Re: myspace hack

[bugtraq () cgisecurity net]

You probably want to check out these links as well.

The Cross Site Scripting FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml

The Web Application Security Consortium's  (WASC) Threat Classification
http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml

- admin () cgisecurity com
http://www.cgisecurity.com


> It was called XSS before 2002. The wikipedia article that someone already
> mentioned links to:
>
>       http://www.cert.org/advisories/CA-2000-02.html
>       http://webmonkey.wired.com/webmonkey/00/18/index3a.html
>       http://httpd.apache.org/info/css-security/
>
> All of which are from 2000.
>
> I remember the vulnerability now known as "stored xss" being an issue as far
> back as 1996-ish on web based forums, but I don't think it had any name at
> that time. 
>
>
> Jeff Robertson
> Manager of Web Application Security
> Digital Insight
>
>
> > -----Original Message-----
> > From: Richard M. Smith [mailto:rms () computerbytesman com]
> > Sent: Friday, October 14, 2005 11:14
> > To: webappsec () securityfocus com
> > Subject: RE: myspace hack
> >
> >
> > I believe that Microsoft first came up with the cross-site 
> > scripting name.
> > They wrote a paper on the subject around 2002.
> >
> > "Script injection" does sound like a more descriptive and 
> > accurate name. 
> >
> > Richard 
> >
> > -----Original Message-----
> > From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com] 
> > Sent: Friday, October 14, 2005 10:55 AM
> > To: 'Reynolds, Jake'; Chris Varenhorst; Akash
> > Cc: webappsec () securityfocus com
> > Subject: RE: myspace hack
> >
> > The name "XSS" does not make sense in a lot of its applications. 
> >
> > What "Stored XSS" and "Reflected XSS" have in common is the 
> > injection of
> > script into places where script wasn't supposed to be. Having 
> > more than one
> > site be involved is not the factor. What has been discussed 
> > in this thread
> > seems to me like it falls under "Stored XSS".
> >
> > It would make more sense if this was called "script 
> > injection", but for some
> > reason the whole family was named XSS.
> >
> > Who the heck names these things, anyway? 
> >
> >
> > Jeff Robertson
> > Manager of Web Application Security
> > Digital Insight
> >
> >
> > > -----Original Message-----
> > > From: Reynolds, Jake [mailto:Jake.Reynolds () fishnetsecurity com]
> > > Sent: Friday, October 14, 2005 10:30
> > > To: Chris Varenhorst; Akash
> > > Cc: webappsec () securityfocus com
> > > Subject: RE: myspace hack
> > >
> > >
> > > I wouldn't consider this an XSS attack. Where in the attack did 
> > > information cross sites? This seems like it is an embedded 
> > XSS attack 
> > > in that a malicious script was entered into a profile in hopes that 
> > > victims would view and execute it. However, nothing was sent across 
> > > sites via the script. The vulnerability was a lack of output 
> > > validation in my opinion, which is the same vulnerability 
> > that an XSS 
> > > attack would exploit. I don't know how you would classify the 
> > > attack... Probably "self-replicating session riding". Yeah 
> > that has a 
> > > nice FUD-factor to it.
> > >
> > >
> > > Jake Reynolds, CCIE, CCSP, MCSE, CCSA, JNCIA-FWV, CWNA 
> > Senior Security 
> > > Engineer -- Consulting Services FishNet Security
> > >
> > > Phone: 816.421.6611
> > > Toll Free: 888.732.9406
> > > Fax: 816.421.6677
> > >
> > > http://www.fishnetsecurity.com
> > >
> > > -----Original Message-----
> > > From: Chris Varenhorst [mailto:varenc () MIT EDU]
> > > Sent: Thursday, October 13, 2005 8:39 AM
> > > To: Akash
> > > Cc: webappsec () securityfocus com
> > > Subject: Re: myspace hack
> > >
> > > Oh wow I'm wrong, I'm apparently thinking of current myspace bots 
> > > which do as I described.  It looks this was in fact made 
> > possible by 
> > > an XSS vulnerability.
> > > Sorry
> > >
> > > On Thu, 13 Oct 2005, Chris Varenhorst wrote:
> > >
> > > > This isn't hacking at all. (at least not what I'd call 
> > it) This is 
> > > > writing a script to go through myspace IDs (which
> > > happen to be
> > > > squential) issuing friend requests to every one of them.  
> > To prevent 
> > > > this, now myspace limits friend requests to a certain
> > > number per day.
> > > > Hope that covers it!
> > > >
> > > > -Chris
> > > >
> > > > On Thu, 13 Oct 2005, Akash wrote:
> > > >
> > > > > Does anyone has more technical details about how 1
> > > million accounts
> > > > got hacked in about 24 hours.
> > > >
> > > > This is the supposed confession of the hacker 
> > > > http://fast.info/myspace/
> > > >
> > > > I currently studying for CEH and just finished reading 
> > about XSS. So 
> > > > this is of special interest.
> > > >
> > > > regards
> > > >
> > > > akash