[WEB SECURITY] Twitter XSS worms

Hoffman, Billy billy.hoffman at hp.com
Mon Apr 13 14:19:15 EDT 2009


Source code:

http://www.memestreams.net/users/acidus/blogid10337731/

To anyone who has looked at XSS/Ajax worms in the past this should look very familiar. Use Ajax to fetch a page, regexs to strip out needed tokens, 2nd request to update the profile with the worm's payload thus propagating it.

Actually, it uses synchronous requests to simplify control flow by removing the use of callback functions.

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software - Application Security Center
Direct:  770-343-7069


-----Original Message-----
From: robert at webappsec.org [mailto:robert at webappsec.org] 
Sent: Monday, April 13, 2009 2:28 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Twitter XSS worms

Twitter got hit with a few xss worms this weekend. 

Here's their response to the issue
http://blog.twitter.com/2009/04/wily-weekend-worms.html

Additional reading.
http://www.f-secure.com/weblog/archives/00001653.html
http://status.twitter.com/post/95332007/update-on-stalkdaily-com-worm
http://www.networkworld.com/community/node/40825
http://www.networkworld.com/community/node/40822

- Robert
http://www.webappsec.org/
http://www.cgisecurity.com/


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
