xboxscene.org forums

Author Topic: Curling Into Xbox.com  (Read 86 times)

Tatsh

Curling Into Xbox.com
« on: November 10, 2010, 02:33:00 AM »

http://pastebin.com/U498tcbp

CODE


  test
My goal was to get into Live in general, but mainly so I can access Bing Webmaster Tools on Linux, which requires Silverlight, and Moonlight does not work at all. With Linux all you get is links to CSV files, and you have to be logged in to get them. This script of mine is getting there, and now I suppose I'll have my own front-end to Bing Webmaster Tools instead of needing Silverlight.

Yes, the password is transferred via plaintext. Safe? I'm not sure there's really an alternative. SSL seems to make this okay.

Really the only unique value to everything is the flow tracking key, which is server-generated each time the page loads. Your script would have to regex that out of the HTML (cURL could grab this too). For cURL you need to make your client seem like a sane one, and say that your client accepts JavaScript, otherwise you will be redirected to that warning page each time.

Microsoft's obfuscation/security by obscurity:
  • The page REQUIRES JavaScript AND cookies. Turn them off and you'll be redirected to those warning pages via META refresh.
  • The page is 1 line, with only some JavaScript strings, including the key.
  • All content on the page (except for some of the JavaScript) is generated dynamically via JavaScript.
  • The JavaScript within the page is all 1 line.
  • The JavaScript included via
  • The form action is NEVER exposed even once the HTML is generated by the JS, and you are never brought to that page unless you make an error (such as invalid email address).

You can also see the POST data passing by installing the Live HTTP Headers add-on in Firefox and logging in. You will see your password in plain text in that POST data. But you are also very likely to see your password in plain text on plenty of other sites (regardless of authentication method, your plaintext password is necessary to start that authentication method). A client-side hash would just create a new password for a MITM attack. There are techniques in MS's JS (it uses Crypto.SHA1()) to do that, but it seems right now they are not being used.
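The two technical points in the post, pulled out into an added example that is not the poster's script and has nothing to do with Microsoft's actual pages: (1) extracting a server-generated per-load key from a one-line page whose only real content is a few JavaScript string literals, and (2) why a client-side hash of the password does not help against an eavesdropper (the captured hash simply becomes the credential), whereas binding the hash to a single-use server challenge does. The page markup, the variable name `flowKey`, its value and the passwords are all constructed for the example; the challenge-response server is a toy model, not a description of any real login flow.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample page (not a real Live page): one line, a META refresh for
# no-JS clients, and inline JS whose string literals carry a per-load key.
SAMPLE_PAGE = (
    '<html><head><meta http-equiv="refresh" content="0;url=/nojs"></head>'
    '<body><script>var flowKey="a1b2c3d4e5f6";var ui="login";'
    'document.write(buildForm(flowKey));</script></body></html>'
)

# Hypothetical variable name; a real page would need its own pattern.
FLOW_KEY_RE = re.compile(r'var\s+flowKey\s*=\s*"([^"]+)"')


def extract_flow_key(html):
    """Pull the server-generated key straight out of the inline JS with a regex.

    No DOM is needed because nothing on the page is rendered HTML; the key only
    exists as a string literal that the script later writes into the form.
    """
    m = FLOW_KEY_RE.search(html)
    if not m:
        raise ValueError("flow key not found; page is probably the no-JS/no-cookie warning")
    return m.group(1)


def client_side_hash(password):
    """The naive 'protection': hash the password in the browser before POSTing."""
    return hashlib.sha1(password.encode()).hexdigest()


class StaticHashServer:
    """Server that stores sha1(password) and accepts that exact value on login."""

    def __init__(self, password):
        self.stored = client_side_hash(password)

    def login(self, submitted):
        return hmac.compare_digest(self.stored, submitted)


def eavesdropper_replay(server, captured_post_value):
    """Whatever crossed the wire is exactly what the server wants: the hash IS the password."""
    return server.login(captured_post_value)


class ChallengeServer:
    """Toy server that issues a fresh single-use nonce per page load and expects
    HMAC(sha1(password), nonce). A captured response is useless a second time."""

    def __init__(self, password):
        self.stored = client_side_hash(password)
        self.issued = set()

    def new_challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.issued:
            return False          # unknown or already-consumed challenge
        self.issued.discard(nonce)  # single use
        expected = hmac.new(self.stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def challenge_response(server, password):
    """Client side of the toy scheme: fetch a nonce, answer with HMAC(hash, nonce)."""
    nonce = server.new_challenge()
    resp = hmac.new(client_side_hash(password).encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return nonce, resp


if __name__ == "__main__":
    print("flow key:", extract_flow_key(SAMPLE_PAGE))
    s = StaticHashServer("hunter2")
    wire = client_side_hash("hunter2")
    print("static hash login:", s.login(wire), "replay:", eavesdropper_replay(s, wire))
    c = ChallengeServer("hunter2")
    n, r = challenge_response(c, "hunter2")
    print("challenge login:", c.login(n, r), "replay:", c.login(n, r))
```

Running it shows the replay against the static-hash server succeeding and the replay against the challenge server failing; neither variant hides the credential from the server or from a man-in-the-middle who can also rewrite the page, which is why TLS, not client-side hashing, is what actually protects the POST.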