"mock" talked about XSS at this year's YAPC::Europe in Birmingham a few
weeks ago. He had quite a few examples. His slides are at
http://sketchfactory.com/static/mvc.pdf (More Vulnerable Code).
It goes without saying that it would be a bit unwise to test the URLs
mentioned in the talk.

my 2 cents

Hendrik

On 10/6/06, Jonathan Vanasco <[EMAIL PROTECTED]> wrote:

On Oct 6, 2006, at 10:35 AM, Clinton Gormley wrote:

> I'm testing my current site for XSS vulnerabilities, and I came across
> this one on:
>
> http://ha.ckers.org/xss.html

Well, not MP related, but

if you let users embed Flash / etc. in profile pages, make sure you
strip object tags -- just use the embed tag

also add
        allowScriptAccess="never"
        allownetworking="internal"

Without that, you can use getURL from within Flash to call arbitrary
code.

Most social networks have. But I *think* Friendster still hasn't
done it yet.. there's a popular hack amongst East Asian teens right
now to include a Flash file on their profile pages that includes an
external JS which alters the DOM tree to skin it any which way they
want.


// Jonathan Vanasco

| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -





--
Hendrik Van Belleghem
Spine - The backbone for your website - http://spine.sf.net
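Jonathan's two points above (strip <object> tags, and pin allowScriptAccess="never" plus allowNetworking="internal" on every <embed>) as an added, runnable example. This is not code from the thread or from either poster; it assumes the profile fragment arrives as a Python str, that the site has already decided to allow <embed> at all, and that the rest of the sanitiser (tag and attribute allow-listing, URL checks for the ha.ckers.org vectors) lives elsewhere. The sample input is constructed for the example.

```python
"""Hardening user-supplied Flash markup along the lines of the post above.

Added example, not code from the thread.  Assumptions: the profile
fragment arrives as a str, the site has decided to allow <embed> at all,
and the rest of the sanitiser (tag/attribute allow-listing, URL checks)
lives elsewhere.  Only the two Flash-specific points are done here:
<object> elements go away together with their nested <param>s, and every
<embed> is rewritten to carry allowScriptAccess="never" and
allowNetworking="internal" no matter what the user supplied.
"""
from html import escape
from html.parser import HTMLParser

# Attribute names as Flash documents them; matching is case-insensitive
# because html.parser lower-cases attribute names for us.
FORCED_EMBED_ATTRS = [
    ("allowScriptAccess", "never"),   # movie cannot call into the page's JS (getURL("javascript:..."))
    ("allowNetworking", "internal"),  # movie cannot drive the browser (getURL/navigateToURL/fscommand)
]
_FORCED_NAMES = {name.lower() for name, _ in FORCED_EMBED_ATTRS}


class FlashEmbedHardener(HTMLParser):
    """Re-serialises a fragment, dropping <object> subtrees and pinning <embed> attrs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. as written
        self.out = []
        self.object_depth = 0    # > 0 while inside an <object> being discarded

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            self.object_depth += 1
            return
        if self.object_depth:          # <param>, fallback content, ... all go
            return
        if tag == "embed":
            attrs = self._pin_embed_attrs(attrs)
        self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):     # <embed ... /> form
        if tag == "object" or self.object_depth:
            return
        if tag == "embed":
            attrs = self._pin_embed_attrs(attrs)
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag == "object":
            self.object_depth = max(0, self.object_depth - 1)   # tolerate a stray </object>
            return
        if not self.object_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.object_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.object_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.object_depth:
            self.out.append(f"&#{name};")

    @staticmethod
    def _pin_embed_attrs(attrs):
        # Whatever casing or value the user gave for the two attributes is dropped,
        # then the server's values are appended.
        kept = [(k, v) for k, v in attrs if k not in _FORCED_NAMES]
        return kept + FORCED_EMBED_ATTRS

    @staticmethod
    def _render(tag, attrs, self_closing=False):
        # html.parser hands us unescaped attribute values, so re-escape on the way out.
        parts = [tag] + [k if v is None else f'{k}="{escape(v, quote=True)}"'
                         for k, v in attrs]
        return "<" + " ".join(parts) + (" />" if self_closing else ">")


def harden_flash_markup(fragment: str) -> str:
    """Return the fragment with <object> removed and <embed> attributes pinned."""
    parser = FlashEmbedHardener()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample input, not taken from the thread: the "skin my profile"
# payload shape the post describes, with the permissive attributes set.
SAMPLE_PROFILE_HTML = (
    '<p>my page</p>'
    '<object type="application/x-shockwave-flash" data="skin.swf">'
    '<param name="movie" value="skin.swf">'
    '<param name="allowScriptAccess" value="always">'
    '</object>'
    '<embed src="skin.swf" allowScriptAccess="always" AllowNetworking="all" '
    'width="1" height="1">'
)

if __name__ == "__main__":
    print(harden_flash_markup(SAMPLE_PROFILE_HTML))
```

The <object> subtree has to go as a whole, not just the tag, because a nested <param name="allowScriptAccess" value="always"> sets the same policy the embed attributes do. If the movie needs no network access at all, allowNetworking="none" is the stricter choice; "internal" is the value the post names and still lets the SWF load its own assets. Attribute names come out of html.parser lower-cased, which is why the user's AllowNetworking="all" is matched and replaced regardless of casing.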

