Hi. Seeing as there has been a recent discussion about cross scripting on high profile sites, I thought it timely to release details of cross script opportunities on MSN's chat service.

[Introduction]

MSN Chat is an IRCX network with a web based client (an ActiveX control). Cross scripting has been discussed at length elsewhere so I won't describe it here. MSN have been notified about this advisory.

[Details]

Here are two cross scripting situations. Unicode is used to pass certain characters; converting the whole cross script part to unicode further obfuscates the URL, making it easier to trick a user into clicking it.

http://chat.msn.com/chatroom.msnw?rm=%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E

Note: A URL similar to the one above may be obtained by using the form on http://chat.msn.com/create.msnw to create a room. The form provides some basic client-side validation to check for illegal characters (< and >). This advisory goes to show the client-side checking has very little purpose (IMHO).

http://chat.msn.com/invite.msnw?hexUserName=%3Cscript%3Ealert(document.cookie)%3B%3C%5c%2Fscript%3E&hexnick=AAAAA&InvitationCode=123456789&mode=2

Note: As this string appears in quotes I have had to escape the / in the script tag.

The implication of the two URLs above is that passport cookies in the msn.com domain can be stolen by tricking a user into visiting a malicious webpage. This can be achieved easily since the MSN chat control conveniently creates a clickable link when it detects the string http://.

The first URL has a limit on the number of characters that can be present in the cross script, since it represents the name of a chat room the victim supposedly wishes to join. The chat control will throw an error about illegal characters in the chat room name if the page is allowed to load fully (better to put a window.location="about::"; at the end of the cross script if you have room). The second URL has no such limitation.
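To show why the client-side check on the create-room form does not cover the reflection in the two URLs above, here is an added Python example (not code from the advisory or from MSN): the handler and function names are hypothetical, the payload is a constructed stand-in for the ones above, and the fixed invite handler assumes the value lands inside a quoted JavaScript string, as the second note says.

```python
# Added example (not from the advisory): the "<"/">" check runs on the raw form
# value, but the server decodes %3C/%3E afterwards, so only server-side,
# context-aware encoding closes the hole. Handler names are hypothetical.
import html
import json
from urllib.parse import unquote

# Constructed payload, URL-encoded like the advisory's first URL (alert(1) stands
# in for the cookie-reading payload shown above).
ENCODED_RM = "%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E"


def client_side_check(raw_value: str) -> bool:
    """Mimics the form's client-side validation: rejects only literal < and >."""
    return "<" not in raw_value and ">" not in raw_value


def render_room_page_vulnerable(rm_param: str) -> str:
    """Reflects the decoded room name straight into the HTML body (the flaw)."""
    room = unquote(rm_param)
    return f"<h1>Joining room: {room}</h1>"


def render_room_page_fixed(rm_param: str) -> str:
    """Same page, but HTML-encodes the value for an HTML text/attribute context."""
    room = unquote(rm_param)
    return f"<h1>Joining room: {html.escape(room, quote=True)}</h1>"


def render_invite_script_fixed(hex_user_name: str) -> str:
    """invite.msnw case: the value lands inside a quoted JavaScript string.
    A JSON string literal is a valid JS literal; '</' is additionally broken up
    so the HTML parser cannot see a closing </script> inside the literal."""
    user = unquote(hex_user_name)
    literal = json.dumps(user).replace("</", "<\\/")
    return f"<script>var inviter = {literal};</script>"


def payload_reflected(page: str, encoded_param: str = ENCODED_RM) -> bool:
    """Defender-side regression check: does the decoded payload survive
    verbatim into the response (the same idea as the scan sketched below)?"""
    return unquote(encoded_param) in page


if __name__ == "__main__":
    print("client-side check passes:", client_side_check(ENCODED_RM))
    print("vulnerable reflects:", payload_reflected(render_room_page_vulnerable(ENCODED_RM)))
    print("fixed reflects:", payload_reflected(render_room_page_fixed(ENCODED_RM)))
    print("invite fixed reflects:", payload_reflected(render_invite_script_fixed(ENCODED_RM)))
```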
Let us now discuss the implications for MSN Chat. The above URLs enable an attacker to impersonate another user on the chat service and alter his/her nickname and profile. The three cookies that are of interest are:

MSPProf (Profile information)
MSPAuth (Authentication information)
MSNChatNN (Nickname)

It is possible for an attacker only to use the victim's MSNChatNN, thus stealing his nickname but not his identity as such. Some chat room operators use non-MSN clients to allow use of more advanced IRCX commands, e.g. the ACCESS command to auto-host depending on nickname/identity etc. Obviously this is not a good idea in light of this bug.

[About Cross Scripting in general]

I would agree with earlier postings about the extent of cross scripting vulnerabilities. I visited a number of UK retailers' websites and I would say that 80 - 90% were vulnerable to cross scripting. I was (am?) planning to release a list or attempt to contact site admins to inform them. This got me thinking about automating detection of cross scripting vulnerabilities - at the basic level, scanning a page for any forms, returning the form with some arbitrary input, then scanning the returned page for that same input. Of course this is largely simplified but it is an interesting idea. If anyone is interested in discussing this, please get in contact.

[The Obligatory Greetings]

.ox ppl I know & the boyz@103 :)

Thanks
John
-------------------------------------------
john.heasman@univ.ox.ac.uk
-------------------------------------------