lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 16 Jul 2007 16:51:22 +0100
From: "Berend-Jan Wever" <berendjanwever@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: First cross-domain XSS worm (not)

Hi all,

I recently stumbled upon this;
http://ha.ckers.org/blog/20070709/nduja-cross-domainwebmail-xss-worm/
In short: It mentions a "new" kind of XSS worm; one that can infect multiple
domains. I attempted to reply but my reply mysteriously never made it to the
page. In an attempt to set the record straight on XSS worms, I'll post my
reply here:

(Cross-domain) XSS worms are much older than Samy or Nudja:
http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00122.html
It's been 5 years, I can see how you forgot about it. Samy and Nudja can
claim the prize for the first _publicly_released_ XSS worms, but they are
definately not the first of their kind. Also, it is a misconception to think
that worms can only exists because of Ajax; a worm can just as easily spread
without XMLHTTPRequest. I've been told that people saw XSS worms as early as
2000, but I have found no evidence to support this: let me know if you know
something.

Cheers,
SkyLined

-- 
Berend-Jan "SkyLined" Wever <berendjanwever@...il.com>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists