fromCharCode(34))
3. The word innerHTML was also filtered by MySpace, which was needed by
Samy to post code on the profile of the user who was currently viewing the
page. To get around this filtering, Samy used eval(), which evaluates a string
as JavaScript code; combined with string concatenation, it lets two string
fragments be joined and then executed as one. For example, the following
JavaScript eval code will display the number 1208 by evaluating a string that
assigns a and b and adds them:
alert(eval("a=1100; b=108; (a+b); "));
The same method can be applied to combine two string values to bypass
filters. Samy used this method to combine the words inne and rHTML,
as shown below in a snippet of Samy's code:
alert(eval('document.body.inne' + 'rHTML'));
4. The word onreadystatechange was also filtered by MySpace, which was needed
by Samy to use an XMLHTTPRequest to get the user's browser to make HTTP
GET and POST requests. To get around this filtering, Samy again used the
eval() function, as shown next in a snippet of Samy's code. Notice how
eval() is used to combine xmlhttp.onread and ystatechange = callback:
eval('xmlhttp.onread' + 'ystatechange = callback');
From these input filtering bypass actions, Samy was able to perform the following
malicious JavaScript functions on MySpace:
• Execute JavaScript
• Use double quotes by converting decimal to ASCII
• Use innerHTML with eval(), allowing code to be posted on a user's profile
• Use onreadystatechange with eval(), forcing the user's browser to make
HTTP GET and POST requests with XML-HTTP
After the input filters were bypassed by Samy to run the critical JavaScript functions,
how were those functions actually executed? One of the primary reasons why the Samy
worm was successful was that XMLHTTPRequest can silently execute GET and
POST requests on behalf of the user.
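The passages above show why a keyword blacklist is a weak control: the blacklisted word never appears in the raw input. The following added example (not code from the book, from Samy, or from MySpace; the token list and inputs are constructed) puts a naive blacklist beside a normaliser that reassembles the split tokens quoted in the text, and beside the mitigation that needs no keyword list at all, escaping profile text so the browser never parses it as markup.

```javascript
// Constructed blacklist of the kind the text describes; MySpace's real
// filter list is not given on the page.
const BLACKLIST = ['innerHTML', 'onreadystatechange'];

// Naive filter: substring match on the raw input. Returns true if allowed.
function naiveFilterAllows(input) {
  return !BLACKLIST.some(token => input.includes(token));
}

// Detection aid: collapse `'a' + 'b'` and `"a" + "b"` joins before matching,
// so a token split across two string literals is reassembled. This handles
// only the exact trick quoted in the text; other encodings (fromCharCode,
// unescape, comments inside the join) would each need their own rule, which
// is why a blacklist cannot be the primary defence.
function joinStringLiterals(src) {
  return src.replace(/(['"])\s*\+\s*\1/g, '');
}

function normalisedFilterAllows(input) {
  return naiveFilterAllows(joinStringLiterals(input));
}

// Mitigation: treat profile text as data, not markup. Every character with
// meaning to the HTML parser becomes an entity, so nothing in the text can
// open a tag, an attribute or a script, whatever keywords it contains.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, ch => map[ch]);
}

// Constructed inputs echoing the snippets quoted in the text.
const PLAIN = "eval('document.body.innerHTML')";
const SPLIT = "eval('document.body.inne' + 'rHTML')";
const SPLIT_XHR = "eval('xmlhttp.onread' + 'ystatechange = callback')";

for (const sample of [PLAIN, SPLIT, SPLIT_XHR]) {
  console.log(JSON.stringify(sample));
  console.log('  naive blacklist allows:      ', naiveFilterAllows(sample));
  console.log('  normalised blacklist allows: ', normalisedFilterAllows(sample));
  console.log('  escaped for HTML:            ', escapeHtml(sample));
}
```

The naive filter blocks only PLAIN and lets both split forms through; the normaliser catches the two split forms but only because it knows this one trick, while escapeHtml leaves every sample as inert text.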