programming.reddit.com today. - Adventures in Engineering — LiveJournal
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2008-06-06 13:51
  Subject:   programming.reddit.com today.
Public
  Tags:  reddit

"ANTLR is a big topic, so this is a big article." - ANTLR is a parser/lexer generator written in Java.

"So What is a Direct-Threaded, Register-Based, Bytecode Interpreter Anyway?" An introduction to SquirrelFish, Apple's fast new JavaScript interpreter.

And speaking of JScript...

The XSS Vulnerability

The Links you can add to your profile weren't escaped properly. Angle brackets (<) were stripped from the URL, but quotation marks were not. This allowed a very simple hack: I could just enter something resulting in the following HTML on my profile page:

<a href="http://www.google.com" onmouseover="evilscript();" rel="me">FooBar</a>

Of course, this is only a tiny link on my profile page. How big is the chance for someone to mouse over it? Well, this was easily fixed with some CSS styles in my URL:

style="z-index:999999; position:absolute; top:0; left:0; font-size:200pt; text-decoration:none;"

Note the text-decoration:none; - this allowed me to enter something like     as the link description, resulting in an invisible layer floating above all the content (screenshot with visible characters instead of blanks). My JavaScript code was executed as soon as someone visits the page. Perfect!

http://www.phoboslab.org/log/2008/06/how-i-hacked-digg

How many more reasons do you need to surf with JavaScript disabled by default? (Did this not convince you?)
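An added example (my own code, not from the phoboslab post or from Digg) that models the bug exactly as the excerpt describes it: a renderer that strips angle brackets from the URL but leaves quotes alone, so the quoted href/onmouseover/style string lands in the page as separate attributes. It then shows two fixes, escape-only and escape plus an http(s) scheme allow-list; the second goes beyond the excerpt, since quoting alone still lets a javascript: URL through. Function names, PAYLOAD_URL (assembled from the attributes quoted above) and the small attribute extractor used as the check are assumptions of this example; the URL parsing is Node's built-in WHATWG URL class.

```javascript
// Added example, not code from the phoboslab post or this page. It models the
// Digg profile-link bug as the quoted excerpt describes it, plus two fixes.
// Names (renderLinkDiggStyle etc.) and PAYLOAD_URL are this example's own.

// Payload assembled from the attributes shown in the excerpt: no '<' or '>',
// so bracket stripping leaves it intact; the '"' closes the href value.
const PAYLOAD_URL =
  'http://www.google.com" onmouseover="evilscript();" ' +
  'style="z-index:999999; position:absolute; top:0; left:0; ' +
  'font-size:200pt; text-decoration:none;';

// The bug as described: strip angle brackets, leave quotes alone.
function renderLinkDiggStyle(url, label) {
  const stripped = String(url).replace(/[<>]/g, "");
  return `<a href="${stripped}" rel="me">${label}</a>`;
}

// Escape for an HTML attribute/text context. The quote escapes are what
// keep attacker-controlled text inside the href value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fix 1: escaping alone. Stops attribute injection, but still emits
// whatever scheme the user supplied, e.g. javascript:.
function renderLinkEscapedOnly(url, label) {
  return `<a href="${escapeHtml(url)}" rel="me">${escapeHtml(label)}</a>`;
}

// Fix 2: escaping plus a scheme allow-list via the WHATWG URL parser.
// Returns null for anything that does not parse as an http(s) URL.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.href;
}

function renderLinkSafe(url, label) {
  const href = safeHref(url);
  if (href === null) return `<span>${escapeHtml(label)}</span>`; // no link at all
  return `<a href="${escapeHtml(href)}" rel="me">${escapeHtml(label)}</a>`;
}

// Check helper: names of the double-quoted attributes on the first <a> tag.
// In correctly escaped output the injected text stays inside href's value.
function anchorAttributeNames(html) {
  const tag = /<a\b([^>]*)>/i.exec(html);
  if (!tag) return [];
  const names = [];
  const attr = /\s([a-zA-Z][\w-]*)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True if an event handler or style attribute escaped onto the anchor itself.
function hasInjectedAttribute(html) {
  return anchorAttributeNames(html).some((n) => n.startsWith("on") || n === "style");
}

function demo() {
  return {
    vulnerable: renderLinkDiggStyle(PAYLOAD_URL, "FooBar"),
    escapedOnly: renderLinkEscapedOnly(PAYLOAD_URL, "FooBar"),
    safe: renderLinkSafe(PAYLOAD_URL, "FooBar"),
    jsScheme: renderLinkEscapedOnly("javascript:alert(1)", "click"),
    jsSchemeSafe: renderLinkSafe("javascript:alert(1)", "click"),
  };
}

console.log(demo());
```

The vulnerable renderer reproduces the tag quoted in the excerpt attribute for attribute; the escape-only version keeps the payload as one long href value and so defeats the onmouseover trick, but only the scheme check stops a javascript: link. Rejecting instead of escaping the bad URL is a design choice: a profile link that does not parse as http(s) has no legitimate use, so dropping the href outright is simpler to reason about than trying to sanitize it.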