MySpace Cross-Site Scripting Attack Probably Affects Others
Wow, this JavaScript cross-site scripting attack that hit MySpace uses techniques that will probably defeat most existing XSS defenses. People should study what this guy did and update their regular expressions, or whatever else they use to strip dangerous content out of incoming submissions from the outside world, to be more sophisticated:
"Sweet! Now we can do javascript with single quotes. However, myspace strips out the word "javascript" from ANYWHERE. To get around this, some browsers will actually interpret "java\nscript" as "javascript" (that's java<newline>script).
Example: <div id="mycode" expr="alert('hah!')" style="background:url('java
script:eval(document.all.mycode.expr)')">"
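The quoted trick works because the filter looks for the literal word while the browser tolerates whitespace inside the URL scheme. The following is an added example, not code from the original post or from MySpace: it shows that a blacklist strip of the kind described above leaves the quoted payload untouched, and what a defender does instead (normalize before checking, allowlist the URL scheme, and encode text rather than strip it). The function names and the sample string are constructed for this illustration.

```javascript
// Added example (not from the original post): why stripping the word
// "javascript" is not a defense, and what a defender does instead.

// Constructed sample: the attacker-controlled URL value from the quoted post,
// with a literal newline in the middle of the scheme.
const SAMPLE_URL = "java\nscript:eval(document.all.mycode.expr)";

// Naive blacklist filter of the kind the post describes: removes the literal
// word wherever it appears, and nothing else.
function naiveStrip(input) {
  return input.replace(/javascript/gi, "");
}

// Browsers tolerate ASCII whitespace and control characters inside a URL
// scheme, so a filter must normalize before it decides. This strips every
// character in the range 0x00-0x20 from the string.
function normalizeScheme(url) {
  return url.replace(/[\u0000-\u0020]/g, "");
}

// Allowlist instead of blocklist: only http(s) URLs are accepted for use in a
// URL-bearing attribute (href, src, CSS url()); everything else is rejected.
function isSafeUrl(url) {
  const normalized = normalizeScheme(url).toLowerCase();
  return /^https?:\/\//.test(normalized);
}

// For user text that lands in HTML body or attribute context, encode the
// significant characters rather than trying to strip "bad words".
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Demonstration when run directly.
console.log("naive strip changed input:", naiveStrip(SAMPLE_URL) !== SAMPLE_URL); // false
console.log("normalized scheme:", normalizeScheme(SAMPLE_URL).split(":")[0]);   // javascript
console.log("accepted by allowlist:", isSafeUrl(SAMPLE_URL));                    // false
console.log("escaped:", htmlEscape("<div id=\"mycode\">"));
```

The design point is that the check runs on a normalized copy and accepts only known-good schemes; a blocklist that has to enumerate every whitespace, encoding and case variant a browser will accept is always one variant behind.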