If you create websites that require any kind of security, hopefully you are familiar with the dangers of cross-site scripting attacks. (If not, please let me know so I can stay clear…)
The other day MySpace got taken down by an XSS attack. The interesting thing about it was that (a) it used XMLHttpRequest to get around a multi-phase hash verification test and (b) the author has written about how they did it.
The attack itself is quite smart:
9) Finally we can do a POST! However, when we send the post it never actually adds a friend. Why not? Myspace generates a random hash on a pre-POST page (for example, the “Are you sure you want to add this user as a friend” page). If this hash is not passed along with the POST, the POST is not successful. To get around this, we mimic a browser and send a GET to the page right before adding the user, parse the source for the hash, then perform the POST while passing the hash.
It is a worry, though, that he spent so long working out how to get it to work, and yet after he deployed it:
7 hours later, 8:35 am: You have 74 friends and 221 friend requests.
Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.
1 hour later, 9:30 am: You have 74 friends and 480 friend requests.
Oh wait, it's exponential, isn't it. Shit.