This site is soon to be deprecated by http://www.johnleitch.net

Sunday, August 30, 2009

Insecure IFrame - Myspace.com

The Myspace volunteer search results are embedded in the page using an IFrame, its source set by the searchresults field of the query string. Because no checks are performed on the URL specified by the field, any can be used. The result is a hard to detect XSS vulnerability; it even works with Internet Explorer 8 despite the new anti-XSS measures.

http://www.myspace.com/volunteerspace?searchresults=http://cross-site-scripting.blogspot.com/

1 comment:

  1. Its quiet interesting. After reading this I thought it was very informative. I appreciate you taking the time to put this blog piece together. Wildcard SSL

    ReplyDelete