Hacking Hotmail through XSS
Microsoft's code is not always secure. This is very clear, once again, with this XSS exploit. It is not the first XSS exploit that has been found; others before it attest to that.
The idea is simple. When you are logged in to Hotmail, a cookie is created which grants you access every time you are in its domain. Since the cookie is not IP-bound (how is this possible? - Microsoft), we are able to fake the cookie: once stolen, it can be used to log in.
Finding an exploitable web page is about 50% pure luck, unless you have a really awful amount of time to spend. There is software written for auto-searching XSS exploits. Don't use it - it's crap; clear thinking is enough.
When searching, keep these points in mind:
2. You can use practically any browser, though I'd recommend Mozilla Firefox. It is stable, secure, and available on almost any OS. Opera or Internet Explorer are fine to use as well, if you like them better. One good benefit of using Opera is that it lets you manage your own cookies.
3. If you want to be stealthy, use TOR or a proxy. You should be aware, though, that DNS leaking is still dangerous.
In my search it took me 4 to 5 hours to find three exploits. I will discuss only one.
The normal URL:
The test URL:
A Ctrl+F in the page source for hya showed the reflected input, unescaped:
<input type="hidden" name="m" value="hya"><ho" />
To pop the cookie up in an alert, it needs to look like this. Fortunately, special characters were not escaped:
<input type="hidden" name="m" value="hya"><script>alert(document.cookie)</script><br class="ho" />
The exploited URL:
This is the edited URL so that it sends the cookie to a web server.
This is the link the victim should click. As soon as he clicks it, his cookie is sent to your server and ends up saved in your logfile. You can display some innocent error or redirect to another page.
Next, get Proxomitron and configure your browser to use it. Fire up Proxomitron, go to headers, and fill in the cookie data from your logfile into a fake cookie header (there is one by default). Make sure you have checked the 'out' box. Go to http://my.msn.com/. The inbox of your victim is all yours. If this does not work immediately, the cookie has not been set yet; just go to http://my.msn.com/ again.
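As an added example (not from the write-up or from Microsoft), this is what the server side was missing: encoding the reflected "m" value for the attribute context, plus an HttpOnly session cookie so a script cannot read it at all. The function names, the reconstructed payload string and the cookie name are assumptions for this illustration.

```javascript
// Added example: the two fixes that would have stopped this attack.
// Function names, the sample payload and the cookie name are constructed.

// Encode the five characters that change meaning inside an HTML
// attribute value. Encoding (not stripping) keeps legitimate input intact.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must come first to avoid double-encoding
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The vulnerable pattern: the query parameter is concatenated straight
// into the markup, which is what the page source above showed.
function renderHiddenInputUnsafe(name, value) {
  return `<input type="hidden" name="${name}" value="${value}">`;
}

// The hardened version: every untrusted value is encoded before output.
function renderHiddenInputSafe(name, value) {
  return `<input type="hidden" name="${escapeHtmlAttr(name)}" ` +
         `value="${escapeHtmlAttr(value)}">`;
}

// Reconstructed from the write-up: the quote and angle bracket close the
// attribute and the tag, then a script element follows.
const PAYLOAD = 'hya"><script>alert(document.cookie)</script><br class="ho';

// Check a reviewer can run over rendered markup: a single hidden input
// should produce exactly one tag opening; more means a break-out.
function breaksOutOfAttribute(markup) {
  return (markup.match(/<[a-z]/gi) || []).length > 1;
}

// Second layer: a session cookie flagged HttpOnly (and Secure) is not
// exposed through document.cookie, so even a successful injection cannot
// ship it to an attacker's log.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly`;
}

console.log(renderHiddenInputUnsafe('m', PAYLOAD)); // three tags: broken out
console.log(renderHiddenInputSafe('m', PAYLOAD));   // one tag: payload inert
console.log(sessionCookieHeader('session', 'constructed-token'));
```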