From the same guy who brought the AutoStumbler I bring you the AutoDigger!
I reported the issue, and it has been corrected, meaning I get to publish!
The exploit works on the same principle as before: a common XSS keyhole located in the search engine allows for automatic submission of the "Digg It" action.
Granted, the code I made for this exploit was much nicer than before: based on AJAX as opposed to iframes, and it used referrer spoofing in the AJAX headers.
The exploit works like this:
In the search engine on digg.com, a developer forgot to escape the query inside of a script block, so an injection of
can get easy remote JavaScript inclusion.
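As an added example (not code from the original post or from digg.com), here is the unescaped-query pattern the post describes beside a hardened version; the page template, the variable q and the function names are constructed for this illustration.

```javascript
// Vulnerable pattern: the search query is concatenated straight into a script
// block. A value containing a closing quote or "</script>" terminates the string
// literal or the script element, and the rest of the input is parsed as code/markup.
function renderVulnerable(query) {
  return '<script>var q = "' + query + '";</script>';
}

// Hardened pattern: JSON-encode the value (handles quotes, backslashes and control
// characters), then hex-escape the characters the HTML parser cares about so the
// literal can never end the <script> element. The JS engine decodes \u003c back to
// "<" when it evaluates the string, so the value reaches the script unchanged.
function escapeForScriptBlock(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028') // line terminators JSON allows but older JS did not
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(query) {
  return '<script>var q = ' + escapeForScriptBlock(query) + ';</script>';
}

// Check: the rendered page must contain exactly one script element boundary.
// A second "</script" (any case) means the embedded value broke out of the block.
function scriptBlockIntact(html) {
  return (html.match(/<\/script/gi) || []).length === 1;
}

// Recover the value a browser would see, to show the hardened form is lossless.
function embeddedValue(html) {
  const m = html.match(/var q = (.*);<\/script>$/);
  return JSON.parse(m[1]);
}

// Constructed sample input containing the characters that matter.
const sample = 'digg "search" </script> & more';
console.log(renderVulnerable(sample)); // two </script> boundaries: broken out
console.log(renderSafe(sample));       // one boundary, value intact
```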
WooHoo, now for the fun part: the JavaScript.
First, I need to get the token; luckily, it's on the home page when a user is logged in. I just have to extract it: make an AJAX request to the home page using their own API, and run something like this:
var token = ajax.match(/[a-f0-9]{32}/)[0];
There! We have our security token!
Now, we just need two pieces of information: the itemID and the location. This is easy enough to get: use FireBug to watch a Digg request, and copy the itemID and the location.
Now, all we have to do is craft the request and send it.
We can use digg.com's built-in digg() function. It is used pretty much like this:
digg(itemID, location);
Done.
Now, you might ask, "Why did you get the token if it was not needed for AutoDigging?"
Good question, but I have my sights on something more valuable than getting something on the home page.
I want CSRF or an AJAX worm. The token is the key to that. With AJAX and the token, you can do almost any user action with a little know-how. Edit the profile, set favorites, anything. Quite beautiful, I think.