XMLHTTPRequest POST was used to perform this action, which was again possible using item number 4 in the input filtering bypass section. Furthermore, while XMLHTTPRequest would restrict POSTs to profile.myspace.com because it is on a different domain, a profile can be reached using www.myspace.com/profile (where profile is the name of the user). Samy simply replaced profile.myspace.com with www.myspace.com and submitted the request. The following sample code was used by Samy to force-convert profile to www for the requested user:
var M=AS['friendID'];
// On the profile.myspace.com origin, send the browser to the same path on www.myspace.com
if(location.hostname=='profile.myspace.com'){
  document.location='http://www.myspace.com'+location.pathname+location.search
}
else{
  // Already on www.myspace.com: fetch the page data if no friendID is known yet
  if(!M){
    getData(g())
  }
}
Using these steps, Samy was able to perform the following malicious JavaScript functions on MySpace:
• Force the user's browser to perform GETs by XMLHTTPRequest
• Search the current source page of the user
• Force the user's browser to perform POSTs by XMLHTTPRequest
110 Hacking Exposed Web 2.0
These executed actions, combined with the input filtering bypass actions, allowed
Samy to do basically anything he wanted via JavaScript and AJAX (XMLHTTPRequest)
once a user visited his MySpace page.
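The redirect step above only makes sense in light of the browser's same-origin policy: profile.myspace.com and www.myspace.com are different origins (scheme, host and port must all match), so a script running on one cannot issue XMLHttpRequests to the other, but the same profile was reachable under both hosts. The following is an added example, not code from the book or from the worm, that models that rule so a defender can reason about which host a script must be on to reach a given endpoint. The `originOf`, `xhrAllowed` and `rewriteToWww` names and the sample URLs are constructed for illustration.

```javascript
// Added example: models the pre-CORS same-origin rule that shaped the
// host-rewrite step described above. Origin = scheme + host + port;
// sibling subdomains (profile. vs www.) are distinct origins.

function originOf(urlString) {
  const u = new URL(urlString);
  // u.port is '' for a scheme's default port, so explicit ":80" and no
  // port compare equal, as the browser treats them
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

// Would a classic (pre-CORS) XMLHttpRequest issued by a page at pageUrl be
// allowed to reach targetUrl? Only when the two origins are identical.
function xhrAllowed(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// Pure-function form of the host rewrite quoted above: a page at
// profile.myspace.com keeps its path and query under www.myspace.com.
// Returns null when the page is already on a different host, mirroring the
// else-branch in the quoted snippet.
function rewriteToWww(pageUrl) {
  const u = new URL(pageUrl);
  if (u.hostname !== 'profile.myspace.com') return null;
  return 'http://www.myspace.com' + u.pathname + u.search;
}

// Walk through the scenario with constructed URLs (not real MySpace paths).
function demo() {
  const profilePage = 'http://profile.myspace.com/someuser?x=1';
  const apiTarget = 'http://www.myspace.com/someendpoint';
  const before = xhrAllowed(profilePage, apiTarget);        // false
  const moved = rewriteToWww(profilePage);                  // www.myspace.com/someuser?x=1
  const after = xhrAllowed(moved, apiTarget);               // true
  return { before, moved, after };
}
```

The defensive lesson the model makes visible: splitting an application across subdomains is not a security boundary when the same content is also served from the main host, because a script that can move the browser to that host inherits its origin. The same-origin policy limits where a script can reach, not what an injected script can do once it is there, which is why the input-filtering bypasses discussed earlier are the root cause.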