Whelp, V-Wall is at it again - finding more XSS vulnerabilities in MySpace. This is a pretty interesting one, because I think it proves a few points that are worth discussing. First of all, let’s just show the exploits in action:
So here’s the deal. MySpace sees his vector, which is onload/_= and uses the non-alpha-non-digit XSS vector: Firefox (at the time) still treats it as the onload handler even with junk non-alphanumeric characters sitting between the attribute name and the equals sign. Now, MySpace decides to rewrite the forward slash as “..”, which they think will break his vector. Au contraire! It then looks like onload.._= and, since “..” is every bit as non-alphanumeric as the slash it replaced, that doesn’t change the vector one bit!
Lessons learned? 1) Don’t modify vectors if you don’t know what you’re doing; a filter that rewrites one character into another without understanding how the browser parses the result is just guessing. 2) Make certain you have re-run every known vector through your conversion filters and checked what actually comes out the other side, and 3) Don’t accept HTML, duh! Well, that last one is mine, but really, if you can help it, don’t allow users to enter stuff that can execute code. Leaving this open makes MySpace vulnerable to another worm, account take-overs or worse. Ouch. Thanks to V-Wall for the info!
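To make the point in lessons 1 and 2 concrete, here is an added example (mine, not MySpace’s filter code and not V-Wall’s exploit): a toy version of the “rewrite / to ..” conversion filter described above, a detector that models the lenient event-handler parsing the vector relies on (any non-alphanumeric junk allowed between the handler name and “=”), and a small regression harness that runs known vectors through a filter and reports which ones survive. All function names and the sample vectors below are constructed for illustration; the detector is a regex model of the old parser behaviour, not a full HTML parser.

```javascript
// Added example, not MySpace's code or V-Wall's exploit. Function names and
// sample vectors are constructed for illustration.

// The non-alphanumeric characters tolerated between an event-handler name and
// "=" in the classic non-alpha-non-digit vector (old Firefox parsers).
const JUNK = "!#$%&()*~+-_.,:;?@[/|\\]^`";

// Vectors to regress against. The first is the one discussed above (the "/"
// is what MySpace rewrote); the others are constructed variants.
const VECTORS = [
  '<IMG SRC="x" onload/_=alert(1)>',
  '<IMG SRC="x" onload' + JUNK + '=alert(1)>',
  '<BODY onload=alert(1)>',
  '<IMG SRC="x" onerror  =  alert(1)>',
];

// Model of the lenient parser: inside a tag, "on<name>", optional junk,
// optional whitespace, then "=". Only a detector for the harness.
const HANDLER_IN_TAG = /<[a-z][^>]*?\bon[a-z]+[^a-z0-9\s=>]*\s*=/i;

function hasEventHandler(html) {
  return HANDLER_IN_TAG.test(html);
}

// What the post describes MySpace doing: mutate one character and hope the
// vector breaks. "/" becomes "..", which is still junk, so the handler lives.
function rewriteSlashFilter(html) {
  return html.replace(/\//g, "..");
}

// Lesson 3: don't accept HTML at all. Escape every metacharacter so the
// browser never sees a tag, let alone an attribute.
function escapeHtml(html) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return html.replace(/[&<>"']/g, (c) => map[c]);
}

// If HTML must be allowed: drop the entire attribute (name, junk and value,
// quoted or bare) instead of editing it into a different shape.
function stripEventHandlers(html) {
  return html.replace(
    /\s+on[a-z]+[^a-z0-9\s=>]*\s*=\s*("[^"]*"|'[^']*'|[^\s>]*)/gi,
    ""
  );
}

// Lesson 2: run every known vector through the filter and return the ones
// that still contain a live handler afterwards.
function survivors(filter, vectors = VECTORS) {
  return vectors.filter((v) => hasEventHandler(filter(v)));
}

// Number of surviving vectors per filter (a function so it can be checked).
function report() {
  return {
    rewriteSlash: survivors(rewriteSlashFilter).length,
    escapeHtml: survivors(escapeHtml).length,
    stripHandlers: survivors(stripEventHandlers).length,
  };
}

console.log(report()); // all four vectors survive the "/" -> ".." rewrite; none survive the other two
```

The interesting line is the rewriteSlash count: the rewrite touches only one of the four vectors at all, and even that one keeps working because the replacement text is still in the junk class. Escaping or removing the whole attribute is what actually changes the outcome, which is the difference between mutating a vector and neutralising it.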