Web Application Security
RE: myspace hack Oct 14 2005 03:35PM
Jeff Robertson (Jeff Robertson DigitalInsight com) (3 replies)
It was called XSS before 2002. The wikipedia article that someone already
mentioned links to:

http://www.cert.org/advisories/CA-2000-02.html
http://webmonkey.wired.com/webmonkey/00/18/index3a.html
http://httpd.apache.org/info/css-security/

All of which are from 2000.

I remember the vulnerability now known as "stored xss" being an issue as far
back as 1996-ish on web based forums, but I don't think it had any name at
that time.

Jeff Robertson
Manager of Web Application Security
Digital Insight

> -----Original Message-----
> From: Richard M. Smith [mailto:rms (at) computerbytesman (dot) com [email concealed]]
> Sent: Friday, October 14, 2005 11:14
> To: webappsec (at) securityfocus (dot) com [email concealed]
> Subject: RE: myspace hack
>
>
> I believe that Microsoft first came up with the cross-site scripting name.
> They wrote a paper on the subject around 2002.
>
> "Script injection" does sound like a more descriptive and accurate name.
>
> Richard
>
> -----Original Message-----
> From: Jeff Robertson [mailto:Jeff.Robertson (at) DigitalInsight (dot) com [email concealed]]
> Sent: Friday, October 14, 2005 10:55 AM
> To: 'Reynolds, Jake'; Chris Varenhorst; Akash
> Cc: webappsec (at) securityfocus (dot) com [email concealed]
> Subject: RE: myspace hack
>
> The name "XSS" does not make sense in a lot of its applications.
>
> What "Stored XSS" and "Reflected XSS" have in common is the injection of
> script into places where script wasn't supposed to be. Having more than one
> site be involved is not the factor. What has been discussed in this thread
> seems to me like it falls under "Stored XSS".
>
> It would make more sense if this was called "script injection", but for some
> reason the whole family was named XSS.
>
> Who the heck names these things, anyway?
>
>
> Jeff Robertson
> Manager of Web Application Security
> Digital Insight
>
>
> > -----Original Message-----
> > From: Reynolds, Jake [mailto:Jake.Reynolds (at) fishnetsecurity (dot) com [email concealed]]
> > Sent: Friday, October 14, 2005 10:30
> > To: Chris Varenhorst; Akash
> > Cc: webappsec (at) securityfocus (dot) com [email concealed]
> > Subject: RE: myspace hack
> >
> >
> > I wouldn't consider this an XSS attack. Where in the attack did
> > information cross sites? This seems like it is an embedded XSS attack
> > in that a malicious script was entered into a profile in hopes that
> > victims would view and execute it. However, nothing was sent across
> > sites via the script. The vulnerability was a lack of output
> > validation in my opinion, which is the same vulnerability that an XSS
> > attack would exploit. I don't know how you would classify the
> > attack... Probably "self-replicating session riding". Yeah that has a
> > nice FUD-factor to it.
> >
> >
> > Jake Reynolds, CCIE, CCSP, MCSE, CCSA, JNCIA-FWV, CWNA
> > Senior Security Engineer -- Consulting Services
> > FishNet Security
> >
> > Phone: 816.421.6611
> > Toll Free: 888.732.9406
> > Fax: 816.421.6677
> >
> > http://www.fishnetsecurity.com
> >
> > -----Original Message-----
> > From: Chris Varenhorst [mailto:varenc (at) MIT (dot) EDU [email concealed]]
> > Sent: Thursday, October 13, 2005 8:39 AM
> > To: Akash
> > Cc: webappsec (at) securityfocus (dot) com [email concealed]
> > Subject: Re: myspace hack
> >
> > Oh wow I'm wrong, I'm apparently thinking of current myspace bots
> > which do as I described. It looks like this was in fact made possible by
> > an XSS vulnerability.
> > Sorry
> >
> > On Thu, 13 Oct 2005, Chris Varenhorst wrote:
> >
> > > > This isn't hacking at all. (at least not what I'd call it) This is
> > > > writing a script to go through myspace IDs (which happen to be
> > > > sequential) issuing friend requests to every one of them. To prevent
> > > > this, now myspace limits friend requests to a certain number per day.
> > > > Hope that covers it!
> > >
> > > -Chris
> > >
> > > On Thu, 13 Oct 2005, Akash wrote:
> > >
> > > > > Does anyone have more technical details about how 1 million accounts
> > > > > got hacked in about 24 hours.
> > >
> > > This is the supposed confession of the hacker
> > > http://fast.info/myspace/
> > >
> > > > I am currently studying for CEH and just finished reading about XSS. So
> > > > this is of special interest.
> > >
> > > regards
> > >
> > > akash
> > >
> >
>

Copyright 2010, SecurityFocus