WebApp Sec mailing list archives
Re: myspace hack (History of XSS)
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Fri, 14 Oct 2005 09:39:26 -0700
On Oct 14, 2005, at 9:29 AM, Jeff Robertson wrote:
> Yeah. I remember reading about the same-origin issues. They were fixed very early, I thought.
The browser makers tried, but there has been a consistent supply of vulnerabilities to circumvent the protection.
> The first time I remember seeing what we *NOW* call XSS was in forums and guestbooks and such. The irresistible temptation for anyone who knew javascript was to go to these sites and post a message consisting of: <script>alert("I rock!");</script> Of course more mean-spirited folks might try something like: <script>window.close();</script>
Yes indeed. Many call this HTML Injection (variant of XSS), which I guess would characterize the MySpace incident.
> This was before the browser would prompt the user about allowing the close() method to execute. That post would immediately close the browsers of everyone who tried to access the page, effectively causing denial of service.
> Very soon afterwards, the developers of these web applications started trying all kinds of tricks to allow "safe" HTML (like <b> and <i>) to be used while banning the evil <script>.
Yep, including the webmail providers.
> As the myspace business shows, this war is still being escalated like some kind of Itchy and Scratchy cartoon.
Regards, Jeremiah-
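The thread above describes the shift from posting raw <script> tags to application-side filtering that tries to keep "safe" HTML such as <b> and <i> while banning <script>. The following is an added illustration (not code from this thread or from any project discussed in it) of why a ban-list filter is fragile and what an allow-list filter looks like instead. It uses only Python's standard library; the tag allow-list, the constructed sample inputs and the function names are this example's own assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Tags the application chooses to keep (assumed allow-list for this example).
ALLOWED_TAGS = {"b", "i"}
# Elements whose whole content is dropped, not just the tag.
DROPPED_CONTENT = {"script", "style"}


def naive_blacklist(markup: str) -> str:
    """A ban-list filter of the kind the thread alludes to: remove the literal
    lowercase <script> tags and pass everything else through unchanged."""
    return markup.replace("<script>", "").replace("</script>", "")


class AllowlistSanitizer(HTMLParser):
    """Rebuild the markup from a parse, keeping only allowed tags, dropping
    every attribute (so no on* event handlers survive) and escaping text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <SCRIPT> and <script> match alike.
        if tag in DROPPED_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes intentionally discarded
            self.open_tags.append(tag)
        # Unknown tags are dropped; their text content is still kept.

    def handle_endtag(self, tag):
        if tag in DROPPED_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened since the matching tag to keep output well-formed.
        while self.open_tags:
            closing = self.open_tags.pop()
            self.out.append(f"</{closing}>")
            if closing == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped, so '<' typed by a user can never become a tag.
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close any tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample posts, including the two from the thread.
    posts = [
        '<b>hello</b> and <i>there</i>',
        '<script>alert("I rock!");</script>',
        '<SCRIPT>window.close();</SCRIPT>',  # case variant defeats the ban-list
        '<b onclick="x()">bold</b>',
    ]
    for post in posts:
        print(f"{post!r}\n  ban-list  -> {naive_blacklist(post)!r}"
              f"\n  allow-list-> {sanitize(post)!r}")
```

The ban-list version removes the exact string from the thread but leaves the upper-case variant intact; the allow-list version keeps <b> and <i>, strips their attributes, drops unknown tags while preserving their text, and removes script content entirely.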
Current thread:
- RE: myspace hack (History of XSS) Jeff Robertson (Oct 14)
- Re: myspace hack (History of XSS) Jeremiah Grossman (Oct 14)