web application security lab

Another MySpace XSS Through an API

One of the things I love to talk about when I’m ranting about the improper use of the same origin policy to dictate how we as security professionals audit a website is the use of APIs. Hackers don’t care that your browser sees them as different domains. If they can attack the API, and that API has access to the same data that the main website does but without the controls in place to lock it down, so much the better. Anyway, all of this and much, much more will be covered in the OWASP preso I’m doing in Minnesota on Feb 11th, for those of you who live nearby. But let me return to my rant for a second.

I’ve seen lots of examples of this in the wild, but for various reasons I haven’t been able to talk about them specifically until now. Rosario Valotta found an XSS in MySpace using the mobile API. MySpace being plagued with XSS vulns is nothing new, but this one is actually pretty interesting to me because it’s the first time I can publicly point to a place where the API is the conduit for the attack. Where you’d normally be unable to enter JavaScript, on the mobile API the filters don’t exist. Good for bad guys, bad for consumers.

As Rosario pointed out, although this does end up on MySpace it wouldn’t make for a good worm, as the mobile platform doesn’t use the same credentials as the website, so it would be impossible to propagate unless someone happened to be logged into the mobile platform when they visited an attacker’s malicious profile. Yes, folks, APIs need to be secured in the same way the website is. You are only as strong as the weakest link, and if you aren’t auditing those APIs you aren’t finding all your holes. Nice work by Rosario!
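The pattern above, as an added example that is not from the post or from MySpace: two ingress paths write the same profile field, only the web form filters its input, and the render step is the only place that reliably catches markup from either path. The profile store, the filter, and the field name are assumptions made for the illustration.

```python
from html import escape

# Constructed model of one profile field reachable from two ingress paths:
# the website (with an input filter) and a mobile API (without one).
PROFILES = {}


def web_input_filter(text):
    """Input-side filter of the kind a website might apply (assumed: strips angle brackets)."""
    return text.replace("<", "").replace(">", "")


def set_about_me_via_web(user, text):
    """Website path: input is filtered before storage."""
    PROFILES[user] = web_input_filter(text)


def set_about_me_via_mobile_api(user, text):
    """API path: the same field, but no filter. This is the weak link the post describes."""
    PROFILES[user] = text


def render_profile_unsafe(user):
    """Rendering that trusts stored data: safe only if every writer filtered its input."""
    return f"<div class='about'>{PROFILES[user]}</div>"


def render_profile_safe(user):
    """Output encoding at render time: correct regardless of which path wrote the data."""
    return f"<div class='about'>{escape(PROFILES[user], quote=True)}</div>"


def contains_raw_markup(html_fragment):
    """Audit check: does the rendered field body still carry an unescaped tag character?"""
    body = html_fragment[len("<div class='about'>"):-len("</div>")]
    return "<" in body or ">" in body


if __name__ == "__main__":
    sample = "<b>hi</b>"  # constructed sample containing harmless markup
    set_about_me_via_web("alice", sample)
    set_about_me_via_mobile_api("bob", sample)
    print("web path, input filter only:", contains_raw_markup(render_profile_unsafe("alice")))
    print("api path, input filter only:", contains_raw_markup(render_profile_unsafe("bob")))
    print("api path, output encoding:  ", contains_raw_markup(render_profile_safe("bob")))
```

The same check can be pointed at each write path an application exposes; any path that reaches `render_profile_unsafe` without the filter is the hole the post is talking about.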

3 Responses to “Another MySpace XSS Through an API”

  1. Claudio Criscione Says:

    I agree with you, APIs are the next hot topic in the never-ending story of web 2.0 insecurity. I’ve been experimenting with some less-important sites’ APIs, and found very interesting stuff. Auditing API necesse est!

  2. John Ther Says:

    Input filtering without output filtering owns again….

  3. S Says:

    Damn, seems to be fixed! So once again, no way to put JS in your profile.