NEWS FROM THE LAB - Tuesday, August 1, 2006

Why Not MySpace? Posted by SGMasood @ 15:09 GMT

After reading our post on Web Application Worms, XSS and social-networking sites, several bloggers have wondered why we didn't test MySpace, since that website's past security issues are what prompted our testing. Some even speculated whether one of the two sites we were talking about was MySpace.

Demetri Martin - The Daily Show

No, one of the two vulnerable sites was not MySpace. And, well, we did look at MySpace, though it was a quick and dirty test just like with the other sites and nothing comprehensive. What we found was that MySpace appears to have a lot of defenses in place for preventing XSS and those defenses seem to work pretty well. It might be a direct response to all the current attention the website is getting because of its recent security issues. It is good to see websites taking security seriously, but unfortunately we cannot say this about most websites we come across.

In the earlier post, we recommended that users should patch their machines and web developers should start coding secure applications. The truth is that patching and running antivirus software will protect users only when the XSS exploit (which can be a web application worm) also relies on a browser exploit. In most cases, patching and traditional security tools will not protect you from XSS exploits, because the injected script runs in a fully patched browser exactly as the site's own script would.

The only solution lies with the web developers and administrators. Their users' security is truly in their hands alone.

The guys over at SPI Dynamics have recently published an interesting paper and proof of concept that expands the limits of what's possible with JavaScript malware.