Real-World XSS Attacks
The features that make stored XSS vulnerabilities potentially very serious are evident in real-world examples of exploitation in the wild.

Web mail applications are inherently at risk of stored XSS attacks, because of the way they render email messages in-browser when viewed by the recipient. Emails may contain HTML-formatted content, and so the application is effectively copying third-party HTML into the pages that it displays to users. If an attacker can send a victim an HTML-formatted email containing malicious JavaScript, and if this does not get filtered or sanitized by the application, then the victim’s web mail account may be compromised solely by reading the email.

Applications like Hotmail implement numerous filters to prevent JavaScript embedded within emails from being transmitted to the recipient’s browser. However, various bypasses to these filters have been discovered over the years, enabling an attacker to construct a crafted email that succeeds in executing arbitrary JavaScript when viewed within the web mail application. Because any user reading such an email is guaranteed to be logged in to the application at the time, the vulnerability is potentially devastating to the application.
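The defensive counterpart to the filtering the text describes is an allowlist sanitizer: rather than trying to recognise and block "bad" constructs (the approach whose bypasses the text mentions), the application keeps only a fixed set of harmless tags and attributes and drops everything else, including inline script, event-handler attributes and non-http(s) link targets. The example below is an added illustration for this section, not code from the book or from any real web mail product; the tag and attribute lists, the `SAFE_URL_SCHEMES` tuple and the constructed email body are assumptions chosen for the demonstration. The same logic applies to user-supplied profile HTML. Production code should use a maintained sanitizer such as bleach or DOMPurify, which cover many more edge cases.

```python
"""Allowlist HTML sanitizer for untrusted third-party HTML (an email body,
a profile page) before the application copies it into a page it serves.
Added illustration, not the book's or any real product's code; the
allowlists below are assumptions for the example."""
from html import escape
from html.parser import HTMLParser

# Tags that may survive; any other tag is dropped but its text is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li"}
# Per-tag attribute allowlist. No on* event handlers, no style, no src.
ALLOWED_ATTRS = {"a": {"href"}}
# Tags whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}
# Only these URL schemes are accepted in href (javascript:, data: etc. fail).
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: entities are decoded before we inspect them,
        # so an encoded scheme such as &#106;avascript: is seen as javascript:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, closed in order
        self.skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue          # drops onerror=, style=, src=, ...
            if name == "href":
                # Browsers ignore embedded whitespace/newlines in the scheme,
                # so strip all whitespace before the allowlist check.
                cleaned = "".join((value or "").split())
                if not cleaned.lower().startswith(SAFE_URL_SCHEMES):
                    continue
                value = cleaned
            kept.append((name, value))
        attr_text = "".join(
            ' %s="%s"' % (n, escape(v, quote=True)) for n, v in kept)
        self.out.append("<%s%s>" % (tag, attr_text))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close anything opened after it too, so output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        # Text is re-escaped on output, so decoded entities cannot become markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close tags the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(untrusted_html):
    """Return a version of untrusted_html containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()


# Constructed sample email body (not a real message); x() stands for any
# attacker-supplied script.
CONSTRUCTED_EMAIL = (
    '<p>Hi <b>there</b>,</p>'
    '<script>x()</script>'
    '<p><img src=x onerror="x()">'
    '<a href="javascript:x()">click</a> '
    '<a href="https://example.com/">ok</a></p>'
)

if __name__ == "__main__":
    print(sanitize_html(CONSTRUCTED_EMAIL))
```

Running the block prints the sanitized body: the `<script>` element and its content are gone, the `<img>` with its `onerror` handler is gone, the `javascript:` link survives only as a bare `<a>`, and the `https:` link keeps its `href`. Because the allowlist decides what is kept, a construct the filter author never anticipated is dropped by default instead of slipping through.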
The social networking site MySpace was found to be vulnerable to a stored XSS attack in 2005. The MySpace application implements filters to prevent users from placing JavaScript into their user profile page. However, a user called Samy found a means of circumventing these filters, and placed some JavaScript into his profile page. The script executed whenever a user viewed this profile and caused the victim’s browser to perform various actions with two key effects. First, it added the perpetrator as a “friend” of the victim. Second, it copied the script into the victim’s own user profile page. Subsequently, anyone who viewed the victim’s profile would also fall victim to the attack. To perform the various requests required, the attack used Ajax techniques (see the “Ajax” sidebar at the end of this section). The result was an XSS-based worm that spread exponentially, and within hours the original perpetrator had nearly one million friend requests, as shown in Figure 12-6.

As a result, MySpace was obliged to take the application offline, remove the malicious script from the profiles of all their users, and fix the defect in their