funsec mailing list archives

Cross-Site Scripting Worm Hits MySpace?


From: "Fergie (Paul Ferguson)" <fergdawg () netzero com>
Date: Thu, 13 Oct 2005 23:15:29 GMT

Hmmm. How do you like that? :-)

Via BetaNews.

[snip]

With the advent of social networking sites, becoming more popular is as easy as crafting a few lines of JavaScript code, it seems.

One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.

How did Samy transcend his humble beginnings of only 73 friends to become a veritable global celebrity? The answer is a combination of XSS tricks and lax security in certain Web browsers.

First, by examining the restrictions put into place by MySpace, Samy discovered how to insert raw HTML into his user profile page. But MySpace stripped out the word "javascript" from any text, which would be needed to execute code.

With the help of Internet Explorer, Samy was able to break the word JavaScript into two lines and place script code within a Cascading Style Sheet tag.

[snip]

http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
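
The filter failure described in the quoted article, as an added example that is not part of the original post, the BetaNews article or MySpace's code: a word-stripping blocklist compared with an allowlist for style values. The function names, the allowlist entries, the sample string and the simplified "lenient parser" model are assumptions made for illustration.

```javascript
// Added example. Names, allowlist and sample input are constructed for illustration.

// Blocklist filter of the kind the article describes: delete the literal word.
function stripWord(input) {
  return input.replace(/javascript/gi, "");
}

// Simplified model (assumption) of a lenient parser that ignores whitespace
// and control characters inside a token, as the article says IE allowed.
function lenientView(input) {
  return input.replace(/[\u0000-\u0020]/g, "");
}

// True when the filtered text still yields a script URL for a lenient parser.
function survivesBlocklist(input) {
  return lenientView(stripWord(input)).toLowerCase().includes("javascript:");
}

// Allowlist alternative: keep only known properties with strictly matched values.
const ALLOWED = new Map([
  ["color", /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]+)$/i],
  ["font-weight", /^(normal|bold|[1-9]00)$/],
  ["text-align", /^(left|right|center|justify)$/],
]);

function sanitizeStyle(style) {
  const kept = [];
  for (const decl of style.split(";")) {
    const idx = decl.indexOf(":");
    if (idx < 0) continue; // not a property: value pair
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    const rule = ALLOWED.get(prop);
    if (rule && rule.test(value)) kept.push(`${prop}: ${value}`);
  }
  return kept.join("; ");
}

// Constructed sample: the word is split across two lines inside a CSS value.
const SAMPLE = "color: red; background: url('java\nscript:noop()')";

console.log(survivesBlocklist(SAMPLE)); // blocklist result for the split word
console.log(sanitizeStyle(SAMPLE));     // what the allowlist keeps
```

The blocklist has to guess every spelling a browser will accept, while the allowlist only has to describe the few values the site intends to permit.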

