This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.

Tuesday, October 18, 2005

MySpace Cross-Site Scripting Attack Probably Affects Others

Wow, this JavaScript cross-site scripting attack that hit MySpace includes some techniques that will probably break most defenses against XSS attacks. People should study what this guy did and update their regular expressions, or whatever they use to filter incoming submissions from the outside world, to be more sophisticated:

"Sweet! Now we can do javascript with single quotes. However, myspace strips out the word "javascript" from ANYWHERE. To get around this, some browsers will actually interpret "java\nscript" as "javascript" (that's java<newline>script).
Example: <div id="mycode" expr="alert('hah!')" style="background:url('java
script:eval(document.all.mycode.expr)')">"
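To see why stripping the word fails on the quoted payload and what a sturdier check looks like, here is an added example (not from the original post or from MySpace's code). It assumes a filter that normalizes each `url()` value and allowlists its scheme; the function names and the regex-based attribute extraction are simplifications made for this demo.

```python
import re

# Constructed sample: the payload quoted above, newline inside "javascript" included.
SAMPLE = ('<div id="mycode" expr="alert(\'hah!\')" '
          'style="background:url(\'java\nscript:eval(document.all.mycode.expr)\')">')

def naive_strip(html):
    """Blacklist filter of the kind the quote describes: delete the word everywhere."""
    return re.sub(r"javascript", "", html, flags=re.IGNORECASE)

# Assumption of this example: drop all ASCII whitespace/control characters before
# reading the scheme, which covers the newline case and its tab/CR variants.
_IGNORED = re.compile(r"[\x00-\x20\x7f]+")
_URL_FN = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
_STYLE_ATTR = re.compile(r'style\s*=\s*"([^"]*)"', re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https"}

def url_is_allowed(raw):
    """Normalize first, then allowlist the scheme instead of blacklisting a word."""
    collapsed = _IGNORED.sub("", raw)
    match = _SCHEME.match(collapsed)
    if match is None:
        # No clean scheme: accept plain relative paths, reject anything with a colon.
        return ":" not in collapsed
    return match.group(1).lower() in ALLOWED_SCHEMES

def unsafe_styles(html):
    """Return every style attribute value containing a url() that fails the allowlist."""
    bad = []
    for style in _STYLE_ATTR.findall(html):
        urls = [m.group(2) for m in _URL_FN.finditer(style)]
        if not all(url_is_allowed(u) for u in urls):
            bad.append(style)
    return bad

if __name__ == "__main__":
    print("naive filter changed input:", naive_strip(SAMPLE) != SAMPLE)
    print("rejected styles:", unsafe_styles(SAMPLE))
```

The word filter leaves the sample untouched because the newline splits the string it searches for, while the allowlist rejects it after normalization.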
