"mock" talked about XSS at this years YAPC::Europe in Birmingham a few weeks ago. He had quite a few examples. His slides are at http://sketchfactory.com/static/mvc.pdf (More Vulnerable Code). It goes without saying that it would be a bit unwise to test the URLs mentioned in the talk. my 2 cents Hendrik On 10/6/06, Jonathan Vanasco <suppressed> wrote:
On Oct 6, 2006, at 10:35 AM, Clinton Gormley wrote:
> I'm testing my current site for XSS vulnerabilities, and I came across
> this one on:
>
> http://ha.ckers.org/xss.html
well, not MP related but
if you let users embed flash / etc in profile pages, make sure you
strip object tags -- just use the embed
also add
allowScriptAccess="never"
allownetworking="internal"
without that, you can use getURL from within flash to call arbitrary
code
most social networks have. but i *think* friendster still hasn't
done it yet.. there's a popular hack amongst east-asian teens right
now to include a flash file onto their profile pages that includes an
external JS which alters the DOM tree to skin it any-which-way they
want.
// Jonathan Vanasco
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - -
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - -
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - -
-- Hendrik Van Belleghem Spine - The backbone for your website - http://spine.sf.net -- Hendrik Van Belleghem Spine - The backbone for your website - http://spine.sf.net
Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.