Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: myspace hack (History of XSS)

from [Jeremiah Grossman] Network Security [Permanent Link]
Subject: Re: myspace hack (History of XSS)
Date: Fri, 14 Oct 2005 09:39:26 -0700 

On Oct 14, 2005, at 9:29 AM, Jeff Robertson wrote:

Yeah. I remember reading about the same-origin issues. They were fixed very
early, I thought.

The browser makers tried, but there have been consistent supply of vulnerabilities to circumvent the protection.


The first time I remember seeing what we *NOW* call XSS, was in forums and
guestbooks and such. The irrestible tempation for anyone who knew javascript
was to go to these sites and post a message consisting of:

  <script>alert("I rock!");</script>

Of course more mean-spirited folks might try something like:

<script>window.close();</script>


Yes indeed. Many call this HTML Injection (variant of XSS), which I guess would characterize the MySpace incident.


This was before the browser would prompt the user about allowing close()
method to execute. That post would immediately close the browsers of
everyone who tried to access the page, effectively causing denial of
service.

Very soon afterwards, the developers of these web applications starting
trying all kinds of tricks to allow "safe" HTML (like <b> and <i>) to be
used while banning the evil <script>. 

Yep, including the webmail providers.

As the myspace business shows, this war is still being escalated like some
kind of Itchy and Scratchy cartoon. 


Regards,

Jeremiah-

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: (clarification) GET and POST Methods Accepted (testing guide version), Evans, Arian
Next by Date:  RE: myspace hack (History of XSS), Jeff Robertson
Previous by Thread:  RE: myspace hack (History of XSS), Jeff Robertson
Next by Thread:  Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=..., Jeremiah Grossman
Indexes:  [Date] [Thread] [Top] [All Lists]