web application security lab

43things.com XSS attack

Luny emailed me earlier today with a few cross site scripting vulnerabilities in 43things.com (which is sort of like technorati.com, and which may well have the same kinds of issues). One of them uses the @import rule in style sheets with embedded and obfuscated JavaScript. It’s a fairly obfuscated method that only works in IE and Netscape 8.0 (see the XSS Cheat Sheet for details). He was also able to inject using the javascript: directive. This may end up solving itself with IE 7.0 in the future, but for now it’s still a big issue.
Here are the screenshots:

  1. Injecting @import XSS in a style sheet for 43things.com
  2. Injecting remote script source XSS into 43things.com
  3. Injecting image with javascript directive XSS on 43things.com
  4. Injecting image with javascript directive XSS on 43things.com part 2
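To make the two vectors above concrete from the defender's side, here is an added Python example (not code from the original post, and nothing 43things.com ran) that validates user-supplied URL and style values before they are written into a page. It first undoes what a browser of the time would decode before interpreting the value (HTML entities, control characters, CSS comments and backslash escapes), then allows only http/https or relative URLs and refuses style values that contain @import, expression() and similar constructs. The normalization steps are my assumptions about what those browsers tolerated rather than a model of any one browser, the sample inputs under `__main__` are constructed for the demo, and `other.example` is a placeholder hostname.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes allowed in user-supplied href/src values and CSS url() arguments.
# Everything else (javascript:, vbscript:, data:, ...) is refused, so an
# obfuscated scheme the filter does not recognise is still rejected.
SAFE_SCHEMES = {"http", "https"}

# Browsers of the period (IE especially) ignore control characters and
# whitespace inside a scheme, so they must be removed before the scheme is
# examined; otherwise "java\tscript:" slips past a naive prefix check.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")

# CSS backslash escapes (\69 -> "i") and comments, which the browser decodes
# or discards before it sees "@import" (assumed behaviour, see lead-in).
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Constructs that let a style value load or run code.
_CSS_FORBIDDEN = re.compile(
    r"@import|expression\s*\(|behavior\s*:|-moz-binding|javascript\s*:|vbscript\s*:",
    re.I,
)
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]*)", re.I)


def normalize_url(raw: str) -> str:
    """Undo the decoding a browser performs before it reads the scheme."""
    s = html.unescape(raw)        # "&#106;avascript:" -> "javascript:"
    return _CTRL_WS.sub("", s)    # "java\tscript:"    -> "javascript:"


def is_safe_url(raw: str) -> bool:
    """Allow relative URLs and allowlisted absolute schemes; reject the rest.

    Fails closed: anything urlsplit cannot parse is treated as unsafe.
    """
    try:
        parts = urlsplit(normalize_url(raw))
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def _codepoint(n: int) -> str:
    # Out-of-range escapes become U+FFFD instead of raising.
    return chr(n) if n <= 0x10FFFF else "\ufffd"


def normalize_css(raw: str) -> str:
    """Return the form used for the decision only; never echo it back out."""
    s = html.unescape(raw)
    s = _CSS_COMMENT.sub("", s)                                  # "@im/**/port"
    s = _CSS_ESCAPE.sub(lambda m: _codepoint(int(m.group(1), 16)), s)  # "@\69mport"
    return _CTRL_WS.sub("", s)


def is_safe_css(raw: str) -> bool:
    """True only if the style value has no code-loading construct and every
    url() argument passes is_safe_url."""
    css = normalize_css(raw)
    if _CSS_FORBIDDEN.search(css):
        return False
    return all(is_safe_url(u) for u in _CSS_URL.findall(css))


if __name__ == "__main__":
    # Constructed sample values a profile form might receive.
    for value in ["http://other.example/a.png", "/static/a.png",
                  "javascript:alert(1)", "java\tscript:alert(1)",
                  "&#106;avascript:alert(1)"]:
        print(f"url   {is_safe_url(value)!s:5}  {value!r}")
    for value in ["color: red; background: url(/img/bg.png)",
                  "@import url(http://other.example/x.css)",
                  "@\\69mport 'x.css'", "width: expression(alert(1))",
                  "background: url(javascript:alert(1))"]:
        print(f"style {is_safe_css(value)!s:5}  {value!r}")
```

Two design points carry the weight here: the value is decoded the way the browser decodes it before any string matching happens, and the URL check is an allowlist of schemes rather than a denylist of bad ones, so none of the obfuscation tricks on the XSS Cheat Sheet change the verdict. Run the same check before storage and again at output time; and for a site like this the simplest fix is to not let users supply raw style sheets or script-capable attributes at all.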

The reason I think this is in particular a big deal is the sheer size of this site. Popularity inherently increases the virulence of XSS worms based on the platform. If you look at how Samy and Yamanner worked, neither was the most effective use of a worm by any regard, but it could have been way, way worse. People will ask if Web 2.0 is being given a bad name because of these types of attacks, and the answer is a resounding yes. The browsers are unable to distinguish between automated attacks and intended behavior, and the web server technology is unable to detect or prevent it. It’s probably worth discussing cross site scripting detection in more detail later, but for now, enjoy Luny’s work. Thanks Luny!

/RSnake

5 Responses to “43things.com XSS attack”

  1. Luny Says:

    Just posted updates on technorati.com and blogspot.com. I’m addicted to auditing now ;)

  2. RSnake Says:

    Those are both super interesting. I’m a little concerned at how quickly you are finding all of these. Do you have a team of Luny’s or are you just one man? ;)

  3. Chris Jackson Says:

    RSnake - awesome blog. I have always been interested in XSS and how to prevent it. I’ll be learning from your insight…

  4. RSnake Says:

    Thanks, Chris… I’m just trying to stay ahead of the game. There’s a lot of new stuff to come. I’ve barely scratched the surface in a lot of ways. I can’t wait until August, there will be a lot to post about after Blackhat. Stay tuned.

  5. Luny Says:

    I’m just one man, with too much time on his hands. :)
