Anyway, here's the exploit:
<body onLoadmoz-binding="alert('XSS');">
As you can see if you run that, moz-binding is changed to .., and we are left with the following:
<body onLoad..="alert('XSS');">
So from this I think we can quite safely assume that they have a few separate modules which each take their turn at the code, in order. If something gets changed into something dangerous after the module that would filter out that particular dangerous code (the non-alpha-non-digit filtering module) has already run, then the code is allowed through.
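To make the ordering problem concrete, here is an added example (my own constructed model of the behaviour guessed at above, not MySpace's code): two regex-based modules run once in sequence reproduce the "onLoad.." result, while running the same modules to a fixed point catches the handler that the rewrite created. The regexes, module order and "safe" replacement string are all assumptions.

```python
import re

# Constructed model of the two filter modules the post hypothesises.
# Module 1 looks for known event-handler names followed by a non-alpha-non-digit
# character; module 2 neutralises "moz-binding". Both rewrite to "..".
EVENT_HANDLER = re.compile(r"on(?:load|click|mouseover|error)(?=[^a-z0-9]|$)", re.I)
MOZ_BINDING = re.compile(r"moz-binding", re.I)

def strip_event_handlers(s: str) -> str:
    return EVENT_HANDLER.sub("..", s)

def strip_moz_binding(s: str) -> str:
    return MOZ_BINDING.sub("..", s)

# Order matters: the handler check runs first, so anything the second
# module turns into a handler is never seen by the first one.
PIPELINE = [strip_event_handlers, strip_moz_binding]

def filter_once(s: str) -> str:
    """Single pass, as the post's guessed pipeline behaves."""
    for module in PIPELINE:
        s = module(s)
    return s

def filter_to_fixpoint(s: str, max_rounds: int = 10) -> str:
    """Re-run the whole pipeline until no module changes anything.

    This is the usual fix for rewrite-based filters: a rewrite that
    produces new dangerous text is caught on the next round. If the
    input never converges, refuse it rather than guess.
    """
    for _ in range(max_rounds):
        out = filter_once(s)
        if out == s:
            return out
        s = out
    raise ValueError("filter did not converge; reject input")

# The payload from the post (constructed test input, not network traffic).
PAYLOAD = "<body onLoadmoz-binding=\"alert('XSS');\">"

if __name__ == "__main__":
    print(filter_once(PAYLOAD))        # onLoad.. survives, as in the post
    print(filter_to_fixpoint(PAYLOAD)) # handler removed on the second round
```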
Isn't black box auditing fun? You end up making guesses that are quite often so very wrong but fit your results, :p.
3 comments:
Hey, nice find there. Seems like once again their filter plays in the wrong direction.
Yeah, it definitely does, but this is what comes of having to have your developers write security software without consulting anybody. Or so I'm guessing.
I wonder; if there was an Open Source ColdFusion XSS Filter, do you think MySpace would use it?
Hmmm, as a matter of fact I think they would.
For some reason I could imagine the developers all working on the MySpace XSS filters at the same time without letting the other developers know what changes they were making, or even letting the other developers know they were working on it.