When will people learn? “Escaping” is the devil!

So MySpace.com gets knocked down by some Javascript hacking. XSS.

Here is the technical description of the exploit: link.

Here is the interview with the author of the code that took down the site: link

How did this happen? HTML, with JavaScript embedded in its tags, creates a complex environment where it is difficult to keep user-generated input (the source of the security issue) from seeping into the rest of the system. The author used simple escaping hacks to work around MySpace's attempts at filtering.

Escaping is the devil.

When a system is so complex that there are 3 different ways to escape something, you will find that not everyone has the same level of compliance or security.
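The point above, as an added example that is not from the post: the same untrusted string lands in three contexts (HTML text, a JavaScript string literal, a URL parameter), each needs its own encoder, and an encoder meant for one context does not hold in another. The function names and the context checks are this example's own, in plain JavaScript.

```javascript
// Added example (not from the post): one untrusted string, three output
// contexts, three different encoders. Function names are this example's own.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML text or a quoted attribute: entity-encode the markup-significant characters.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// JS string literal inside <script>: \uXXXX-encode every non-alphanumeric, so
// quotes, backslashes, line breaks and "</script>" can never end the literal.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Query-string parameter: percent-encoding as defined for URL components.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Did the encoded value stay inside its context? Each context has its own test.
function staysInContext(encoded, context, original) {
  switch (context) {
    case 'html':      // nothing may survive that opens a tag or closes a quoted attribute
      return !/[<>"']/.test(encoded);
    case 'jsString':  // must parse back as ONE literal equal to the input (JSON is a
      try {           // subset of JS literal syntax) and must not contain < or >
        return JSON.parse('"' + encoded + '"') === original && !/[<>]/.test(encoded);
      } catch (e) { return false; }
    case 'urlParam':  // must decode to the input with no parameter/path delimiters left
      return decodeURIComponent(encoded) === original && !/[&=#?\/\s]/.test(encoded);
    default: throw new Error('unknown context ' + context);
  }
}

// Constructed input containing every breakout character the three contexts care about.
const SAMPLE = 'Tom "O\'Brien" <b>\\ & co\n';

function demo(input = SAMPLE) {
  return {
    // the right encoder for each context
    html:     staysInContext(encodeForHtml(input), 'html', input),
    jsString: staysInContext(encodeForJsString(input), 'jsString', input),
    urlParam: staysInContext(encodeForUrlParam(input), 'urlParam', input),
    // two mismatches: HTML entities leave backslash and newline alive in a JS
    // literal; percent-encoding leaves the single quote alive in HTML
    htmlEncoderInJsString: staysInContext(encodeForHtml(input), 'jsString', input),
    urlEncoderInHtml:      staysInContext(encodeForUrlParam(input), 'html', input),
  };
}
```

The three `true` values show each encoder holding in its own context; the two `false` values are exactly the "wrong escaping for this context" mistake that lets filtered input seep through.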

(As a side note, is it just me, or do the years before all computers were connected as one, The Internets… do those years appear as a blur of darkness? I mean, here is an interview with the guy who took down a site. I barely exerted any effort to find this information. In the dark times, this was not possible.)
