On Mon, 17 Apr 2006 11:31:51 EDT, v9 said:
> samy's worm was stored on the server and shown to all who viewed his
> myspace page. these kinds of XSS are in a url you'd have to create
> yourself, you wouldn't ever stroll across this, as you have to make it in
> the url to work.

This is still a threat if the attacker is able to use social engineering to
increase the chances somebody will click on it. Goatse isn't something
somebody would stroll across either, but you certainly see enough attempts
to put links to it in Slashdot postings...

> so as I said before, encoded/phishing (emails) is about the only possible
> use for these that I can see, and not even to a good extent (easier
> to just use the usual <A HREF> style misdirection, and has more options).
> if someone can tell me otherwise, post a RELATED reply. (i.e. in-url XSS)

Using <A HREF> *is* certainly easier, and the cost of admission is basically
the same for both - you need to entice the user to click the link. The difference
is in what your *goal* is. If you want them to visit some *other* page, a simple
anchor works. If you want to execute some JavaScript in *this* page's context,
you'll be looking for an XSS...
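
The distinction made above, as an added illustration that is not part of the thread: a toy server-side search page that reflects a URL parameter into its own HTML (so anything carried in the link runs in *this* page's origin) next to the same page with output encoding applied. The function names and the two sample URLs are constructed for this example.

```python
# Added example (not from the mailing-list thread): a toy page renderer that
# shows what an "in-url" (reflected) XSS does that a plain <A HREF> link does
# not, plus the output-encoding fix. All names and sample URLs are constructed.
import html
from urllib.parse import urlparse, parse_qs


def extract_query(url: str) -> str:
    """Return the 'q' parameter of a URL, the way a search page would read it."""
    params = parse_qs(urlparse(url).query)
    return params.get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the query back into the page without encoding.

    Whatever markup the link carried is now part of this page's document,
    so it executes with this site's origin and cookies, not on some other site.
    """
    q = extract_query(url)
    return f"<p>Results for: {q}</p>"


def render_fixed(url: str) -> str:
    """Same page, but the reflected value is HTML-entity encoded first."""
    q = extract_query(url)
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def contains_active_markup(page: str) -> bool:
    """Crude check a reviewer might script: did a script tag survive into the output?"""
    return "<script" in page.lower()


# Constructed sample URLs: one benign, one carrying markup in the parameter.
BENIGN_URL = "https://example.invalid/search?q=myspace+worm"
CRAFTED_URL = "https://example.invalid/search?q=%3Cscript%3Edemo()%3C%2Fscript%3E"

if __name__ == "__main__":
    for url in (BENIGN_URL, CRAFTED_URL):
        print("vulnerable:", render_vulnerable(url))
        print("fixed:     ", render_fixed(url))
```

The encoded page still shows the visitor exactly what they typed, but as inert text, which is the property the server side needs regardless of how the link reached the user.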

