Re: myspace hack (History of XSS)

[Jeremiah Grossman <jeremiah () whitehatsec com>]

On Oct 14, 2005, at 9:29 AM, Jeff Robertson wrote:

> Yeah. I remember reading about the same-origin issues. They were  
> fixed very
> early, I thought.

The browser makers tried, but there have been consistent supply of  
vulnerabilities to circumvent the protection.


> The first time I remember seeing what we *NOW* call XSS, was in  
> forums and
> guestbooks and such. The irrestible tempation for anyone who knew  
> javascript
> was to go to these sites and post a message consisting of:
>
>   <script>alert("I rock!");</script>
>
> Of course more mean-spirited folks might try something like:
>
>   <script>window.close();</script>


Yes indeed. Many call this HTML Injection (variant of XSS), which I  
guess would characterize the MySpace incident.


> This was before the browser would prompt the user about allowing  
> close()
> method to execute. That post would immediately close the browsers of
> everyone who tried to access the page, effectively causing denial of
> service.

> Very soon afterwards, the developers of these web applications  
> starting
> trying all kinds of tricks to allow "safe" HTML (like <b> and <i>)  
> to be
> used while banning the evil <script>.

Yep, including the webmail providers.

> As the myspace business shows, this war is still being escalated  
> like some
> kind of Itchy and Scratchy cartoon.


Regards,

Jeremiah-