This site is soon to be deprecated by http://www.johnleitch.net

Sunday, August 30, 2009

Insecure IFrame - Myspace.com

The Myspace volunteer search results are embedded in the page using an IFrame whose source is set by the searchresults field of the query string. Because no checks are performed on the URL specified by that field, any URL can be used. The result is a hard-to-detect XSS vulnerability; it even works in Internet Explorer 8 despite the new anti-XSS measures.

http://www.myspace.com/volunteerspace?searchresults=http://cross-site-scripting.blogspot.com/

Sunday, August 16, 2009

Bypassing Myspace IM XSS Filters - Myspace.com

The filtering Myspace IM uses is rather aggressive. Regardless of context, "document." is changed to "document·" and "eval()" to "..)". Because the filter matches these literal tokens before any decoding, it can be circumvented by using percent-encoding and JavaScript escaped hex sequences.

The vulnerability (only works when logged in):
http://myspace.com/index.cfm?fuseaction="};alert(0);var x={"":"

The vulnerability re-encoded to bypass IM filters:
http://myspace.com/index.cfm?fuseaction=%22};%65val('alert(document%5Cx2Ecookie)'%29;var%20x={%22%22:%22
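As an added example that is not part of the original post, the check below shows why a token filter like the one described above misses the re-encoded URL: it matches literal tokens before decoding. Canonicalizing the input (percent-decoding, then resolving JavaScript \xNN / \uNNNN escapes) before matching catches the same payload; the token list and replacement rules are assumptions modelled on the description, not Myspace's actual filter.

```python
import re
import urllib.parse

# Assumed blacklist rules modelled on the post's description of the IM filter:
# literal "document." becomes "document·" and literal "eval(" becomes "..(".
NAIVE_PATTERNS = {"document.": "document\u00b7", "eval(": "..("}

# The re-encoded query string from the post, used here as sample input.
ENCODED_PAYLOAD = "%22};%65val('alert(document%5Cx2Ecookie)'%29;var%20x={%22%22:%22"

_JS_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")


def naive_flags(text: str) -> bool:
    """Token filter as described: looks for the literal strings only."""
    return any(bad in text for bad in NAIVE_PATTERNS)


def canonicalize(text: str) -> str:
    """Percent-decode until stable, then resolve JS hex/unicode escapes until stable."""
    prev = None
    while prev != text:           # handles double-encoded input such as %2565
        prev = text
        text = urllib.parse.unquote(text)

    def _resolve(m: re.Match) -> str:
        return chr(int(m.group(1) or m.group(2), 16))

    prev = None
    while prev != text:           # handles nested escapes once the backslash appears
        prev = text
        text = _JS_ESCAPE.sub(_resolve, text)
    return text


def canonical_flags(text: str) -> bool:
    """Same token filter, applied after canonicalization."""
    return naive_flags(canonicalize(text))


if __name__ == "__main__":
    print("raw input flagged:      ", naive_flags(ENCODED_PAYLOAD))      # False
    print("canonicalized:          ", canonicalize(ENCODED_PAYLOAD))
    print("canonical input flagged:", canonical_flags(ENCODED_PAYLOAD))  # True
```

Decoding before matching closes only the encodings the decoder knows about; the durable fix is contextual output encoding of the parameter rather than token blacklisting.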