Sunday, July 4, 2010

XSS on YouTube

I just wrote a mail to the Google security team, but I'm sure they're aware of it already anyway. I was telling them about an HTML injection attack on YouTube that's going on. Apparently comments aren't properly escaped, so this will actually put a marquee on the page:

<script>IF_HTML_FUNCTION?<marquee><b>Woot!<script>



Supposedly, this XSS attack works too, but I couldn't confirm it:

<script>IF_HTML_FUNCTION?<body onload="while(1){ alert('Woot!'); }"><script>

Edit: Reddit has a good discussion on it.
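
The two comment strings quoted above, run through two comment renderers, as an added example that is not part of the original post and is not YouTube's code. `renderCommentDenylist`, `renderCommentEscaped` and the other names are hypothetical; the denylist filter is an assumed weak design shown only for contrast with output encoding.

```javascript
// Added example. Both renderers are hypothetical; neither is YouTube's code.

// The two comment strings quoted in the post.
const PAYLOADS = [
  `<script>IF_HTML_FUNCTION?<marquee><b>Woot!<script>`,
  `<script>IF_HTML_FUNCTION?<body onload="while(1){ alert('Woot!'); }"><script>`,
];

// Weak (assumed design): a denylist that removes only <script> tags.
// Every other element and event-handler attribute passes through untouched.
function renderCommentDenylist(comment) {
  const stripped = comment.replace(/<\/?script\b[^>]*>/gi, "");
  return `<div class="comment">${stripped}</div>`;
}

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Hardened: encode every HTML metacharacter at output time, so the comment
// can only ever be rendered as text, whatever tags it names.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

function renderCommentEscaped(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Rough check: tag names that would still open inside the comment wrapper.
function liveTags(html) {
  const body = html.replace(/^<div class="comment">/, "").replace(/<\/div>$/, "");
  return [...body.matchAll(/<\s*([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
}

// Runs both quoted strings through a renderer and lists the surviving tags.
function audit(render) {
  return PAYLOADS.map((p) => liveTags(render(p)));
}

console.log("denylist:", audit(renderCommentDenylist));
console.log("escaped: ", audit(renderCommentEscaped));
```

The denylist leaves `marquee`, `b` and `body` as live markup, while the encoded output contains no tags at all.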
