WebApp Sec mailing list archives
Re: myspace hack
From: Tim Brown <tmb () 65535 com>
Date: Fri, 14 Oct 2005 16:04:39 +0100
On Friday 14 Oct 2005 15:29, Reynolds, Jake wrote:
I wouldn't consider this an XSS attack. Where in the attack did information cross sites? This seems like it is an embedded XSS attack in that a malicious script was entered into a profile in hopes that victims would view and execute it. However, nothing was sent across sites via the script. The vulnerability was a lack of output validation in my opinion, which is the same vulnerability that an XSS attack would exploit. I don't know how you would classify the attack... Probably "self-replicating session riding". Yeah that has a nice FUD-factor to it.
I coined the term Same Site Scripting to describe the act of abusing XMLHttpRequest whilst playing around with this attack vector for a paper I'm writing. Anyone have a better suggestion? Cheers, Tim -- Tim Brown <mailto:tmb () 65535 com>
Current thread:
- Re: myspace hack, (continued)
- Re: myspace hack Stephen de Vries (Oct 13)
- Re: myspace hack Chris Varenhorst (Oct 13)
- Re: myspace hack Chris Varenhorst (Oct 13)
- RE: myspace hack Griffiths, Ian (Oct 13)
- Re: myspace hack rSYN (Oct 13)
- RE: myspace hack Reynolds, Jake (Oct 14)
- Re: myspace hack Stephen de Vries (Oct 14)
- RE: myspace hack Radoslav Vasilev (Oct 14)
- RE: myspace hack Andrew Chong (Oct 14)
- Re: myspace hack Stephen de Vries (Oct 14)
- Re: myspace hack Tim Brown (Oct 14)
- Re: myspace hack bugtraq (Oct 14)
- Re: myspace hack Tom Gallagher (Oct 14)
- Re: myspace hack Disco Jonny (Oct 14)
- RE: myspace hack Jeff Robertson (Oct 14)
- RE: myspace hack Richard M. Smith (Oct 14)
- RE: myspace hack Reynolds, Jake (Oct 14)
- RE: myspace hack Jeff Robertson (Oct 14)
- Re: myspace hack bugtraq (Oct 14)
- Re: myspace hack (readable javascript code ) A. Fontes (Oct 14)
- Re: myspace hack (History of XSS) Jeremiah Grossman (Oct 14)