Looks like 2007 improved XSS awareness in the "mainstream" media outlets too.
The Register recently published a report about the Orkut XSS worm. It's not the first time (here's a list of XSS worms, and some had already hit The Register's columns), but the level of understanding is visibly getting better. This is clearly good, because XSS worms are becoming more and more common. While at this moment we mainly see prankish demonstrations, like this nice hi5.com Xmas gift by my friend Sirdarckcat, we should all be worried about how easy and quick it is to find and exploit this kind of web application flaw, and be ready for the real scams that are unavoidably coming (like this), thanks to the growing importance of so called "Web 2.0 social networks" and other web services in our private and business lives.

The Register has also "discovered" Flash-based XSS, something that is surely old news in our circles: as you may remember, Sirdarkcat's attack on RSnake was based on that.

The good news is that you, dear NoScript user, are already immune to both the aforementioned XSS worms, which are based on cross-site XBL (something which is also mitigated by Firefox 3) and, more generally, on 3rd party script inclusion.
Even better, you're also protected against Flash-based XSS, including RSnake's kind, in the NoScript default configuration: the latest NoScript, in fact, won't run Flash applets (and other plugins), even if hosted on trusted sites, when they're embedded or linked from an untrusted site. In other words, it prevents browser plugins from being exploited for XSS in its very definition: the embedding page and the plugin's own origin must both be trusted.

java&
#x73;cript:
\u0061\u006c\u0065\u0072\u0074\u0028\u0022
\u0048\u0061\u0070\u0070\u0079 " + 0x07D8)
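The title above is an obfuscated javascript: URL (an HTML entity in the scheme, unicode escapes in the code, and 0x07D8 is 2008). As an added example, not code from this post or from NoScript, here are the defensive checks a web application would apply to user-supplied URL and CSS values for the two vectors discussed here: normalising a URL attribute the way a browser does before looking at its scheme, and normalising CSS (escapes, comments) before looking for -moz-binding and similar script-bearing properties. The last function models the NoScript rule described above (both the embedding page and the plugin source must be trusted) as I read it; it is an assumption about the policy, not NoScript's implementation. All sample inputs are constructed.

```python
"""Defensive normalisation for javascript: URLs and script-bearing CSS.

Added example; not code from the post or from NoScript.
"""
import html
import re
from urllib.parse import urlsplit

SAFE_URL_SCHEMES = {"http", "https", "mailto"}

# NUL through space: the URL parser strips these at both ends of the value.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def normalize_url_value(value: str) -> str:
    """Apply the decoding a browser applies to an href/src attribute."""
    decoded = html.unescape(value)            # one pass of entity decoding: java&#x73;cript -> javascript
    decoded = decoded.strip(_C0_AND_SPACE)    # leading/trailing controls and spaces
    return re.sub(r"[\t\n\r]", "", decoded)   # tab, LF and CR are dropped anywhere


def url_scheme(value: str):
    """Lower-cased scheme of the normalised URL, or None for relative URLs."""
    m = _SCHEME.match(normalize_url_value(value))
    return m.group(1).lower() if m else None


def is_safe_url(value: str) -> bool:
    """Allow-list check: relative URLs and http/https/mailto only."""
    scheme = url_scheme(value)
    return scheme is None or scheme in SAFE_URL_SCHEMES


_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A backslash escape is either 1-6 hex digits (plus optional whitespace) or any single char.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))", re.S)
_CSS_DANGEROUS = re.compile(
    r"-moz-binding\s*:|\bbehavior\s*:|expression\s*\(|@import|"
    r"url\s*\(\s*['\"]?\s*(?:javascript|data)\s*:"
)


def _unescape_css(m):
    if m.group(1):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return m.group(2)


def normalize_css(style: str) -> str:
    """Strip comments and resolve escapes in one pass, so -moz-bin\\64 ing reads as -moz-binding."""
    return _CSS_ESCAPE.sub(_unescape_css, _CSS_COMMENT.sub("", style)).lower()


def find_dangerous_css(style: str):
    """Return the script-bearing constructs found in a user-supplied style value."""
    return [m.group(0) for m in _CSS_DANGEROUS.finditer(normalize_css(style))]


def plugin_allowed(top_url: str, plugin_url: str, trusted_hosts) -> bool:
    """Plugin embedding rule as I read the post (assumption, not NoScript's code):
    run the plugin only if the embedding page AND the plugin's host are both trusted."""
    embedder = urlsplit(top_url).hostname
    source = urlsplit(plugin_url).hostname
    return embedder in trusted_hosts and source in trusted_hosts


if __name__ == "__main__":
    # Constructed samples.
    for url in ["java&#x73;cript:alert('Happy ' + 0x07D8)", " jav\tascript:alert(1)",
                "https://noscript.net/", "/relative/path"]:
        print(repr(url), "->", url_scheme(url), "safe" if is_safe_url(url) else "BLOCK")
    print(find_dangerous_css(r"color: red; -moz-bin\64 ing: url(http://evil.example/x.xml#xss)"))
    trusted = {"trusted.example"}
    print(plugin_allowed("http://trusted.example/", "http://trusted.example/p.swf", trusted))
    print(plugin_allowed("http://untrusted.example/", "http://trusted.example/p.swf", trusted))
```

The URL check is an allow-list on purpose: enumerating every spelling of javascript: is a losing game, so the code decodes once like the browser does and then asks whether the resulting scheme is one the application actually wants. The CSS check decodes escapes in a single pass rather than iteratively, which matches how a CSS tokenizer behaves and avoids rewriting a decoded backslash a second time.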

8 Responses to “Merry XssMas”

  1. #1 sirdarckcat says:

    Happy 2008!!

    Santa has 110 friends!! and they are all infected, it's going pretty slow..

    and yeah :P Santa is not as hot as sammy, but this worm wishes you merry christmas every 3 seconds, that's cool isn't it?

    btw I think I found a way of bypassing reCaptcha... awezome..

  2. #2 Mads Dam says:

    Hi, I just noticed hackademix.net after the latest update of NoScript.

    I've barely begun reading it, so I have no comments yet, only a single question:

    You're Italian, but your IP location seems to be Danish..?

    (My own IP-location is also Denmark, but then again, I live there.)

    How can geolocation be that MUCH off, I'm puzzled. Could you enlighten me..?

    Regards Mads Dam

  3. #3 Giorgio says:

    @sirdarkcat:
    Nice, it's been a while since I started entertaining the idea of replacing ReCaptcha (the IFRAME-based fallback is a bit cumbersome), but I've got no time at all :(

    @Mads Dam:
    Geolocation is telling the truth.
    It's a small world, and it's good placing servers here and here, when you can: you never know, calamities, wars... happy 2008!

  4. #4 Mads Dam says:

    Thanks for the geolocation-answer; now I'm less puzzled.

    I have blog-like section on my site, and I have just recommended NoScript.
    Is it ok to include the NoScript logo (http://noscript.net/noscript/logo.png)

    The blog I'm referring to is here: http://blog.madsdam.net

    Merry NewYear!

  5. #5 Giorgio says:

    @Mads Dam:
    no problem with the logo.
    Cheers :)

  6. #6 yawnmoth says:

    I'm trying to get this particular vector working and am having some difficulty.

    http://www.frostjedi.com/terra/scripts/demo/moz-binding.php

    Any ideas as to why that's not working?

  7. #7 Giorgio says:

    @yawnmoth:
    Yes, cross-site -moz-binding support (including data: URLs from non-chrome: origins) has been removed from the final Firefox 3.0 release.

  8. #8 yawnmoth says:

    Oh. Well... I guess that explains it, then, heh. Honestly, I've not, yet, seen a legit use of -moz-binding, be it cross-site or otherwise.
