Re: myspace hack

[Tom Gallagher <tom () SecurityBugHunter com>]

I talk with people about this issue often.  I've heard people call it 
many names
- one is Same Site Scripting.  When this name is used, there is often a
misunderstanding by people unfamiliar with the name.  The problem stems from
people having different ideas of what a site is.  Some people think of a web
site a fully qualified domain name and all directories in it.  However, other
people treat different URLs under the same domain as different sites.  For
example: www.example.com/user1 and www.example.com/user2 are different sites.

I personally like to use Same Domain Scripting.  The reason is when we look at
browser/web client bugs, we often talk about cross domain access.  This issue
doesn't allow for cross domain access, but instead access within the same
domain through script.  These attacks often don't require XMLHttp.

Just a thought...
Tom


Quoting Tim Brown <tmb () 65535 com>:

> On Friday 14 Oct 2005 15:29, Reynolds, Jake wrote:
> > I wouldn't consider this an XSS attack. Where in the attack did information
> > cross sites? This seems like it is an embedded XSS attack in that a
> > malicious script was entered into a profile in hopes that victims would
> > view and execute it. However, nothing was sent across sites via the script.
> > The vulnerability was a lack of output validation in my opinion, which is
> > the same vulnerability that an XSS attack would exploit. I don't know how
> > you would classify the attack... Probably "self-replicating session
> > riding". Yeah that has a nice FUD-factor to it.
>
> I coined the term Same Site Scripting to describe the act of abusing
> XMLHttpRequest whilst playing around with this attack vector for a paper I'm
> writing.  Anyone have a better suggestion?
>
> Cheers,
> Tim
> --
> Tim Brown
> <mailto:tmb () 65535 com>