The Myspace volunteer search results are embedded in the page using an IFrame whose source is set by the searchresults field of the query string. Because no checks are performed on the URL specified by the field, any URL can be used. The result is a hard-to-detect XSS vulnerability; it even works with Internet Explorer 8 despite the new anti-XSS measures.
http://www.myspace.com/volunteerspace?searchresults=http://cross-site-scripting.blogspot.com/
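The missing check is an allowlist on the parsed origin of the `searchresults` value before it is used as the IFrame source. The following is an added example, not code from Myspace or from this post; the function name, the allowed origin and the sample result path are assumptions.

```javascript
// Added example: allowlist check for the iframe source taken from ?searchresults=.
// ALLOWED_ORIGINS is an assumption; the page does not say which host serves real results.
const ALLOWED_ORIGINS = new Set(["http://www.myspace.com"]);

// Returns a normalized URL string safe to assign to iframe.src, or null if rejected.
function resolveSearchResultsSrc(pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch (e) {
    return null; // the page URL itself is unparseable
  }
  const raw = page.searchParams.get("searchresults");
  if (raw === null || raw.trim() === "") return null;

  let target;
  try {
    // Resolve relative values against the page, the way the browser would.
    target = new URL(raw, page);
  } catch (e) {
    return null; // unparseable value
  }
  // Only web schemes: rejects javascript:, data: and similar.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // Reject embedded credentials; userinfo has no place in an embed URL.
  if (target.username !== "" || target.password !== "") return null;
  // Compare the parsed origin, never a string prefix of the raw value.
  if (!ALLOWED_ORIGINS.has(target.origin)) return null;
  return target.href;
}

// Constructed sample inputs (the /volunteer/results path is hypothetical).
const samples = [
  "http://www.myspace.com/volunteerspace?searchresults=/volunteer/results%3Fq%3Dparks",
  "http://www.myspace.com/volunteerspace?searchresults=http://cross-site-scripting.blogspot.com/",
  "http://www.myspace.com/volunteerspace?searchresults=//www.myspace.com.example.net/",
  "http://www.myspace.com/volunteerspace?searchresults=javascript:alert(1)",
];
for (const s of samples) {
  console.log(resolveSearchResultsSrc(s) === null ? "reject" : "allow", s);
}
```

Only the first sample is allowed; the off-site, look-alike-host and non-web-scheme values all resolve to `null`, so the page can fall back to a fixed internal results URL.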
Sunday, August 30, 2009
It's quite interesting. After reading this I thought it was very informative. I appreciate you taking the time to put this blog piece together. Wildcard SSL