| MOMBY-00010010: Video Upload "title" Image Alt Text Error |
| Published: April 26, 2007, 2:07 am |
| Tags: No Xss |
| application of Myspace XSS filtering of common XSS elements, such as <script> tags, event handlers, style expression()s and the like. Most HTML elements are also correctly filtered. Perhaps the most interesting feature of this bug is that Myspace is clearly and correctly defending against the malicious leveraging of this bug, |
|
|
| MOMBY-00010001: Clickable "numberPagesBack" XSS |
| Published: April 24, 2007, 8:48 pm |
| Tags: Clickable, Xss |
| Clickable "numberPagesBack" XSS Noobz: **** LOLz: ** 0wnz: ** The action handler for the "Email Customer Service" form at http://collect.myspace.com/index.cfm?fuseaction=http://momby.livejournal.com/data/misc.contactInput contains a clickable cross-site scripting (XSS) vulnerability. The resulting page from submitting a message builds its |
|
|
| MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS |
| Published: April 19, 2007, 11:09 pm |
| Tags: Base64, Ajax, Xss |
| "__VIEWSTATE" POST XSS Noobz: ** LOLz: **** 0wnz: *** 1/2 An interesting find, this is an Ajax control present on all "View Friends" pages. Useful for POST-based XSS attacks (which will usually require a form posted off-site in order to trigger), this vulnerability will be exercised in a fashion similar to MOMBY-1001. First, a simplified |
|
|
| MOMBY-00001110: Careless Myspace Credential Theft (And comedianJoin XSS) |
| Published: April 19, 2007, 12:58 am |
| Tags: Passwords, 0wned, Salutes, Xss |
| Theft (And comedianJoin XSS) by special guest advisory author, teh_commodore n00bz: ******* LOLz: ******* 0wnz: .0375 Just like all other bugs posted so far, this one relies on the user almost voluntarily revealing their authentication credentials. Troll livejournal accounts, and look for someone's authentication credentials. This may be |
|
|
| Advisory MOMBY-00001100: Clickable "returnPath" XSS |
| Published: April 16, 2007, 10:03 pm |
| Tags: Clickable, Xss |
| Clickable "returnPath" XSS Press Embargo until April 16, 2007 Rankings: Noobs: **** LOLs: ** 0wnz: ** A pretty straight-forward XSS advisory for today. By supplying a user-defined value to the returnPath variable of the messageboard.posted application, attackers may supply a clickable javascript (or apparently any other protocol |
|
|
| MOMBY-00001011: XSS "Space Invader" Evasion |
| Published: April 13, 2007, 5:16 pm |
| Tags: Xss, Evasion |
| attempting to promote it to XSS. But never fear! Thanks to the diligent efforts of our readers, we now may present the "space invader" technique of circumventing this (and similar) XSS filtering mechanisms. First, the problem: The XSS filters around the searchForm applications on events.myspace.com make it difficult to create useful XSS |
|
|
| MOMBY-00001000: Myspace "Fuseaction" Event Handler XSS |
| Published: April 9, 2007, 9:22 pm |
| Tags: Fuseaction, Xss, Event Handler |
| "Fuseaction" Event Handler XSS Press Embargo until April 9, 2007 Rankings: Noobs: ** LOLs: ******* 0wnz: ***** A cross-site scripting vulnerability exists in the "index.cfm?fuseaction" web application on Myspace.com. Fuseaction is the main navigation application, common to nearly all aspects of the *.myspace.com domain. This XSS vector |
|
|
| MOMBY-00000110: Myspace Jobs Search XSS |
| Published: April 6, 2007, 5:43 pm |
| Tags: Search Box, Xss, Event Handler |
| actually leveraging XSS to do something useful is left as an exercise to the reader. Google "XSS" and learn all about it. It's great fun and nobody takes XSS seriously. Example link: |
|
|
| MOMBY-00000100: MySpace XSS (filter evasion) |
| Published: April 4, 2007, 9:00 pm |
| Tags: Xss Really |
| MOMBY-00000100: MySpace XSS (classifieds.searchCategory) Press Embargo until April 4, 2007 Rankings: Noobs: ** LOLs: **** 0wnz: *** 1/2 In MOMBY-00000011, we discussed a well-filtered HTML and link insertion in the classifieds.searchCategory on http://classifieds.myspace.com. Let's look again, shall we? Example url: |
|
|
| MOMBY-00000011: MySpace HTML/Link Insertion (XSS Filtered) |
| Published: April 3, 2007, 5:29 pm |
| Tags: Tila Tequila, Html, Xss Notreally |
| MySpace HTML/Link Insertion (XSS Filtered) Press Embargo until April 3, 2007 Rankings: Noobs: *** LOLs: ** 0wnz: * 1/2 Lamer than MOMBY-00000010 is today's HTML insertion. In the "classifieds.searchCategory" application on classifieds.myspace.com, users may insert HTML and links to offsite/onsite URLs and have them displayed in the |
|
|
| MOMBY-00000010: MySpace Link Poisoning (Clickable XSS) |
| Published: April 2, 2007, 9:19 am |
| Tags: Xss |
| align=center>greetz RSn%61ke!<br><iframe src=http://momby.livejournal.com width=666 height=666></iframe>%27); Screenshot: http://pics.livejournal.com/momby/pic/00004akh (Bonus bug: turns out, elfURL suffers some similar input validation problems which makes creating |
|
|
| MOMBY eve! |
| Published: March 31, 2007, 2:47 pm |
| Tags: Overflows, Momby, Myspace, Bugs, Whatever, Xss, Mypsace |
| to create Samy-style XSS worms. Some can't. Some are third-party Myspace skinning bugs. Some allow unauthorized access to other people's profiles. At least one can be used to do something like this: http://news.google.com/news?hl=en&ned=&q=mccain+myspace&btnG=Search+Newsf) We don't believe we're the only people who |
|
|
| HTTP_REFERER XSS Exploit Explained |
| Published: June 20, 2007, 12:09 pm |
| Tags: Web Development, Defensive, Escaping, Exploits, F Open, Html, Javascript, Login, Php, Programming, Redirect, Script, Security, Vulnerability, Xss |
| code that goes like this: XSS exploit field value ?return_url='"/> <script type="text/javascript">alert('XSS');</script> <input type="text" value="vulnerable to XSS Of course, the value after ?return_url= has to be urlencoded. The result is closing the hidden field, adding some javascript inside the code which alerts |
|
|
| Reverse SEO: Kill The Competition And Fill The Void |
| Published: April 14, 2008, 5:57 am |
| Tags: Evil Seo, Seo Trends, Sql Injection, Xss, Seo Hackers, Hacking, Seo |
| technique is often called XSS (cross-site scripting) by the SEO community, but it is more properly recognised as plain HTML Injection. For a basic discussion of XSS see the Wikipedia entry. Increasingly, rivals are undermining each other's search engine optimization efforts and page rankings by exploiting web application vulnerabilities |
|
|