26 February, 2011 § Leave a comment
Some of the possible uses of this attack would be to:
- Spam the user with advertisements
- Increase visits to another website
- Spread malware
In this proof of concept, I used the following as the “color” setting for my profile:
red' onmouseout='window.open("http://www.msu.edu/~weinjare/ad.html", "", "height=220,width=450");return false;
I’ll try to explain the source code above. The HTML that is generated for the page uses single quote characters to specify attributes. Adding a single quote to the setting, appearing after the word “red”, allows arbitrary HTML to be injected within the page. The following code is treated as another attribute for the element, adding an event handler for when a mouse moves on to the element and then leaves the element.
The value of the attribute starts with a single quote and lacks an ending quote. This is because the generation of the HTML will append a single quote to the value. This will allow the generated HTML to remain valid.
To show this in action, I created the following video: