Another day, another Twitter XSS
It may surprise some, but I really haven't been big on XSS lately, mostly because it's a problem that hasn't changed for years, and the most basic form of it is still brutally simple to exploit. Not a lot of excitement in it, I guess. But that doesn't mean that it doesn't deserve attention; in fact, that's exactly why it does. So when a new Twitter XSS popped up on my feed reader this morning, I took the 10 minutes it takes to write a proof of concept, and put together an exploit.
You can check it out if you like (It won't bite until you manually click the "pwn me" button, so the link is safe, but don't take my word for it, use NoScript and RequestPolicy). Frankly, if I wanted to hack you, I'd be doing it silently on this page, not that one.
I'll post a followup later. This example drives some pretty interesting points home.


1 Comment:
The first thing that happens is Fox pops the full-page cert warning for dev.twitter.com. I think most people will see a huge warning instead of a sploit...
By Anonymous, at September 6, 2010 3:35 PM