myspace.com).
He found a script injection in his MySpace page by inserting an HTML div element with
a background image into the "Heros" section of his profile page. Here's the script injection:
Note that the javascript protocol handler has a line break in it. Interestingly, IE
does not delimit words with line breaks, so this
java
script:alert(1)
is interpreted as javascript:alert(1) by IE. Thus, the preceding code executed
alert(1). Note that Samy placed something a little more elaborate than simply
alert(1) in the expr parameter. The actual attack code in the expr parameter is
discussed in the next section.
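The line-break trick above is what defeats a filter that looks for the literal string "javascript:". The following is an added example, not code from the book or from Samy's worm, that contrasts a naive substring filter with a check that canonicalizes the URL the way a browser does before deciding. The style string SAMPLE_STYLE is a constructed stand-in for an injected background-image declaration, not the actual MySpace payload, and the function names are my own.

```javascript
// Added example: a naive "javascript:" blocklist versus a canonicalizing check.
// Not from the book or from the Samy worm; SAMPLE_STYLE below is constructed.

// Naive filter: rejects a URL only if it literally contains "javascript:".
// The line-broken form "java\nscript:" slips straight through.
function naiveBlocksUrl(url) {
  return /javascript:/i.test(url);
}

// Canonicalize the scheme the way browsers do before they dispatch on it.
// IE, as the text describes, ignores the line break inside "java\nscript:";
// the WHATWG URL parser used by modern browsers likewise strips ASCII tab,
// CR and LF anywhere in a URL and leading control characters before parsing.
function canonicalScheme(url) {
  const stripped = url.replace(/[\t\r\n]/g, "").replace(/^[\x00-\x20]+/, "");
  const m = stripped.match(/^([a-z][a-z0-9+.-]*):/i);
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: allow-list http(s) and relative URLs; block any other scheme
// (javascript:, vbscript:, data:, ...) after canonicalization.
function hardenedBlocksUrl(url) {
  const scheme = canonicalScheme(url);
  return scheme !== null && scheme !== "http" && scheme !== "https";
}

// Pull every url(...) argument out of an inline style value. The dotAll flag
// lets the lazy match span the embedded newline in the line-broken scheme.
function extractStyleUrls(style) {
  const urls = [];
  const re = /url\(\s*(['"]?)(.*?)\1\s*\)/gis;
  let m;
  while ((m = re.exec(style)) !== null) urls.push(m[2]);
  return urls;
}

// Return the url() values in a style string that resolve to a scripting scheme.
function findScriptUrls(style) {
  return extractStyleUrls(style).filter(hardenedBlocksUrl);
}

// Constructed sample: a background image whose "URL" is the line-broken
// javascript: handler described in the text (hypothetical, not the real payload).
const SAMPLE_STYLE = "background:url('java\nscript:alert(1)')";

// Demonstration when run directly.
console.log("naive filter blocks it:   ", naiveBlocksUrl("java\nscript:alert(1)"));   // false
console.log("hardened filter blocks it:", hardenedBlocksUrl("java\nscript:alert(1)")); // true
console.log("offending url() values:   ", JSON.stringify(findScriptUrls(SAMPLE_STYLE)));
```

The design point is that the decision is made on the scheme the browser will actually see, not on the bytes the attacker typed, and that the surviving set is an allow-list (http, https, relative) rather than a blocklist of known-bad schemes.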
Samy initially placed the div element with the script injection in his MySpace page.
When a MySpace user visited Samy's page, that user would execute the attack code. The
attack code would automatically insert itself into the victim's profile page, so anyone
who visits any victimized profile page will become yet another victim. Needless to say,
the worm spread fast, infecting 1 million users in less than 20 hours.
WRITING THE ATTACK CODE
The attack code performed three main tasks.