MySpace XSS Istanbul now Cross-Stantinople

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

MySpace: Is it XSS variant: x, or CSRF, or SR, or...

There's no cross-site in this 'XSS'. I like terms that
fit definitions. Why are we lumping a malicious embedded
self-replicating javascript in the XSS bit-bucket?

The best term is probably Sverre's "Web Trojan". I don't
care about anyone's XSS definitions. It's already too
confusing for people not on these lists, and non-descriptive
terminology doesn't benefit anyone.

Maybe we should make this easy and call it: "embedded script injection".

The MySpace amusement is also a nice example of "Session
Riding" or CSRF without the cross-site. It could make a nice
new bullet point for WAF marketing. Something like:

"New and Improved: Stops Javascript AutoHero Trojans"

or perhaps for Oracle's CSO Mary:

"Stop hackers from becoming friends with you!"

But best of all it's a great example of how poorly-applied
one-time tokens (without enforcing entry and exit points,
and workflow) can be bypassed with a simple pre-GET request.

Notice how Sammy grabs the page hash before he submits
the request that requires that "authorization token".

If any of you remember, I used my AMAZING powers of prediction
coupled with analytical brilliance and natural hard-wired need
to both help and please others, to warn the world with an advisory
on this sort of thing:

http://www.anachronic.com/modules.php?op=modload&name=News&file=article&sid=9&mode=thread&order=0&thol
d=0

I am sorry that the world press failed to notice in time.
Now, for days to come, hundreds of thousands of victims
may be forced to respect Sammy as their hero.

Evolving in Kansas,

Arian