Sunday, January 28, 2007

More Myspace XSS Fun

Via -

This is perhaps one of the weirdest vectors I’ve come across. It took me a while to figure out why this was happening, but after some time it became clear. SystemOfAHack sent me this vector a few days ago, but I was unable to get all the peices put together until now. MySpace allows users to enter HTML as we all know. But due to an open ended div tag and overwriting a class with a set id that MySpace uses, SystemOfAHack was able to execute XSS.


See RSnake's blog to see the full code example.

No comments:

Post a Comment