My name is Rick Deacon. I'm going to be talking about hacking social lives on MySpace. Apparently a lot of people care about that, and I didn't expect the turnout that's here right now, so excuse me if I'm a little nervous.

A little bit about me. Me and my buddies came up here; we're from right around Cleveland. We live a little west of it. I'm an... yeah, exactly, Cleveland. Really crappy. Awesome. I'm an IT specialist at a CPA firm. I'm still in college; I just turned 21. Sorry, I'm straight edge. It's basically just a job I have right now, in between college and a real job at a security firm or something like that. It's a great job, but I work in Beachwood; it's on the east side of Cleveland. I also go to college. I just attend a community college for a networking degree. I've been doing IT stuff for seven years and security for like four. Obviously I was pretty young when I started, so I wasn't real serious about it, but I've still been doing it for a while. I had an article published in 2600 talking sort of about the same thing that I'm talking about today. Not exactly, because I didn't give the details, and the exploit that I'm going to be talking about isn't anywhere near what I posted there. That one was patched; this one is not. Other stuff I'm into is cars and music, not that you guys care.

Well, basically what I'm going to be talking about is, if anyone doesn't know what MySpace is (I know it's a really small site and everything), I'll be talking a little about what MySpace is.
I'll be talking about what cross-site scripting is, how to evade the filters on MySpace for cross-site scripting, session information, the tools, the current zero-day and a demonstration with my friend Dan over there, ways to prevent cross-site scripting attacks, and then I'll take your questions and closing. Obviously I'll be at the Q&A room for anybody else who wants to ask me questions that I won't be able to answer.

Basically, if you don't know anything about MySpace, it's one of the largest social networking sites. I believe it actually may be the largest. It's driven by a lot of dynamic web applications, and that's what gives it its popularity, and that's what gives it its security holes. Obviously it has a major impact on today's society. I mean, obviously you guys are all here to see it; a lot of the press is interested in this story. It's been in movies, it's on the radio, it's on TV shows, it's mentioned everywhere now. It got pretty huge. Other things about it: there's things that go on MySpace, obviously a lot of your personal information. It's a good source of social interaction. Like I said, it shows up everywhere, and it's also in this presentation, if you guys didn't know.

The security involved in MySpace: it's vulnerable to a lot of things. I'll only be talking about one, but just to mention a few, it's vulnerable to social engineering, obviously. Phishing is the biggest one right now. I'm sure if you have a MySpace you've seen the phishing links with ads, and they take you to a page that looks like a fake login; you type in your information and someone has it. You can do packet capture over a network, of course. I mean, there's been viruses that have spread via cross-site scripting and whatnot, spam. A couple well-known ones: the Samy worm, I'm sure everyone knows about that. It infected a few million.
I believe it changed their profiles, had it advertise Samy. Samy got famous for it. The QuickTime virus, which was relatively recent, used cross-site scripting and QuickTime to add the QuickTime page, I mean the QuickTime movie, to your page, which propagated to all your friends, and that was a rather large virus too. It was subject to the Windows Metafile vulnerability, which I'm sure everyone's aware of, and the phishing links I just talked about. That's some of the well-known stuff at this point. My water disappeared. Oh, it's down there.

Cross-site scripting, in case someone didn't know. I'm not going to talk too much into it; if you really don't know all that much about it, you want to do some Googling and you'll find plenty of it. It's a vulnerability that's found in many web applications, in many websites. I mean, some of the biggest websites have had it. Hotmail had it for a while, Google had it, tons of sites. Anything can have it. Some of them really are kind of useless, because you can't really do too much with them, but other ones, like the one I will be talking about, you can do a lot with. What it basically does is it allows code injection into the URL or into a link or anything like that. Basically you malform the URL with HTML or JavaScript to do whatever you so choose. It could be used for phishing or browser exploitation.
As far as phishing goes, I mean, you can use it to pass along phishing links, and for browser exploitation you can actually sometimes work things into it to crash browsers, and do session hijacking, which is what I will be talking about, and cookie stealing. It can be identified very easily. You can find cross-site scripting holes with minimal effort, just a little bit of time wasted. This is the easiest way that I found. There are many other ways, and I'm sure I don't even know of them all, but this is the easiest way. I'd like to state also that I'm not a programmer by any means. Anything that I do, I basically just learned, but I'm not a programmer. I absolutely hate it; it drives me crazy. So everything that I do here is basically just me learning things. I don't really know any languages backward and forward, so if you have questions about that, I'm not the guy to ask.

What you want to do to try to find XSS holes is just to insert code into the application, like the link I have below.
It's just the made-up trustedsite.org, and then the search CGI and the criteria. Normally the criteria would be whatever you're searching for that you may type into a text box, but in this case you can see what I put in there, the script, and what that would do is it would pop up the alert that said "lol internets," and that would obviously mean that it's open to cross-site scripting, because you injected JavaScript right into the URL, which should not be able to happen. The link structure above can be used to do anything, also. I mean, where it's bolded there, you can put anything you want in there. You could have it run a malicious script. You could display a cookie: instead of saying alert and the words I put there in quotes, you could have document.cookie, and it would display the cookie, in Firefox anyway. Like I said, if you really don't know too much about cross-site scripting, you want to just go on Google; there are plenty of sites. The wiki on it at Wikipedia isn't too bad, so you could take a look at that and learn a good bit, a lot of forums and whatnot.

The most widely used purpose for XSS hole exploits, in my opinion, is cookie stealing and session information. That's basically the point of what I'm talking about; at least on MySpace, that's the best use for it. Basically, in a nutshell, the attacker sends an authenticated user a link that contains cross-site scripting. The link takes the authenticated user to a site that will log their cookie. The attacker reviews the log file and steals information as necessary.
That's basically, in a nutshell, what you can do with the exploits, and obviously I'm going to go into depth with that.

MySpace obviously uses cookies. The way it works is, once you log in you get the cookies so you don't have to re-authenticate every time you go to a different portion of the site. Without the cookies you would have to re-authenticate every time you click a link to go to, like, the music pages or a forum or something like that. Obviously everyone knows that. It contains the session information and login information. It also sometimes contains... well, it's not a hundred percent that it even contains session information, depending on what browser the person is using, and for some reason I've actually seen it happen where they could be using the same platform as someone else, but they don't have the session information in their cookie. It's sort of random, but for the most part it works perfectly fine. Also, the email address is posted in there, and past search criteria. For some reason it shows the things you've searched for last and the last time you clicked, the date and time stamp. It may contain the encrypted password. I've never actually delved into that, so don't quote me on it, but I'm pretty sure I've heard somewhere that you can decrypt the password out of the cookie. I never really cared to do that.
So I never did. The session information can be used for a form of session hijacking. Obviously, session hijacking, when you usually hear the word you think of, you know, spoofing over a network, so you obtain the information that way and you take over their session, like on a network. I use it in this example because it sounds good. Basically, you can do it on the web just as easily as you can on a network. It's the same sort of idea, just a different implementation.

MySpace contains hundreds of undetected and undiscovered XSS vulnerabilities, so the one I'm going to be talking about is one of many, and there are thousands that have already been patched. They're fairly decent at patching them, in my opinion. I mean, some people will disagree, but for the most part they patch them relatively quickly when they're reported. I've known about 30 personally that were up, and then, you know, a week later I would go see if they're still there and they weren't there anymore.

MySpace deployed cross-site scripting filters to try to limit the amount of information that can be stolen using cross-site scripting, and it keeps you from finding them. It looks for, you know, embed tags. So, you know, for a while you could embed Flash right onto your page, and you can't do it anymore. I mean, you still can in some manners, but other times it kind of scans for it, and script tags. What it does is it just censors these tags into a period period. Instead of writing "script," it just takes the word "script" and turns it into two periods, and that's the filter they have. It has closed and hindered many attacks, and it gets kind of annoying. The filter isn't consistent, though. It changes per page. For some reason they don't patch every single page, from what I found. Every single page doesn't have the exact same filtering, depending on, I guess, how new it is or how it was designed. I'm not real sure. Some portions of the site are more liberal than others with the
way you can type in. Sometimes you can do embeds into certain areas; other times you can't. Just the way it's set up. I'm sure it's because it's so huge.

Luckily for us, though, the filters are easily avoided using encoding of some sort. Obviously what I have in the example is ASCII to hex or URL encode, and actually you can take what it says there, the simple encoding of <script>. It just decodes to that, and that would evade the filter, because it doesn't see the carets. It doesn't turn the word "script" into two periods, because the carets are what it's looking for. At the same time, sometimes... oh, sorry. Sometimes it does actually filter even though you encode the carets; it depends on the page, like I said. Other ways to avoid it are simple things like actually putting line breaks in between, like, say, the SC and the RIPT. That would be like if you typed SC and then hit enter a few times in the code, and it actually would evade the filter in that manner too. There's so many of those; it's another thing to Google and find. There's a couple good pages that show literally like 50 to 100 with explanations, and you can try them. The evasions have been patched on certain pages, though. Like I said, with the line breaks and with the encoding, sometimes the encoding doesn't work. It's basically just a crapshoot when you think about it, because there's chances it could work, chances
it could not. The best way to do it is just trial and error. You can go through and try whatever filters you can come up with in your head or on a web page and see if they work. And there's the site. That's the site I was talking about that has a really good list. I'm sure many of you, if you've ever looked this up before, know that site.

I'm going to talk about a previous exploit to lead into the exploit that I'll be talking about. This one was in the browse function of MySpace, which basically is a user search. You can search by your area, you can search within 20 miles and whatnot. It was found using trial and error. The exploit was used by me and by others to steal cookies and hijack current user sessions, like I talked about, take full control of the user, and it has been patched, this one.

This is the encoded URL for that exploit. Obviously you can see I encoded the carets and various other things into hex, but basically it says, you know, document.location is your web server, your cookie stealer, and then it adds document.cookie to your log file. Basically that's what that says, and it's basically what I said here too. It's encoded using hex. The XSS actually begins after searchrequest equals. The JavaScript points to a PHP file; the PHP file records document.cookie to a log file, and it could be easily replaced with a redirect to malicious code on a foreign domain or anything like that. Anything you'd want, you could run a malicious script right through it. You don't even need to redirect if you didn't want to. That's the way it worked. This was an early cross-site scripting hole. I mean, it was found and it was exploited majorly for a while, and then MySpace patched it, but it was a while ago, probably maybe even a year.

It's kind of hard to see on the page; this is actually very difficult to see, but this is basically my log file. That's all this
of cookies. The blank spaces are just smaller cookies, but I mean, if you can see the scroll bar, it goes up and down, rather long. All it takes is some time to get people to click it and you get their cookie.

I'll be talking about the cookie. It's broken down into various parts; MySpace broke down the cookie for us and makes it kind of easy. Like I said, it contains last display name, last logged in, logged-in email, last search page, and various other things, depending on what the user just did on MySpace. It contains the current user session, which is called MyUserInfo, and that made it kind of easy for us, because MyUserInfo is generally the cookie of choice for session information. The limitation with this overall is that it's only valid while the person is logged in. Once the person logs out, the cookie dies. I never tried to actually extend the life of the cookie to see if it would last longer; I've never really delved into that either. But I know if they log out, the session information dies, so if you try to use the MyUserInfo it just fails; it doesn't work.

There is an example of MyUserInfo. I know all of you guys want to write that down, so go ahead and do it real quick. I'll give you a minute. That's actually the user session right there. That's usually what it looks like. It ends with a semicolon; I didn't put that in there, but usually you can tell the end by a semicolon. It absolutely means nothing to me. I have no idea what that says. Actually, it's funny, I just read a couple days ago that you can decode that and it actually turns into something. I don't remember where I read it or what I was searching for when I found it, but I heard that it actually is encoded into something. Don't ask me what. Obviously, like I said, it can be used to hijack.
You must have a MySpace account to use this. So all the people that don't have one because they think it's too lame: you're right, but you need to have one in order to do this, obviously. Once the user has clicked through the encoded link that I showed earlier, that's how we get their cookie, and obviously, like I said, it adds it to a log file. So once they click it, all you have to do is review the log file. Simply copy and paste the stolen MyUserInfo into your current MySpace cookie using a cookie editor of your choice. I think this actually only worked in Firefox. I haven't used Internet Explorer in a while, so I haven't even tested it, but this one worked in Firefox, and that's what I use. I use Add N Edit Cookies; I'm sure many people have heard of it before, but that's what I use for Firefox. Once you refresh your browser, all you have to do is refresh and you're taken to their home page and you are greeted as them. It's really as simple as that.

Now I'll be talking about the zero-day. I don't want to get too ahead here, because I talk quickly and I obviously haven't killed that much time yet. Before I get started here, because I know there's legality issues here with MySpace and other things like that: this has been reported, and it has been for a few months. They haven't patched it; I'm not sure why. Obviously this is the main point of this presentation and why many of you are probably here, but I wanted to let everyone know that this has not been patched, but it has been reported, and anyone that says it hasn't been is lying.
It's been reported by multiple people, and I know it. It involves the main domain generalization. It doesn't perform any sort of filtering if you cross-domain link. It's kind of a weird concept to talk about just by saying it, but you'll see it in the next few slides. For some reason it passes any JavaScript that you put on your web server to their web server, and it can use cross-site scripting just to do it like that. What you need to do is put a page with an iframe containing MySpace on your web server of choice and use cross-site scripting to steal the cookie. All they need to do is click the link, and since it is on your domain it can be easily hidden as anything. You could call the page, you know, "slide show" or "my pictures" or goatse, if anyone likes goatse. And if they're like, "oh wow, I like goatse a lot," and then, "oh wow, I just clicked that, where's my cookie?" You know, stuff happens.

This is the code that you need to put in your iframe. You can take a look at it. Like I said, I'm not a programmer, but I know what that says. Basically it takes the cookie from the iframe and logs it to the PHP file. I just used a random example for the server. This all, I believe, is included in the CD that everyone has gotten when they paid their hundred dollars, so if you want to use that, it's on the CD. I did not hide anything in this presentation. You guys can see everything that I've used and everything I will use.
I also want to mention that the exploit that I'm talking about right now was not exactly found just by me, so I don't want anyone to get the wrong idea that I've been taking credit for this by saying it. There was a group of people that found it, and I sort of just expanded on what they found. It was a group effort type of thing on a forum that I won't mention, but basically it was found by multiple people, so I'm not trying to steal credit from anyone where it deserves credit. I just kind of expanded on it and took what I knew previously and added to it.

That will steal the user's cookie right there, because, as you saw, it steals the cookie by taking the frame, taking document.cookie, and logging it to a file. It's more of a general vulnerability, because it doesn't directly involve putting the cross-site scripting in a MySpace link and staying just in MySpace. Obviously you have to go to this other web server to actually use it, but the fundamentals of cross-site scripting are there, and anyone can learn tons from just that. The PHP file calls a text file and just writes the cookie to it; it just opens it and writes the cookie. And obviously, if you didn't want to make the page look so conspicuous... I mean, I never cared, because I don't send these things out to people when I find this stuff. I don't use it for anything. I mean, I don't have any reason to hack anyone's MySpace. I mean, it's MySpace. What do I want with that? I have my own.
I just know how to do it, you know. So mine is plain and simple; it just has a little iframe of MySpace in it, and then it redirects to my cookie logger and you get a blank page. But if you wanted to, after the cookie logger you could have it redirect back to the MySpace homepage, and they wouldn't even know anything happened. They'd see the iframe for a moment and then it would disappear, or you could even make the iframe so little, you could make it like two by two pixels, and then you wouldn't even see it, and then it would go to the next page. Really up to you. I never messed with how it looked. I don't really care.

This is the PHP file. I basically took it from the internet. I just kind of Googled it and added whatever I needed to do it, because, like I said, I'm not a programmer. I know some PHP, but not that much. I know what that says: it just opens the cookie log and writes the cookie.

This is the URL that would need to be sent to the authenticated MySpace user, and that may look simple to you, but if you notice, after the dot-com there's a dot, and that's basically the entire exploit and why it works. Without the dot it doesn't work. That's part of the domain generalization. I believe the reason it's like that is because they had ads that use that in order to pass JavaScript to their server, and obviously they're not going to tell their ad people that pay them that they're not going to be able to do that. Someone found that, and found it on another site and not just MySpace, and you can use that to exploit this. That's basically the only reason it works. Without the dot, none of this works, so make sure if you're going to try this you have the dot. But don't try it, because it's bad. You shouldn't be doing that anyway. Don't ever try this, ever. Just know it.
That's all. And it's Caturday. You need to post more cats. It's actually Sunday, but every day is Caturday. Like I said, the dot at the end of .com is the reason why this works, and "caturday lol" is the HTML page, which just contains the iframe. All you have to do to exploit the vulnerability once you've stolen the cookie is log in, review the log, copy the MyUserInfo into your user info (obviously I stated this), and refresh the browser. I just wanted to reiterate that it is no harder than what I talked about earlier. It's the same sort of thing, no big deal, and you now are the user that clicked your finely crafted hidden link that, you know, looks like crap anyway.

The limitations to this: like I said, the user must be logged in, but other than that, the user must use Mozilla Firefox, and I will talk about that in a second. The person will know what the link is they recently clicked, and that's a limitation if you don't have it look hidden. Say you posted in a bulletin, and my name's Rick, and they saw Rick's bulletin and they clicked it, and then they noticed that their page now has goatse on it. They might suspect something, because they clicked your link last, so they may know, and then they'll come after you and beat you with a baseball bat, because MySpace is really important. That's where everyone's friends are at, you know, internet friends. Obviously you can hurt your friends' feelings also by putting goatse on their page. They may be offended by goatse. I know I'm not; I like it. It's my background. Depending on what you do also with their page, you can change it to be funny, you can change it to do whatever, but obviously don't, because that's bad.
I'll be doing none of that stuff. But I found out just a couple days ago, and I didn't even notice until I tried to test this again after I updated my Firefox, that Firefox 2.0.0.5 finally implemented HttpOnly cookies, which doesn't let you get the user session anymore. Which is bad for me, because I tried to do this presentation and I'm like, "oh wait, it doesn't work anymore," and then I realized that's a problem. So what you need to do is, I mean, not everyone updates their Firefox, and this, as far as I know, never worked on IE, not for a while anyway, because I'm pretty sure they've used HttpOnly for a while. Like I said, I haven't used IE in forever, so if I'm wrong, don't throw things at me. If you use the older version it works perfectly fine. But also, I've never messed with this yet because I didn't have time. Like I said, it was 8/2, that's like the day before I left to come to Las Vegas, and it was like midnight when I was looking at this, so I didn't feel like doing it again. But I was reading you can use XMLHttpRequest to obtain the cookie. It just is a lot more difficult than just using document.cookie, but I think if you know the language then it should be no problem. It's just as easy; you just need to use that instead, because that doesn't block HttpOnly cookies. MyUserInfo is part of the cookie, but it's actually the only part that's blocked, because it's HttpOnly. It keeps cross-site scripting from happening, and that's why it's been implemented. People have apparently wanted it in Firefox for a while.

Now I'm going to do the demonstration here and hope everything goes well. We'll start by... this is my MySpace, see it, and we're going to call Dan up here in a minute, but we're going to go to Dan's page. Oh, no, we're not, just kidding.
Oh, getting an IP address, hold on. So for this example, we're going to send Dan a message containing my exploit. There's my server hosting that, and Dan will click it because he always wants a cheeseburger, and it says "I can has cheeseburger." So I mean, come on, I'm his friend, just so he knows, just in case he doesn't realize it. So I just sent him the link here, and now I'm going to log out, so you guys stop looking at my messages, and then Dan is going to come up here. Come on up, Dan. Doesn't it suck Bob Barker's off Price Is Right now? I love Bob Barker. No? Oh, there, you guys like that? There you go. Better? No? Well, then get new glasses. Later. That's all right. Now Dan is going to read the message I sent him and... changes password. I told you he wanted a cheeseburger. Oh, and now it's not forwarding, of course. Of course, why would it work when I'm not at... Let's try again. I had some catastrophic failure. He was actually supposed to be in the audience using my second laptop, but the master boot record got messed up 20 minutes before my speech, so this actually isn't going to work exactly the way it should. What he should be doing is clicking this link, I should be up here, and then I should review the cookie log and he should have his cookie in my cookie log, and I was going to refresh my browser and become him. But since we're logged in as him, I'm going to basically show you exactly what you need to do, but it actually isn't going to work the perfect way. Sorry, guys. I apologize; my laptop is older than me, and of course it's not forwarding. Okay, well, we're going to go to the cookie log. Thanks, Dan. Thanks for giving everyone your password. We tested this a couple days ago, and for whatever reason the script file is deciding not to work right now, but this is an older log.
Like I said, I can't show you guys exactly how it worked anyway, because he doesn't have the laptop out there, so we'll just use this. But here's the MyUserInfo. So what you do is you scroll for a year. Nothing can ever go right when you want it to, you know. I tested this like the... Yeah, I know you guys are all perfect and I just suck. It sucks. So that is the portion of the cookie we need. I'm sure you guys loved how it took an hour. So now from this point I'm going to go into my cookie editor. Don't look at all the porn, please. MyUserInfo. I'm using Add N... actually I'm using a different cookie editor for this one. I usually use Add N Edit. I'm using this right now because it was quicker to find. So there's the MyUserInfo cookie right there. I'm editing it, I'm taking what I just copied, and I'm just going to paste it, saving it, closing it, going back to MySpace, going home off my page. Obviously the cookie was old, so it's not going to actually work right now, but usually all you have to do is click home and you would be Dan Hammond, and that was basically it. I'm sorry that it couldn't work perfectly the way I wanted it to, but it will work if you guys try it at home, unless of course MySpace patches the vulnerability overnight, which would make me very upset. But basically that is it, and it will work once you... if you're not on a stage, it'll work perfectly fine. Trust me. I'm not embarrassed by it. So that was the demonstration. I'm glad you guys watched it; obviously, like I said, it would have worked perfectly fine.

Tools I used: Firefox, Notepad, and a brain, or lack thereof, depending on who you're hacking and what network you're on and whether you like to be sued. Add N Edit Cookies, like I said. That's basically the tools I used. These are some penetration testing tools that can also be used. It's probably really small up there, but I copied it from a previous presentation.
I did basically just some good stuff to use for finding cross-site scripting: Tamper Data, Add N Edit Cookies, Firebug, FireKeeper, HackBar, SwitchProxy, and Tor for anonymous purposes, obviously. I think there was a couple speeches I didn't get to catch about Tor; I'm sorry about that, but I would have loved to. Paros also, which is a web vulnerability scanning proxy, and that's good for finding cross-site scripting. Acunetix, another one. Nikto and Wikto, for Linux and Windows web pen testing. And I think I do have time here; I have another 15 minutes, I believe, up here. So if anyone has any questions, we can ask them here, or you can ask them in the Q&A room where I'll be next. I wanted to thank everybody for coming. Thank you for filling the room; I didn't expect it at all. Hopefully everybody enjoyed watching it not work, but it will work, I promise you that. Thank you.
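As an added defensive example (not code from the talk, the slides, or MySpace), the following Python sketch shows the two controls that close the cookie-theft path described above: output encoding in place of the "script to .." blacklist the speaker describes, and the HttpOnly flag on the session cookie (called MyUserInfo in the talk) that Firefox 2.0.0.5 started honouring. The filter, the Set-Cookie header strings and the search-box inputs are constructed stand-ins; the cookie value and server names are made up.

```python
"""Defensive companion to the talk: output encoding versus a word blacklist,
and a Set-Cookie audit for the HttpOnly flag. All inputs are constructed."""
import html
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# --- 1. Why a blacklist filter is not a fix -------------------------------

def blacklist_filter(text: str) -> str:
    """Constructed stand-in for the filter the talk describes: it looks for a
    caret followed by 'script' and rewrites the word to '..'. Nothing else
    is inspected, and it runs on the raw request before URL decoding."""
    return re.sub(r"(<\s*/?)script", r"\1..", text, flags=re.IGNORECASE)

def encode_for_html_text(value: str) -> str:
    """Output encoding: every character that can change HTML structure in a
    text or attribute context is replaced by its entity."""
    return html.escape(value, quote=True)

def contains_script_tag(value: str) -> bool:
    """True if a script tag (open or close) survives in the final HTML."""
    return re.search(r"<\s*/?script", value, re.IGNORECASE) is not None

def compare_filters(criteria: str) -> dict:
    """Run one search-box value through both approaches.

    The blacklist is applied to the raw input and the value is URL-decoded
    afterwards (the ordering the talk describes). The encoder is applied at
    output time, after decoding, which is where it belongs.
    """
    decoded_after_blacklist = unquote(blacklist_filter(criteria))
    encoded_at_output = encode_for_html_text(unquote(criteria))
    return {
        "blacklist_output": decoded_after_blacklist,
        "blacklist_still_dangerous": contains_script_tag(decoded_after_blacklist),
        "encoded_output": encoded_at_output,
        "encoded_still_dangerous": contains_script_tag(encoded_at_output),
    }

# Constructed inputs modelled on the probe shown in the talk: the plain form
# and the hex/URL-encoded form that the blacklist never sees a caret in.
PLAIN = "<script>alert('lol internets')</script>"
URL_ENCODED = "%3Cscript%3Ealert('lol internets')%3C/script%3E"

# --- 2. Session cookie flags ----------------------------------------------

SESSION_COOKIE = "MyUserInfo"  # name as given in the talk

def audit_set_cookie(header_value: str) -> list:
    """Return the attributes missing from the session cookie in one
    Set-Cookie header value ('HttpOnly' and/or 'Secure'); [] if hardened or
    if the header carries a different cookie."""
    jar = SimpleCookie()
    jar.load(header_value)
    missing = []
    for name, morsel in jar.items():
        if name.lower() != SESSION_COOKIE.lower():
            continue
        if not morsel["httponly"]:  # readable through document.cookie
            missing.append("HttpOnly")
        if not morsel["secure"]:    # sent over plain HTTP, sniffable
            missing.append("Secure")
    return missing

def hardened_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header value with the flags the audit expects."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, probe in (("plain", PLAIN), ("url-encoded", URL_ENCODED)):
        r = compare_filters(probe)
        print(f"{label}: blacklist dangerous={r['blacklist_still_dangerous']}, "
              f"encoded dangerous={r['encoded_still_dangerous']}")
    weak = "MyUserInfo=abc123; Path=/"            # constructed header
    print("weak header missing:", audit_set_cookie(weak))
    print("hardened header missing:",
          audit_set_cookie(hardened_set_cookie(SESSION_COOKIE, "abc123")))
```

The blacklist neutralises the plain probe but passes the URL-encoded one through untouched, while entity encoding at output time leaves neither executable; the audit flags the first header and accepts the hardened one.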