The example script shown works on Internet Explorer. A slightly more
complicated script could be created that worked on all common browsers.
The MySpace worm, which exploited a stored XSS vulnerability, employed
Ajax techniques, and provides a useful example of the kind of complex operations
that can be carried out using this technology. The steps performed by the
worm’s payload included the following:
1. Parse the source code of the current page to extract the ID of the
MySpace user who is viewing it.
2. If the current page was issued by the domain profile.myspace.com,
switch the location to www.myspace.com with the same relative URL.
(The profile.myspace.com domain can only be used to view profiles,
while the www.myspace.com domain can also be used to add new friends
and perform other tasks. Because XMLHttpRequest can only be used to
make requests to the same domain that issued it, it is necessary to
switch domain before issuing requests to add friends.)
3. Parse the current page to extract the worm's own source code, and
URL-encode it.
4. Make a GET request to the user's Add Friend page to extract the
per-page token that it contains.