WebApp Sec mailing list archives
MySpace XSS Istanbul now Cross-Stantinople
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 14 Oct 2005 13:47:52 -0500
MySpace: Is it XSS variant: x, or CSRF, or SR, or... There's no cross-site in this 'XSS'. I like terms that fit definitions. Why are we lumping a malicious embedded self-replicating javascript in the XSS bit-bucket? The best term is probably Sverre's "Web Trojan". I don't care about anyone's XSS definitions. It's already too confusing for people not on these lists, and non-descriptive terminology doesn't benefit anyone. Maybe we should make this easy and call it: "embedded script injection". The MySpace amusement is also a nice example of "Session Riding" or CSRF without the cross-site. It could make a nice new bullet point for WAF marketing. Something like: "New and Improved: Stops Javascript AutoHero Trojans" or perhaps for Oracle's CSO Mary: "Stop hackers from becoming friends with you!" But best of all it's a great example of how poorly-applied one-time tokens (without enforcing entry and exit points, and workflow) can be bypassed with a simple pre-GET request. Notice how Sammy grabs the page hash before he submits the request that requires that "authorization token". If any of you remember, I used my AMAZING powers of prediction coupled with analytical brilliance and natural hard-wired need to both help and please others, to warn the world with an advisory on this sort of thing: http://www.anachronic.com/modules.php?op=modload&name=News&file=article&sid=9&mode=thread&order=0&thol d=0 I am sorry that the world press failed to notice in time. Now, for days to come, hundreds of thousands of victims may be forced to respect Sammy as their hero. Evolving in Kansas, Arian
Current thread:
- MySpace XSS Istanbul now Cross-Stantinople Evans, Arian (Oct 14)