lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Dec 2017 15:24:10 +0100
From: Zmx <>
Subject: [FD] Google supported XSS kit aka AdExchange iframe buster kit

Hi list,

The DFP AdExchange service of Google (the service who provide ads) is
distributing an "Iframe Buster Kit" in order to allow iframe ads to expand
outside of the iFrame.

This needs some bypass of the restriction applied to iframe, so Google
provide a kit to install on your website:
- Help Document:
- Kit:

The kit contains several html and js files to be hosted on your domains.

Some of those files (still provide by Google, remember) contains very
visible XSS code:
One of them is "predicta" that simply allow you to pass the domain of from
where to load the javascript.

Quick proof of concept:

As expandable ads allow website to gain more ads revenue, those kits is
present in a lot of website.

Other "iframe buster kit" exist that are not provided by Google, and some
of them are also vulnerable.

>From my list I have:
- /admotion/afa-iframe.htm?iq=
- /ipinyou/py_buster.html?pybust=
- /rockabox/rockabox_buster.html?rbbust= (look
like different version exist however)
- /undertone/iframe-buster.html?ajurl=

Some source:
- Code of predicta_bf.html provide by Google in the kit:
- Code of :
- Code of rockabox:


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists