*History* Almost two years ago I reported to the full disclosure list my finding about the usage of IFrameBusterKit (often provided by Google) in order to help advertising.
Sadly a lot of those file (that you host on your own domain) have really easy XSS include in them. After the report, Google quickly remove most of the kit, and email user to warn them about removing those file: https://support.google.com/admanager/answer/7622991 *The Tools* As of today, a lot of those file are still present on a lot of websites, and are not detected by any tools that I know, that's the reason I created the following scripts: https://github.com/tr4l/iframeBusterXSS The script simply scan for know URL (way more than on the original report from Google), and check some regexp to ensure the content seems to be what we look for. The docs section contains sample file that I gathered on real website, and for some of them a PoC on how to trigger the XSS. *Proof of concept* My last work was on two (not fully explained here) proof of concept for the most used IframeBuster file: - eyeblaster/addineyeV2.html - doubleclick/DARTIframe.html (the one use by Google) *Eyeblaster* eyeblaster is now handled by a group name sizmek.com I already reported the issue present on the GitHub repository, and they have badly patch it. I also have reported the new XSS a month ago, without any feedback (and I didn't get any feedback for the first fix, not even a thank you.) In order to achieve the XSS, you simply need to create an Iframe to the Iframe Buster File (like what a regular ads will do) Then you post a message to this windows of the type "ebVerifyInnerIframe'. postMessage('{"type":"ebVerifyInnerIframe", "data":{"ebProtocol":"data:","ebBs":"text/javascript,alert();var x=/ bs.serving-sys.com/.source;//#https://"}}','*'); More details in https://github.com/tr4l/iframeBusterXSS/blob/master/docs/examples/eyeblaster/poc.txt Website have removed those file thanks to the tools - www.forbes.com - lemonde.fr - tf1.fr - gizmodo.com *Doubleclick* Now, we talk about the most iframe buster kit. First, the loader use a very limited range of possible script to be injected: //s0.2mdn.net/879366/DARTIFrame_' + gtVersion + '.js However, we can found that the number of scripts that exists are long enough to be investigated: - DARTIFrame_200_xxx.js with xxx any value between 10 and at least 246. - DARTIFrame_lidar.js - DARTIFrame_relay_200_XXX.js (same rules) The doubleClick Iframe allow the use of several "protocol" for the transport of "command". - postMessage - RelayIframe - etc ... The protocol can be change when you call the iframe with the xpc param: dart-iframe.html?gtVersion=200_246&mediaserver=https%3A%2F%2Fs0.2mdn.net %2F879366&xpc={THE_XPC_IN_JSON} A typical IFrame tree look like: yourwebsite -> IFrame with the ads (not on local website) -> Iframe with the buster file. After exchanging some message to setup the transport channel, the main website will send message with .JS to be loaded to the iframe buster file. Once the message is read and executed, the iframe will stop listening. I haven't found a way to call the buster frame directly (like the eyeblaster one), as the Google Iframe try to get access to the window of parent.parent which is not possible if we are on different domain. However, this seems to be theoratically possible to do a race with the legit postMessage before the iframe stop to listen. Other protocol than postmessage may also have some other flow. *Contribute* I would be really happy if some of you can contribute, in different aspect of the tools: - informe me if you know any buster file that are not yet listed here. I had to gather several sources to try to get the most exhaustive list - you can try yourself to provide PoC for the one I have done yet - copy the work on other tools that already gather this kind of data (Burp/Zap/grenbone, etc ...) - get a look at the Google one I will be in the amazing hack conference https://lehack.org next week in Paris. Probably with a nice hoodie with "Zmx" on it provide by https://twitter.com/hacklabesgi so feel free to came and talk if you want to have more details. Thanks to Randy Westergren for the nice article on the subject. Tr4l/Zmx - https://twitter.com/Tr4LSecurity _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
