
Myspace thread

  #11  
Old 11-09-2005, 04:36 PM
pturbo's Avatar
4th Gear
Join Date: Sep 2005
Location:
Posts: 4,388
Default RE: Myspace thread


ORIGINAL: CrazyBignate
Myspace is a bees nest for teens wanting to express their ideal emotional and sexual experiences through the wonderful invention of bulletin posting
Sounds like a place where I could get arrested for just reading.


...So where do I sign up?
 
  #12  
Old 11-09-2005, 06:21 PM
18T's Avatar
18T
4th Gear
Join Date: Oct 2004
Location: Chicago Burbs /// KOTH 06'
Posts: 5,441
Default RE: Myspace thread

myspace lets me be in touch with friends far away that I don't see anymore. It's good for that reason
 
  #13  
Old 11-09-2005, 06:31 PM
Heinzanova's Avatar
1st Gear
Join Date: Aug 2005
Location: In The Kitchen
Posts: 437
Default RE: Myspace thread

MySpace is just like this message board

With pruning of friends who overuse bulletin to post stupid surveys and Where were you 6 years agos... and ****, just cut them loose and delete them.

After cutting through all the bullshit of emo **** who like to turn up contrast on their webcams, and wear square glasses to try to draw some attention ***** appeal, you can still use it.

Key is keep it plain and simple.

I remember a year or so ago, my friends and I wrote some java code tricks to get past the safety in it.

We are the reason you guys can't use <script or php or most keywords anymore

And you're welcome, we also were the reason the samyworm got out because of stupid myspace, that is right all you ******* dumb asses who are emo ***** that click on anything because it is poetry that helps you express your oppressed struggling artist inside, you're a ******* moron

None of this works on my space anymore, thus why I am letting you guys see it...
Now, let's talk more about the problems encountered, workarounds, and how it worked in general.

1) Myspace blocks a lot of tags. In fact, they only seem to allow <a>, <img>s, and <div>s...maybe a few others (<embed>'s, I think). They wouldn't allow <script>s, <body>s, onClicks, onAnythings, href's with javascript, etc...However, some browsers (IE, some versions of Safari, others) allow javascript within CSS tags. We needed javascript to get any of this to even work.
Example: <div style="background:url('javascript:alert(1)')">

2) We couldn't use quotes within the div because we had already used up single quotes and double quotes already. This made coding JS very difficult. In order to get around it, we used an expression to store the JS and then executed it by name.
Example: <div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document.all.mycode.expr)')">

3) Sweet! Now we can do javascript with single quotes. However, myspace strips out the word "javascript" from ANYWHERE. To get around this, some browsers will actually interpret "java\nscript" as "javascript" (that's java<NEWLINE>script).
Example: <div id="mycode" expr="alert('hah!')" style="background:url('java
script:eval(document.all.mycode.expr)')">

4) Okay, while we do have single quotes working, we sometimes NEED double quotes. We'll just escape quotes, e.g., "foo\"bar". Myspace got me...they STRIP OUT all escaped quotes, whether single or double. However, we can just convert decimal to ASCII in javascript to actually produce the quotes.
Example: <div id="mycode" expr="alert('double quote: ' + String.fromCharCode(34))" style="background:url('java
script:eval(document.all.mycode.expr)')">

5) In order to post the code to the user's profile who is viewing it, we need to actually get the source of the page. Ah, we can use document.body.innerHTML in order to get the page source which includes, in only one spot, the ID of the user viewing the page. Myspace gets me again and strips out the word "innerHTML" anywhere. To avoid this, we use an eval() to evaluate two strings and put them together to form "innerHTML".
Example: alert(eval('document.body.inne' + 'rHTML'));

6) Time to actually access other pages. We would use iframes, but usually (even when hidden), iframes aren't as useful and are more obvious to the user that "something else" is going on. So, we use XML-HTTP in order for the actual client to make HTTP GETs and POSTs to pages. However, myspace strips out the word "onreadystatechange" which is necessary for XML-HTTP requests. Again, we can use an eval to evade this. Another plus to XML-HTTP is that the necessary cookies required to perform actions on myspace are passed along without any hassle.
Example: eval('xmlhttp.onread' + 'ystatechange = callback');

7) Time to perform a GET on the user's profile so that we can get their current list of heroes. We don't want to remove any heroes, we just want to append myself to their pre-existing list of heroes. If we GET their profile, we can grab their heroes and store it for later. With all the above figured out, this is simple with an XML-HTTP request except that we have to get the friend ID of the actual user viewing a profile. Like we said above, we can do this by grabbing the source of the page we're on. However, now we need to perform a search in the page for a specific word to find it. So we perform this search, however if we do this, we may end up finding our actual code since it contains the same exact word we're looking for...because saying "if this page contains 'foo', do this", that will always return true because it can always find foo within the actual code that does the searching. Another eval() with a combination of strings avoids this problem.
Example: var index = html.indexOf('frien' + 'dID');

8) At this point, we have the list of heroes. First, let's add me as a friend by performing an XML-HTTP POST on the addFriends page. Oh no, this doesn't work! Why not? We're on profile.myspace.com, however the POSTing needs to be done on www.myspace.com. No big deal, however XML-HTTP won't allow GETs/POSTs to sites with a different domain name. To get around this, let's actually go to the same URL but on www.myspace.com. You can still view profiles from www.myspace.com, so reloading the page on the domain we want to be on allows us to do the POST.
Example: if (location.hostname == 'profile.myspace.com') document.location = 'http://www.myspace.com' + location.pathname + location.search;

9) Finally we can do a POST! However, when we send the post it never actually adds a friend. Why not? Myspace generates a random hash on a pre-POST page (for example, the "Are you sure you want to add this user as a friend" page). If this hash is not passed along with the POST, the POST is not successful. To get around this, we mimic a browser and send a GET to the page right before adding the user, parse the source for the hash, then perform the POST while passing the hash.

10) Once the POST is complete, we also want to add a hero and the actual code. The code will end up going into the same place where the hero goes so we'll only need one POST for this. However, we need to pre-GET a page in order to get a new hash. But first we have to actually reproduce the code that we want to POST. The easiest way to do this is to actually grab the source of the profile we're on, parse out the code, and then POST. This works except now all sorts of things are garbled! Ah, we need to URL-encode/escape the actual code in order to POST it properly. Weird, still doesn't work. Apparently javascript's URL-encoding and escape() function doesn't escape everything necessary so we'll need to manually do some replacing here in order to get the necessary data escaped. We add a little "but most of all, samy is my hero." to the mix, append all the code right after, and voila. We have self-reproducing code, a worm if you will.

11) Other limits, such as a maximum length, imposed other problems and required tight code, no spaces, obfuscated names, reusable functions, etc.

There were a few other complications and things to get around. This was not by any means a straightforward process, and none of this was meant to cause any damage or **** anyone off. This was in the interest of..interest. It was interesting and fun!
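
Steps 1 to 6 in the post above all get past a filter that deletes blocked words. The following is an added example, not code from the post or from MySpace, that compares an assumed keyword-stripping filter with a tag and attribute allowlist on sample markup built from the post's own examples. The function names, the allowlist contents and the restriction to quoted attributes are assumptions made for the example.

```javascript
// Added example. Sample markup is constructed from the examples quoted in the post.
const SAMPLES = {
  plain: `<div style="background:url('javascript:alert(1)')">x</div>`,
  newline: `<div id="mycode" expr="alert('hah!')" style="background:url('java\nscript:eval(document.all.mycode.expr)')">x</div>`,
  benign: `<div id="bio"><a href="http://example.com/">my page</a></div>`,
};

// Assumed model of the filter the post describes: delete blocked words wherever they appear.
function stripKeywords(html) {
  return html.replace(/javascript|innerHTML|onreadystatechange/gi, '');
}

// Detection check: a script URL as a lenient parser reads it, ignoring embedded whitespace.
function hasScriptUrl(html) {
  return /j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/i.test(html);
}

// Allowlist: tag -> attributes that may survive. style, expr and on* are never listed.
const ALLOWED = new Map([['a', ['href']], ['img', ['src']], ['div', ['id']]]);
const esc = (s) => s.replace(/[&<>"]/g, (c) => `&#${c.charCodeAt(0)};`);

function keepAttrs(tag, raw) {
  const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let kept = '', m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3];
    if (!ALLOWED.get(tag).includes(name)) continue;
    // id must be a plain token; URL attributes must be absolute http(s).
    const ok = name === 'id' ? /^[\w-]+$/.test(value) : /^https?:\/\/\S*$/i.test(value);
    if (ok) kept += ` ${name}="${esc(value)}"`;
  }
  return kept;
}

function sanitize(html) {
  const tagRe = /<(\/?)([a-z][a-z0-9]*)((?:\s+[a-z-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*\/?>/gi;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += esc(html.slice(last, m.index)); // text between tags is escaped
    last = tagRe.lastIndex;
    const tag = m[2].toLowerCase();
    if (!ALLOWED.has(tag)) continue; // unknown tag is dropped
    out += m[1] ? `</${tag}>` : `<${tag}${keepAttrs(tag, m[3])}>`;
  }
  return out + esc(html.slice(last)); // unparsed markup falls through as escaped text
}
```

The stripped output of the newline sample still contains a script URL, while the allowlist output keeps only the id attribute and leaves the benign sample unchanged.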


 
  #14  
Old 11-09-2005, 08:55 PM
pturbo's Avatar
4th Gear
Join Date: Sep 2005
Location:
Posts: 4,388
Default RE: Myspace thread

So this was you?

http://www.securityfocus.com/brief/18?ref=rss
 
  #15  
Old 11-09-2005, 09:03 PM
Heinzanova's Avatar
1st Gear
Join Date: Aug 2005
Location: In The Kitchen
Posts: 437
Default RE: Myspace thread

nooooooo

we made the code *as shown above*, that made that worm possible.

 
  #16  
Old 11-09-2005, 11:23 PM
pturbo's Avatar
4th Gear
Join Date: Sep 2005
Location:
Posts: 4,388
Default RE: Myspace thread


ORIGINAL: Heinzanova

nooooooo

we made the code *as shown above*, that made that worm possible.

And you are proud of yourself for this?

What's next? Taking out a bunch of people's email? Think how proud ur mom will be then. I'll think you are the coolest.

How about this - Don't be an asshat and make the internet a more difficult place than it already is?
 
  #17  
Old 11-10-2005, 12:25 AM
Heinzanova's Avatar
1st Gear
Join Date: Aug 2005
Location: In The Kitchen
Posts: 437
Default RE: Myspace thread

exploited the code to prove a vulnerability they never fixed it, and that is what happened.

and I wouldn't know how my mother would feel, she died 25 years ago, and I can't remember her personality so I don't know how she would feel.

But thank you, I feel so cool now.
 
  #18  
Old 11-10-2005, 12:37 AM
pturbo's Avatar
4th Gear
Join Date: Sep 2005
Location:
Posts: 4,388
Default RE: Myspace thread


ORIGINAL: Heinzanova

exploited the code to prove a vulnerability they never fixed it, and that is what happened.
It's a dirty job, but somebody has got to do it. Right?

and I wouldn't know how my mother would feel, she died 25 years ago, and I can't remember her personality so I don't know how she would feel.
Sorry to hear that. It was a figure of speech.

But thank you, I feel so cool now.
As I indicated previously, I don't think that you should feel cool. If I come on here and brag about how I was a huge pain in the *** to tens of thousands of people around the country, then you can call me an asshat too.
 
  #19  
Old 11-10-2005, 01:04 AM
apg96's Avatar
Senior Member
Join Date: Nov 2004
Location: So California, US
Posts: 5,689
Default RE: Myspace thread

I hate myspace too but I have one. I didn't use it for like 6 months but I'm back on it talking to ppl that go to the schools I'm looking at.
www.myspace.com/apg96
 
  #20  
Old 11-10-2005, 04:38 AM
Heinzanova's Avatar
1st Gear
Join Date: Aug 2005
Location: In The Kitchen
Posts: 437
Default RE: Myspace thread

I didn't make any problems for someone

Just because a company makes a gun, they are not at fault if someone uses it to kill someone.


I posted up something to stimulate the mind, and I get flamed.

I stand behind my thread, of a few weeks ago, that everyone except about six of you are ******* idiots.
 

