This site is soon to be deprecated by http://www.johnleitch.net

Sunday, August 30, 2009

Insecure IFrame - Myspace.com

The Myspace volunteer search results are embedded in the page using an IFrame, its source set by the searchresults field of the query string. Because no checks are performed on the URL specified by the field, any can be used. The result is a hard to detect XSS vulnerability; it even works with Internet Explorer 8 despite the new anti-XSS measures.

http://www.myspace.com/volunteerspace?searchresults=http://cross-site-scripting.blogspot.com/

2 comments: