Twitter + XSS = Not Good

Just so everyone knows, this post is going to be really techy.

Oh, so there is/was this Twitter XSS problem over the last few days. XSS is cross-site scripting, i.e. getting your own script to run on someone else's site. It can be used for a ton of different things, like stealing passwords, sending spam, and quite a few other things.

It seems like Twitter's problem was that they weren't sanitizing the data they were given before putting it into the page. Twitter was made with RoR, something I haven't used, but I'm assuming there is something built in to sanitize data. PHP has functions for this too: strip_tags() removes HTML tags, and htmlspecialchars() escapes a string so that the browser treats it as plain text rather than as markup.

Anyway, here are links to the different versions of the JS that was used. They give great insight into how these things work. First version / Last version (at the time of writing). Anyway, I've never written any JS before. I've done Java, though, so a lot of it makes sense. I can walk through most of it and explain what is going on.

If you're wondering how it spreads just by viewing someone's tweets, check out either line 104 in the first version or line 108 in the last version. That script is being inserted and sent to the browser as HTML because it is not sanitized.
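To make the "not sanitized" point concrete, here is an added example (my own code, not the worm's script and not Twitter's code) covering both the sanitizing question above and the way a tweet's text ends up as live HTML. It is a tiny tweet renderer: renderTweetUnsafe() concatenates tweet text straight into markup, renderTweetSafe() HTML-escapes it first, and findActiveContent() is a rough regex check for a script tag or an on* event handler in the rendered output. The two tweets, the user names and the worm.js URL are all constructed for the example; they are not the real payload. The second tweet goes a bit beyond the post by showing the attribute-context variant of the same bug, where a stray quote in the user name lets an onmouseover handler in.

```javascript
// Added example (not code from the original post or from Twitter): a tiny
// tweet renderer that reproduces the bug class behind the worm, the escaped
// version that fixes it, and a rough "does this markup carry script?" check.
// All tweet text here is constructed for the example, not the real payload.

// Escape the characters that let untrusted text break out of an HTML text
// node or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the user name and tweet text are concatenated straight into
// markup, which is what "not sanitized" means in practice. Anything the
// tweet contains becomes part of the page's HTML.
function renderTweetUnsafe(tweet) {
  return '<div class="tweet" data-user="' + tweet.user + '">' +
         tweet.text + '</div>';
}

// Hardened: every untrusted value is escaped before it lands in the markup,
// so "<script>" reaches the browser as "&lt;script&gt;" (text, not a tag)
// and a stray quote cannot close the data-user attribute.
function renderTweetSafe(tweet) {
  return '<div class="tweet" data-user="' + escapeHtml(tweet.user) + '">' +
         escapeHtml(tweet.text) + '</div>';
}

// Rough check (regexes, not a real HTML parser; enough for this example):
// returns a list of findings, one for each <script> tag and each on* event
// handler attribute found on any tag. The template itself never emits either.
function findActiveContent(html) {
  const findings = [];
  const tagRe = /<(\w+)([^>]*)>/g;
  const attrRe = /([\w-]+)\s*=\s*"[^"]*"/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const [, name, attrs] = tag;
    if (name.toLowerCase() === 'script') findings.push('script tag');
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(attrs)) !== null) {
      if (/^on/i.test(attr[1])) findings.push(name + ' ' + attr[1].toLowerCase());
    }
  }
  return findings;
}

// Constructed tweets (hypothetical). The first injects a tag into the text
// context; the second breaks out of the attribute context with a quote and
// adds an event handler that fires just by hovering over the rendered tweet.
const scriptTweet = {
  user: 'alice',
  text: 'hello <script src="http://example.invalid/worm.js"></script>',
};
const hoverTweet = {
  user: 'bob" onmouseover="alert(document.cookie)',
  text: 'hover me',
};

// Render both tweets both ways and report what the check finds in each.
function demo() {
  return {
    unsafeScript: findActiveContent(renderTweetUnsafe(scriptTweet)),
    safeScript: findActiveContent(renderTweetSafe(scriptTweet)),
    unsafeHover: findActiveContent(renderTweetUnsafe(hoverTweet)),
    safeHover: findActiveContent(renderTweetSafe(hoverTweet)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node and the unsafe renderer reports a script tag for the first tweet and a div onmouseover for the second, while the escaped renderer reports nothing for either. The point of the second tweet is that escaping only the angle brackets is not enough: the quote has to be escaped as well, or the attribute context is still open.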

Pretty interesting.
