Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
New 0-day Myspace XSS
Posted by: Fugitif
Date: May 21, 2009 04:35PM

hi
what about this new xss on myspace.com :)



http://www.youtube.com/watch?v=tTkOPxv9L4M


more screenshot and poc

http://nemesis.te-home.net/News/20090521_Myspace_Critical_XSS_Bugs.html

Options: ReplyQuote
Re: New 0-day Myspace XSS
Posted by: PaPPy
Date: May 21, 2009 06:06PM

wow thats so easy, but it seems fixed...
but IE7 works....

http://www.xssed.com/archive/author=PaPPy/



Edited 1 time(s). Last edit at 05/21/2009 06:11PM by PaPPy.

Options: ReplyQuote
Re: New 0-day Myspace XSS
Posted by: Spyware
Date: May 22, 2009 06:20PM

0-day? I doubt it.

Options: ReplyQuote
Re: New 0-day Myspace XSS
Posted by: marluxia
Date: May 25, 2009 05:50AM

funnily enough the myspace session identifier cookie (USER) is protected with HttpOnly, so cookie theft is pretty much useless :(((((((((((((

Options: ReplyQuote
Re: New 0-day Myspace XSS
Posted by: PaPPy
Date: May 25, 2009 08:00AM

i havent tried but could you do CSFR?

http://www.xssed.com/archive/author=PaPPy/

Options: ReplyQuote
Re: New 0-day Myspace XSS
Posted by: Anonymous User
Date: May 25, 2009 09:47AM

Cross Site Fequest Rorgery?

Options: ReplyQuote
Re: New 0-day Myspace XSS
Posted by: Kyo
Date: May 25, 2009 10:58AM

you could also try grabbing data from form autocomplete functions

Options: ReplyQuote
Re: New 0-day Myspace XSS
Posted by: PaPPy
Date: May 25, 2009 01:21PM

thats funny mario, as i was typing it i corrected myself incorrectly
my bad, it was pre-morning caffeine

http://www.xssed.com/archive/author=PaPPy/

Options: ReplyQuote
Re: New 0-day Myspace XSS
Posted by: Anonymous User
Date: May 25, 2009 04:43PM

Hehe no worries - just kidding ;)

Options: ReplyQuote


Sorry, only registered users may post in this forum.