Jump to content


Curling Into Xbox.com

  • Please log in to reply
No replies to this topic

#1 Tatsh


    X-S Member

  • Members
  • Pip
  • 73 posts
  • Xbox Version:none
  • 360 version:v3.0 (falcon)

Posted 10 November 2010 - 10:33 AM



<html dir="ltr">
  Example POST:
  POST /ppsecure/post.srf?
  wreply=urlencoded_place_to_land_at, could be mail, xbox, etc
  bk=1289376862 login=urlencoded_email
  PPFT=server-generated key you must get from the page, most important part

    <form name="f1" method="POST" action="https://login.live.com/ppsecure/post.srf">
      <input name="login" type="text" id="i0116" maxlength="113" class="cssTextInput" />
      <input name="passwd" type="password" id="i0118" class="cssTextInput" />
      <input name="SI" type="submit" value="Sign in" />
      <input type="hidden" name="wa" value="wsignin1.0" />
      <input type="hidden" name="rpsnv" value="11" />
      <input type="hidden" name="ct" value="" />
      <input type="hidden" name="rver" value="6.1.6206.0" />
      <input type="hidden" name="wp" value="MBI" />
      <input type="hidden" name="type" value="11" />
      <input type="hidden" name="LoginOptions" value="2" />
      <input type="hidden" name="NewUser" value="1" />
      <input type="hidden" name="MEST" value="" />
      <input type="hidden" name="PPSX" value="Passp" />
      <!-- PPFT must be different each time, take it from https://login.live.com/ppsecure/post.srf, find it in the source -->
      <input type="hidden" name="PPFT" value="" />
      <input type="hidden" name="idsbho" value="1" />
      <input type="hidden" name="PwdPad" value="" />
      <input type="hidden" name="sso" value="" />
      <input type="hidden" name="i1" value="" />
      <input type="hidden" name="i2" value="1" />
      <input type="hidden" name="i3" value="" />
      <input type="hidden" name="i4" value="" />
      <input type="hidden" name="i12" value="1" />

My goal was to get in to Live in general but mainly so I can access Bing webmaster tools on Linux which require Silverlight and Moonlight does not work at all. With Linux all you get is links to CSV files, and you have to be logged in to get them. This script of mine is getting there and now I suppose I'll have my own front-end to Bing Webmaster Tools, instead of needing Silverlight.

Yes, the password is transferred via plaintext. Safe? I'm not sure there's really an alternative. SSL seems to make this okay.

Really the only unique value to everything is the flow tracking key, which is server-generated each time the page loads. Your script would have to regex that out of the HTML (cURL could grab this too). For cURL you need to make your client seem like a sane one, and say that your client accepts JavaScript, otherwise you will be redirected to that warning page each time.

Microsoft's obfuscation/security by obscurity:
  • The page REQUIRES JavaScript AND cookies. Turn them off and you'll be redirected to those warning pages via META refresh.
  • The page is 1 line, with only some Javascript strings, including the key.
  • All content on the page (except for some of the JavaScript) is generated dynamically via JavaScript.
  • The JavaScript within the page is all 1 line.
  • The JavaScript included via <script> is all one-line, obfuscated. CE() being a function to be a shortcut to document.createElement() and _s7() being the function that via Regex grabs the server-generated tracking 'flow key' from the main page.
  • The form action is NEVER exposed even once the HTML is generated by the JS, and you are never brought to that page unless you make an error (such as invalid email address).

You can also see the POST data passing by installing the Live HTTP Headers add-on in Firefox and logging in. You will see your password in plain text in that POST data. But you are also very likely to see your password in plain text on plenty of other sites (regardless of authentication method, your plaintext password is necessary to start that authentication method). A client side hash would just create a new password for MITM attack. There are techniques in MS's JS (uses Crypto.SHA1()) to do that but it seems right now they are not being used.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users