Ben Cantrick (mackys) wrote,

"ANTLR is a big topic, so this is a big article." - ANTLR is a programming language parser/lexer written in Java.

"So What is a Direct-Threaded, Register-Based, Bytecode Interpreter Anyway?" An introduction to SquirrelFish, Apple's fast new JavaScript interpreter.

And speaking of JScript...

The XSS Vulnerability

The Links you can add to your profile weren't escaped properly. Angle brackets (<) were stripped from the URL, but quotation marks were not. This allowed a very simple hack: I could just enter something resulting in the following HTML on my profile page:

<a href="" onmouseover="evilscript();" rel="me">FooBar</a>

Of course, this is only a tiny link on my profile page. How big is the chance for someone to mouse over it? Well, this was easily fixed with some CSS styles in my URL:

style="z-index:999999; position:absolute; top:0; left:0; font-size:200pt; text-decoration:none;"

Note the text-decoration:none; - this allowed me to enter something like     as the link description, resulting in an invisible layer floating above all the content (screenshot with visible characters instead of blanks). My Javascript code was executed as soon as someone visits the page. Perfect!

How many more reasons do you need to surf with JavaScript disabled by default? (Did this not convince you?)
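As an added example (not code from the original post or from the quoted writeup), here is the bug in miniature: a renderer that only strips angle brackets, next to a hardened one that attribute-encodes the URL and allows only absolute http(s) links, plus a small parser-based check that detects an anchor that has grown an event-handler or style attribute. The sample URLs are constructed; the profile-link markup and the `rel="me"` attribute are taken from the post.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample inputs. ATTACKER_URL is the attribute-breaking value the
# post describes; TRICKY_URL carries the same quotes inside an otherwise
# valid https link; SAFE_URL is an ordinary profile link.
ATTACKER_URL = '" onmouseover="evilscript();'
TRICKY_URL = 'https://example.com/?q=" onmouseover="evilscript();'
SAFE_URL = "https://example.com/~user"

ALLOWED_SCHEMES = {"http", "https"}


def render_link_weak(url, text="FooBar"):
    """Mirrors the flawed filter from the post: angle brackets are stripped,
    quotation marks are left alone, so the value can close the href attribute."""
    cleaned = url.replace("<", "").replace(">", "")
    return f'<a href="{cleaned}" rel="me">{text}</a>'


def render_link_hardened(url, text="FooBar"):
    """Reject anything that is not an absolute http(s) URL, then
    attribute-encode both the URL and the link text before interpolating."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("profile link must be an absolute http(s) URL")
    safe_url = html.escape(url, quote=True)    # quote=True turns " into &quot;
    safe_text = html.escape(text, quote=True)
    return f'<a href="{safe_url}" rel="me">{safe_text}</a>'


class _AnchorAttrs(HTMLParser):
    """Collects the attribute names of every <a> tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.extend(name.lower() for name, _ in attrs)


def anchor_attributes(rendered):
    """Return the attribute names the browser would see on the anchor."""
    parser = _AnchorAttrs()
    parser.feed(rendered)
    return parser.attrs


def has_injected_attributes(rendered):
    """True if the rendered anchor carries an on* handler or a style attribute,
    i.e. the user-supplied value escaped the href attribute."""
    return any(a.startswith("on") or a == "style" for a in anchor_attributes(rendered))


if __name__ == "__main__":
    weak = render_link_weak(ATTACKER_URL)
    print(weak, anchor_attributes(weak))                  # href, onmouseover, rel
    hard = render_link_hardened(TRICKY_URL)
    print(hard, anchor_attributes(hard))                  # href, rel
    try:
        render_link_hardened(ATTACKER_URL)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is parser-based rather than a substring search on purpose: the hardened output still contains the text `onmouseover=` inside the encoded href value, and only an HTML parser can tell the difference between a value and an attribute. Stripping one character class is never a substitute for encoding for the context the value lands in; here that context is a double-quoted attribute.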
Tags: reddit