Date: Tue, 19 Dec 2017 17:09:26 +0100
From: Zmx <>
Subject: Re: [FD] Google supported XSS kit aka AdExchange iframe buster kit

Some more details:

1) The Google article seems to link the problematic kit only in non-English
locales (check the French or Spanish version).
2) In order for predicta to work, you must host your JavaScript at a
specific path: /mrm-ad/commons.js

2017-12-19 15:24 GMT+01:00 Zmx <>:

> Hi list,
> The DFP AdExchange service of Google (the service that provides ads) is
> distributing an "Iframe Buster Kit" in order to allow iframe ads to expand
> outside of the iframe.
> This needs some bypass of the restrictions applied to iframes, so Google
> provides a kit to install on your website:
> - Help Document:
> - Kit:
> DB3CE51C3A5F783ED8198CDA753995FEB913
> The kit contains several HTML and JS files to be hosted on your domains.
> Some of those files (still provided by Google, remember) contain very
> visible XSS code:
> One of them is "predicta", which simply allows you to pass the domain from
> which to load the JavaScript.
> Quick proof of concept:
> -
> As expandable ads allow websites to gain more ad revenue, those kits are
> present in a lot of websites.
> Other "iframe buster kits" exist that are not provided by Google, and some
> of them are also vulnerable.
> From my list I have:
> - /admotion/afa-iframe.htm?iq=
> - /ipinyou/py_buster.html?pybust=
> - /rockabox/rockabox_buster.html?rbbust= (looks
> like different versions exist, however)
> - /undertone/iframe-buster.html?ajurl=
> Some sources:
> - Code of predicta_bf.html provided by Google in the kit:
> - Code of :
> - Code of rockabox:
> Tr4L
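Added example, not code from the post or from any of the kits it names: a generic illustration of the flaw the thread describes (a buster page that takes the host of the script it loads from its own query string) next to the allowlist check a site operator hosting such a page would want. The function names, the parameter name "domain" and the host ads.example.com are constructed for this illustration; only the path /mrm-ad/commons.js comes from the post.

```javascript
// Constructed allowlist: the only origin this site agrees to load ad scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set(["ads.example.com"]);

// Vulnerable pattern (hypothetical, modelled on the post's description):
// whatever arrives in the "domain" parameter becomes the script's source,
// so any page can point the buster at a host it controls.
function unsafeScriptUrl(queryString) {
  const params = new URLSearchParams(queryString);
  const host = params.get("domain");
  return host ? "//" + host + "/mrm-ad/commons.js" : null;
}

// Hardened pattern: parse the value strictly as a hostname, reject anything
// that does not round-trip (paths, userinfo, schemes, ports), compare it to
// the allowlist, and build a fixed https URL on the approved host.
function safeScriptUrl(queryString) {
  const params = new URLSearchParams(queryString);
  const raw = params.get("domain");
  if (!raw) return null;
  let host;
  try {
    host = new URL("https://" + raw).host; // normalises; throws on garbage
  } catch (e) {
    return null;
  }
  // "evil.example/x", "evil@ads.example.com" or "ads.example.com/../" all
  // parse to a different host than the raw string, so they are refused here.
  if (host !== raw.toLowerCase()) return null;
  if (!ALLOWED_SCRIPT_HOSTS.has(host)) return null;
  return "https://" + host + "/mrm-ad/commons.js";
}

// Stand-alone demonstration on constructed query strings.
if (typeof require !== "undefined" && require.main === module) {
  for (const q of ["domain=ads.example.com", "domain=evil.example", "domain=evil.example%40ads.example.com"]) {
    console.log(q, "->", "unsafe:", unsafeScriptUrl(q), "safe:", safeScriptUrl(q));
  }
}
```

The round-trip comparison is what makes the check robust: instead of trying to blacklist characters, it asks the URL parser what host the browser would actually contact and only accepts the value when that host is exactly what was passed and is on the allowlist.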

Sent through the Full Disclosure mailing list