Коментарі для запису: Уразливість на ebay.com http://websecurity.com.ua/2348/ Mon, 20 Apr 2026 09:17:06 +0000 http://wordpress.org/?v=MustLive Edition від: MustLive http://websecurity.com.ua/2348/#comment-265805 Sun, 22 Feb 2009 21:55:05 +0000 http://websecurity.com.ua/2348/#comment-265805 <strong>Jackson</strong> Thank's for information. Encoded with base64 XSS code also belongs to this type of XSS which I called Encrypted XSS. All encrypted (with any ecryption) XSS holes belong to it. In this case, as you see, it's not base64, but eBay's own encryption algorithm. Yes, this type of XSS can be used to bypass server-side and client-side firewalls, which block XSS attacks, like NoScript. Hole at Yahoo! is nice. It's not first base64 encrypted XSS - there was such one at MySpace, which was disclosed in 2007 in project <a href="/878/" rel="nofollow">Month of MySpace Bugs</a>. But only after I found this XSS at eBay in 26.11.2007, I created this new type of XSS (as a part of my Classification of Cross-Site Scripting). And so I called this hole first Encrypted XSS (and it's first with such encryption). Jackson

Thank’s for information. Encoded with base64 XSS code also belongs to this type of XSS which I called Encrypted XSS. All encrypted (with any ecryption) XSS holes belong to it. In this case, as you see, it’s not base64, but eBay’s own encryption algorithm.

Yes, this type of XSS can be used to bypass server-side and client-side firewalls, which block XSS attacks, like NoScript.

Hole at Yahoo! is nice. It’s not first base64 encrypted XSS - there was such one at MySpace, which was disclosed in 2007 in project Month of MySpace Bugs. But only after I found this XSS at eBay in 26.11.2007, I created this new type of XSS (as a part of my Classification of Cross-Site Scripting). And so I called this hole first Encrypted XSS (and it’s first with such encryption).

]]> від: Jackson http://websecurity.com.ua/2348/#comment-264706 Wed, 18 Feb 2009 04:07:00 +0000 http://websecurity.com.ua/2348/#comment-264706 Hi MustLive! Yahoo! (at least) once got this kind of encoded XSS. http://bbs.cn.yahoo.com/searchApplyBoard/PHNjcmlwdD5hbGVydCgiWFNTLWJ5cGFzcy1Oby1TY3JpcHQiKTwvc2NyaXB0Pg==.html The XSS is encoded with base64(). This XSS was once bypassed No-Script protection too :D You can see Maone's comment here : http://zoiz.web.id/xss-corner/base64-encoded-xss.html Hi MustLive!

Yahoo! (at least) once got this kind of encoded XSS.

http://bbs.cn.yahoo.com/searchApplyBoard/PHNjcmlwdD5hbGVydCgiWFNTLWJ5cGFzcy1Oby1TY3JpcHQiKTwvc2NyaXB0Pg==.html

The XSS is encoded with base64(). This XSS was once bypassed No-Script protection too :D

You can see Maone’s comment here :

http://zoiz.web.id/xss-corner/base64-encoded-xss.html

]]>