Update: You may also want to look at: MySpace Hack: How To View Any Users Private Videos.

Recently Samy [samy at namb dot la] released a worm ("Samy worm" or "JS.Spacehero worm") on MySpace, a popular social networking platform like Friendster. It caused him to be added as a hero to millions of MySpace users' profiles ("but most of all, samy is my hero.") and added as their friend, all without their explicit permission.

After it flooded the network, MySpace stepped in and fixed the hole. Samy is still "hero" to millions of MySpace users in their profiles.

The purpose of this article is to highlight the security issues exposed by this worm. They are definitely not limited to MySpace alone, and the worm propagated not because of any fault of MySpace's but because of a fault in browsers like Internet Explorer. The same flaw is waiting to be exploited in several other web applications of a similar nature, like Ryze or LinkedIn. In the remainder of this article I will summarize the modus operandi of his script and suggest ways to protect your web application against such attacks.

Samy used AJAX to add himself as a friend and hero when users visited his page. This requires JavaScript to be executed in the browser, which does the dirty work.

MySpace dutifully eliminates JavaScript from the user's HTML (which becomes their profile). However, Samy disguised the word javascript with an embedded newline: "java\nscript".

MySpace doesn't allow script tags. So he embedded his JavaScript in CSS: style="background:url('javascript:eval(document.all.mycode.expr)')"

AJAX can fetch documents from the same domain (or sub-domain) only. So if the user was on profile.myspace.com, he moved them to www.myspace.com, which provides the same information but allows him to be added as a friend:
if (location.hostname == 'profile.myspace.com') document.location = 'http://www.myspace.com' + location.pathname + location.search;

After overcoming a trivial hash issue he adds his code and the text "but most of all, samy is my hero." to the user's profile. This causes the worm to propagate not only when users visit his page but also when they visit the profile of any infected user. Yes, simple exponential spreading.

Samy provides detailed notes and code for his exploit, published after the exploit was filtered / stopped by MySpace.

How can you protect your web application from such attacks?
First and foremost, I assume you already have filtering in place, as MySpace did, removing script tags, javascript: URLs and the like. However, that is obviously not enough; not even close.
Your tag filtering should be intelligent enough to recognize words split by newlines, as shown above.
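Applying the filtering advice above, here is an added example (my own code, not MySpace's filter and not taken from Samy's notes): an attribute-level scanner that deletes the whitespace and control characters a browser ignores from every attribute value before checking it, so the newline-split "java\nscript" is caught where a literal substring check is not. The sample profile fragments are constructed for the demonstration.

```javascript
// Browsers skip whitespace and C0 control characters when parsing a URL
// scheme, so delete them before matching: "java\nscript" becomes "javascript".
function normalizeValue(value) {
  return value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
}

// Literal substring check: the kind of filter the newline trick walks past.
function naiveFilterFlags(html) {
  return /<script|javascript/i.test(html);
}

// Toy tokenizers for the demonstration; a production filter should use a real
// HTML parser and allow-list tags and attributes instead of pattern matching.
const TAG_RE = /<([a-z][\w:-]*)([^>]*)>/gi;
const ATTR_RE = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

function scanAttribute(rawName, rawValue) {
  const name = normalizeValue(rawName);
  const value = normalizeValue(rawValue);
  if (name.startsWith('on')) return 'event handler attribute';
  if (value.startsWith('javascript:')) return 'javascript: URL';
  // The worm's hiding place: a javascript: URL inside a CSS url() value.
  if (name === 'style' && /url\(['"]?javascript:/.test(value)) {
    return 'javascript: URL inside CSS url()';
  }
  return null;
}

// One finding per dangerous tag or attribute; an empty array means clean.
function findDangerousMarkup(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const tagName = tag[1].toLowerCase();
    if (tagName === 'script') {
      findings.push({ tag: tagName, attr: null, reason: 'script tag' });
      continue;
    }
    for (const a of tag[2].matchAll(ATTR_RE)) {
      const reason = scanAttribute(a[1], a[2] ?? a[3] ?? a[4] ?? '');
      if (reason) findings.push({ tag: tagName, attr: a[1].toLowerCase(), reason });
    }
  }
  return findings;
}

// Constructed samples: the disguise described in the post, and a benign profile.
const WORM_STYLE = '<div style="background:url(\'java\nscript:eval(document.all.mycode.expr)\')">';
const BENIGN = '<div style="background:url(\'/img/bg.png\')"><a href="http://www.myspace.com/">me</a></div>';
```

naiveFilterFlags(WORM_STYLE) returns false while findDangerousMarkup(WORM_STYLE) reports the style attribute; the same normalization catches tabs and other control characters, not just newlines.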

Other users' profiles (or any user-supplied HTML content) should be viewable only from a separate sub-domain.

Any action like adding a link, friend, connection etc. must be done from pages which can never contain any other user's code. If you provide a link, while one user is viewing another's profile, to add that person as a friend, then on clicking it you take the user to a separate page where he gets to edit information about his friend and add him after confirmation. This page should not contain any HTML content from the user being added.

In essence, we need to capitalize on the AJAX security model, the same-origin restriction, which prevents script served from a different site from executing actions on yours.