Comments on: The Attack of the TINY URLs http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls/ Information Security Think Tank Sun, 23 Nov 2008 12:59:02 +0000 http://wordpress.org/?v=2.6.3 By: pdp http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls/#comment-1754 pdp Tue, 02 Jan 2007 19:37:03 +0000 http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls#comment-1754 interesting piece of code interesting piece of code

]]> By: luma http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls/#comment-1731 luma Mon, 01 Jan 2007 20:55:25 +0000 http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls#comment-1731 Yes interesting, I decided to write my own version: This only works in localhost <pre><code>lol = document.createElement('iframe'); lol.src = 'http://tinyurl.com/ym7yba'; document.body.appendChild(lol); function printCODE() { code = lol.contentDocument.location + ''; if(code) { body = document.getElementById('code'); code = unescape(code); body.innerHTML = code.substr(28, code.length-18); } else { alert('error'); } } setInterval("printCODE()", 3000);</code></pre> Yes interesting, I decided to write my own version:

This only works in localhost

lol = document.createElement('iframe');
lol.src = 'http://tinyurl.com/ym7yba';
document.body.appendChild(lol);

function printCODE()
{
code = lol.contentDocument.location + '';

if(code)
 {
 body = document.getElementById('code');
 code = unescape(code);
 body.innerHTML = code.substr(28, code.length-18);
 }
 else
 {
 alert('error');
 }
}

setInterval("printCODE()", 3000);
]]> By: Operation n » TinyURL Exploitation http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls/#comment-1391 Operation n » TinyURL Exploitation Fri, 22 Dec 2006 02:19:02 +0000 http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls#comment-1391 [...] It isn’t new that TinyURL type sites can be used in phishing attacks; although I haven’t seen any of these myself. More interestingly was the article pdp released a short time ago: TinyURL as a storage house for mobile code. I thought this was an absolutely awesome idea. [...] [...] It isn’t new that TinyURL type sites can be used in phishing attacks; although I haven’t seen any of these myself. More interestingly was the article pdp released a short time ago: TinyURL as a storage house for mobile code. I thought this was an absolutely awesome idea. [...]

]]> By: Planeta cPanel » Top 10 Web Hacks of 2006 http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls/#comment-1254 Planeta cPanel » Top 10 Web Hacks of 2006 Sat, 16 Dec 2006 02:19:38 +0000 http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls#comment-1254 [...] Full ListThe Attack of the TINY URLsBackdooring MP3 FilesBackdooring QuickTime MoviesCSS history hacking with evil marketingI know where you’ve beenStealing Search Engine Queries with JavaScriptHacking RSS FeedsMX Injection : Capturing and Exploiting Hidden Mail ServersBlind web server fingerprintingJavaScript Port ScanningCSRF with MS WordBackdooring PDF FilesExponential XSS AttacksMalformed URL in Image Tag Fingerprints Internet ExplorerJavaScript Portscanning and bypassing HTTP AuthBruteforcing HTTP Auth in Firefox with JavaScriptBypassingMozilla Port BlockingHow to defeat digg.comA story that diggsitselfExpect Header Injection Via FlashForging HTTP request headers with FlashCross Domain Leakage With Image SizeEnumerating Through User AccountsWidespread XSS for Google Search ApplianceDetecting States of Authentication With Protected ImagesXSS Fragmentation AttacksPoking new holes with Flash Crossdomain Policy FilesGoogle Indexes XSSXML Intranet Port ScanningIMAP Vulnerable to XSSDetecting Privoxy Users and Circumventing ItUsing CSS to De-AnonymizeResponse Splitting Filter EvasionCSS History Stealing Acts As CookieDetecting FireFox ExtentionsStealing User Information Via Automatic Form FillingCircumventing DNS Pinning for XSSNetflix.com XSRF vulnBrowser Port Scanning without JavaScriptWidespread XSS for Google Search ApplianceBypassing Filters With EncodingVariable Width EncodingNetwork Scanning with HTTP without JavaScriptAT&T Hack Highlights Web Site Vulnerabilities How to get linked from SlashdotF5 and Acunetix XSS disclosureAnti-DNS Pinning and Circumventing Anti-Anti DNS pinningGoogle plugs phishing holeNikon magazine hit with security breachGovernator HackMetaverse breached: Second Life customer database hackedHostGator: cPanel Security Hole Exploited in Mass HackI know what you’ve got (Firefox Extensions)ABC News (AU) XSS linking the reporter to Al QaedaAccount Hijackings Force LiveJournal ChangesXanga Hit By Script WormAdvanced Web Attack Techniques using GMailPayPal Security Flaw allows Identity TheftInternet Explorer 7 “mhtml:” Redirection Information DisclosureBypassing of web filters by using ASCII Selecting Encoding Methods For XSS Filter EvasionAdultspace XSS WormAnonymizing RFI Attacks Through GoogleGoogle Hacks On Your BehalfGoogle Dorks Strike Again [...] [...] Full ListThe Attack of the TINY URLsBackdooring MP3 FilesBackdooring QuickTime MoviesCSS history hacking with evil marketingI know where you’ve beenStealing Search Engine Queries with JavaScriptHacking RSS FeedsMX Injection : Capturing and Exploiting Hidden Mail ServersBlind web server fingerprintingJavaScript Port ScanningCSRF with MS WordBackdooring PDF FilesExponential XSS AttacksMalformed URL in Image Tag Fingerprints Internet ExplorerJavaScript Portscanning and bypassing HTTP AuthBruteforcing HTTP Auth in Firefox with JavaScriptBypassingMozilla Port BlockingHow to defeat digg.comA story that diggsitselfExpect Header Injection Via FlashForging HTTP request headers with FlashCross Domain Leakage With Image SizeEnumerating Through User AccountsWidespread XSS for Google Search ApplianceDetecting States of Authentication With Protected ImagesXSS Fragmentation AttacksPoking new holes with Flash Crossdomain Policy FilesGoogle Indexes XSSXML Intranet Port ScanningIMAP Vulnerable to XSSDetecting Privoxy Users and Circumventing ItUsing CSS to De-AnonymizeResponse Splitting Filter EvasionCSS History Stealing Acts As CookieDetecting FireFox ExtentionsStealing User Information Via Automatic Form FillingCircumventing DNS Pinning for XSSNetflix.com XSRF vulnBrowser Port Scanning without JavaScriptWidespread XSS for Google Search ApplianceBypassing Filters With EncodingVariable Width EncodingNetwork Scanning with HTTP without JavaScriptAT&T Hack Highlights Web Site Vulnerabilities How to get linked from SlashdotF5 and Acunetix XSS disclosureAnti-DNS Pinning and Circumventing Anti-Anti DNS pinningGoogle plugs phishing holeNikon magazine hit with security breachGovernator HackMetaverse breached: Second Life customer database hackedHostGator: cPanel Security Hole Exploited in Mass HackI know what you’ve got (Firefox Extensions)ABC News (AU) XSS linking the reporter to Al QaedaAccount Hijackings Force LiveJournal ChangesXanga Hit By Script WormAdvanced Web Attack Techniques using GMailPayPal Security Flaw allows Identity TheftInternet Explorer 7 “mhtml:” Redirection Information DisclosureBypassing of web filters by using ASCII Selecting Encoding Methods For XSS Filter EvasionAdultspace XSS WormAnonymizing RFI Attacks Through GoogleGoogle Hacks On Your BehalfGoogle Dorks Strike Again [...]

]]> By: pdp http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls/#comment-669 pdp Thu, 16 Nov 2006 06:24:36 +0000 http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls#comment-669 maluc, I tried to be ironic. tinyurl does have persistent XSS but I am not disclousing that, and it doesn't matter anyway. <blockquote>And you say it’s to use for remote storage, but what sort of example storage would a javascript worm need? i mean, i can’t think of a way to load any dynamic flash or file like this with IE. Like can you think of a sample attack using it? i’m just drawing a blank..</blockquote> This is easy. Get the base64 value and append the following in front of it: data:application/x-shockwave-flash;base64,. Put that into an iframe src attribute and you have the flash running. This doesn't work on IE though. More on that <a href="http://www.gnucitizen.org/blog/self-contained-xss-attacks" rel="nofollow">here</a> and <a href="http://www.gnucitizen.org/blog/a-bag-full-of-tricks" rel="nofollow">here</a>. <blockquote>... but there’s a lot of ways to use remote storage ... you can put it on any site that allows user content</blockquote> Yes I agree on that, but I want something that is more agile, as I said in this post. I want to create a virtual file system that the agent can operate without requiring assistance. This is where tinyurl shines: everyone is free to shrink, no registration is required. maluc,

I tried to be ironic. tinyurl does have persistent XSS but I am not disclousing that, and it doesn’t matter anyway.

And you say it’s to use for remote storage, but what sort of example storage would a javascript worm need? i mean, i can’t think of a way to load any dynamic flash or file like this with IE. Like can you think of a sample attack using it? i’m just drawing a blank..

This is easy. Get the base64 value and append the following in front of it: data:application/x-shockwave-flash;base64,. Put that into an iframe src attribute and you have the flash running. This doesn’t work on IE though. More on that here and here.

… but there’s a lot of ways to use remote storage … you can put it on any site that allows user content

Yes I agree on that, but I want something that is more agile, as I said in this post. I want to create a virtual file system that the agent can operate without requiring assistance. This is where tinyurl shines: everyone is free to shrink, no registration is required.

]]> By: maluc http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls/#comment-664 maluc Thu, 16 Nov 2006 05:21:34 +0000 http://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls#comment-664 Actually, tinyurl does have a persistent XSS. So i think the more accurate sentence would be "This does NOT use an XSS on tinyurl." And you say it's to use for remote storage, but what sort of example storage would a javascript worm need? i mean, i can't think of a way to load any dynamic flash or file like this with IE. Like can you think of a sample attack using it? i'm just drawing a blank.. It's a good idea if it does have some use.. but there's alot of ways to use remote storage. For example, putting it on a myspace page.. then using your double proxy iframes method to extract it. You can put it on anyy site that allows user content - forums, comments, wordpress, etc. Assuming it can handle the bandwidth of a worm. -maluc Actually, tinyurl does have a persistent XSS. So i think the more accurate sentence would be “This does NOT use an XSS on tinyurl.”

And you say it’s to use for remote storage, but what sort of example storage would a javascript worm need? i mean, i can’t think of a way to load any dynamic flash or file like this with IE. Like can you think of a sample attack using it? i’m just drawing a blank..

It’s a good idea if it does have some use.. but there’s alot of ways to use remote storage. For example, putting it on a myspace page.. then using your double proxy iframes method to extract it. You can put it on anyy site that allows user content - forums, comments, wordpress, etc. Assuming it can handle the bandwidth of a worm.

-maluc

]]>