Update: You may also want to look at: MySpace Hack: How To View Any Users Private Videos.

Recently Samy [samy at namb dot la] released a worm ("Samy worm" or "JS.Spacehero worm") on MySpace, a popular social networking platform similar to Friendster. It caused millions of MySpace users to list him as a hero in their profiles ("but most of all, samy is my hero.") and to add him as their friend, all without their explicit permission.

After it had flooded the network, MySpace stepped in and closed the hole. Samy is still a "hero" in the profiles of millions of MySpace users.

The purpose of this article is to highlight the security issues exposed by this worm. They are definitely not limited to MySpace: the worm propagated not because of a bug unique to MySpace but because of how leniently browsers such as Internet Explorer parse markup, and the same flaw is waiting to be exploited in other web applications of a similar nature such as Ryze or LinkedIn. In the remainder of this article I summarize the modus operandi of his script and suggest ways to protect your web application against such attacks.

Samy used AJAX to add himself as a friend and hero whenever a user visited his page. This requires JavaScript to execute in the visitor's browser, and that script does the dirty work.

MySpace dutifully strips JavaScript from the HTML users submit (which becomes their profile). However, Samy disguised the word javascript with an embedded newline, "java\nscript": the filter no longer recognized it, but Internet Explorer still executed it.

MySpace doesn't allow script tags either. So he embedded his JavaScript in CSS instead: style="background:url('javascript:eval(document.all.mycode.expr)')", where the actual payload sat in the expr attribute of the element with id mycode.

AJAX (XMLHttpRequest) can fetch documents only from the same host the page was loaded from. Profiles are viewed on profile.myspace.com, but the friend-adding functionality lives on www.myspace.com, which serves the same profile information; so the first thing his script did was move the visitor to www.myspace.com, where he could be added as a friend:
if (location.hostname == 'profile.myspace.com') document.location = 'http://www.myspace.com' + location.pathname + location.search;

After overcoming a trivial hash issue, he adds his code and the text "but most of all, samy is my hero." to the visitor's own profile. This causes the worm to propagate not only when users visit his page but also when they visit the profile of any infected user. Yes, simple exponential spreading.

Samy provides detailed notes and code for his exploit, published after MySpace had filtered and stopped it.

How can you protect your web application from such attacks?
First and foremost, I assume you already have filtering in place, as MySpace did, to strip script tags, javascript: URLs and the like. Obviously that is not enough; not even close.
Your filter should be intelligent enough to recognize keywords split by newlines or other whitespace, as shown above: normalize the input (decode character references, drop whitespace and control characters) before matching, and reject the whole fragment rather than trying to "clean" it.
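The following is an added example, not code from the original article or from Samy's notes. It contrasts a word-blocklist filter of the kind described above with one that normalizes attribute values before matching; the sample profile HTML is constructed for the demo, modelled on the style-attribute trick the article describes.

```javascript
// Added example, not code from the original article or from Samy's notes.
// Constructed sample: a style attribute smuggling "java\nscript:" past a
// filter that only looks for the contiguous word "javascript".
const SAMPLE_PROFILE =
  '<div id="mycode" expr="alert(1)" ' +
  'style="background:url(\'java\nscript:eval(document.all.mycode.expr)\')">' +
  'but most of all, samy is my hero.</div>';

// Naive blocklist: removes <script> elements and the literal word
// "javascript". "java\nscript" survives it untouched.
function naiveFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/javascript/gi, '');
}

// Canonical form used for matching: decode numeric character references,
// drop all whitespace and control characters, lower-case. After this,
// "java\nscript", "java&#10;script" and "JAVA SCRIPT" are all "javascript".
function normalize(value) {
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)));
  return decoded.replace(/[\s\x00-\x1f\x7f]+/g, '').toLowerCase();
}

// Constructs that turn an attribute value into executable code in
// IE-era browsers: script URL schemes and CSS expression().
const ACTIVE_CONTENT = /(javascript|vbscript):|expression\(/;

// Hardened check: flag the fragment if any attribute value, once
// normalized, carries active content, or if a <script> tag survives
// normalization (which also catches "<scr\nipt").
function containsActiveContent(html) {
  const attribute = /\s[a-z-]+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let match;
  while ((match = attribute.exec(html)) !== null) {
    const value = match[1] || match[2] || match[3] || '';
    if (ACTIVE_CONTENT.test(normalize(value))) return true;
  }
  return normalize(html).includes('<script');
}

// Fails closed: an unsafe fragment is dropped entirely rather than
// rewritten, since a blocklist that rewrites input is exactly what was bypassed.
function hardenedFilter(html) {
  return containsActiveContent(html) ? '' : html;
}
```

Even the hardened version is still a blocklist and should be treated as a stop-gap; the durable fix is an allowlist parser that emits only known-safe elements and attributes and never passes a URL attribute through without checking its scheme.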

Other users' profiles (or any user-supplied HTML content) should be viewable only from a separate sub-domain.

Any action such as adding a link, friend or connection must be performed from pages that can never contain another user's code. If you provide an "add as friend" link while someone is viewing a profile, clicking it should take the visitor to a separate page where they edit the information about the prospective friend and add him only after confirmation. That page must not contain any HTML content from the user being added.

In essence we need to capitalize on the browser's same-origin policy, which prevents script running on one host from reading responses from a different one. Note that it does not stop a plain cross-site form submission that carries the user's cookies, so state-changing actions still need a per-session token that only a page on the trusted host can hand out.