Via DarkReading -
OCTOBER 24, 2006 | A researcher has published proof-of-concept code on a zero-day vulnerability he found on MySpace.com -- and another variation on the cross-site scripting (XSS) theme.
Called XSS fragmentation, the vulnerability consists of multiple chunks, or fragments, of JavaScript malware that can slip by a filter or firewall because individually they don't constitute a security risk. But when they are combined after hitting the site, they can then be dangerous.
XSS fragmentation is rare, but a potentially powerful vulnerability that could be used against community-based sites such as MySpace or Web-based mail systems, security experts say. MySpace in particular is vulnerable because it takes user-supplied content and stores it without adequate filtering, says Jeremiah Grossman, CTO of White Hat Security. An e-commerce site would not be at risk to this type of attack, he says.
No comments:
Post a Comment