybe someone will pm me a hole?




If someone posted such a vulnerability publicly, it would be fixed within a day.


That's not true. History tells us that it can take weeks/months for a hole has been fixed



Try using this search to find vulnerable subdomains of msn.com. Look for older pages which haven't been updated in a long time</quote>
thanks!

Thanks!

Thank you all for the reply's!

Newby_Programme
12-14-2006, 05:47 AM
this might work get a Cookie Editor get your cookie and the victoms cookie ope the editor up look for the myspace.com just type it in and itwill come up cause your cookie is logged then replace your cookie with the victoms cookie then open up myspace.com and you should be logged in as the vitcim.

Not %*00 sure, but it might work. Hopefully :P

Ezekiel
12-14-2006, 12:48 PM
@smart
@mike

Like?


Like Add 'n Edit Cookies, a Firefox extension. The extension currently doesn't work for Firefox 2.0, but all you have to do is edit one line of the file for it to work, like I did.



I agree, but maybe someone will pm me a hole?


If you expect people on this forum to both have the knowledge and luck to discover a vulnerability in msn.com... well, you expect too much.

Your best bet is to look yourself, and definitely resist the temptation to Google for 'msn vulnerability'. If something like that can be found by Google, it has been fixed long ago.

Other than that, join some of the prominent security mailing lists (bugtraq, full disclosure) if you want to be the first to hear of the discoveries. As soon as they hit the lists, they are fixed fairly quickly.



That's not true. History tells us that it can take weeks/months for a hole has been fixed

In some applications, but not MSN or any other major email provider - there is too much at stake. If we look at Windows they release patches for software vulnerabilities within weeks of disclosure; the MSN vulnerability discovered by net-force.nl was also fixed quickly. It depends on the publicity afforded to the vulnerability, how quickly they fix it, and how quickly they can apply the changes. No less than a week for an application with so many business responsibilities.

If you plan on searching for vulnerabilities, you need a very good understanding of web application security risks in addition to simply knowing the languages. I have searched on all the known MSN domains and found nothing - what I think you need to do is discover hidden subdomains of msn.com (maybe by use of a brute force discovery tool?), because they are usually not meant to be seen and can totally lack security (if for testing, for example). I found an old page on another webmail service which could lead to cross site scripting, so it's not impossible.