LiveJournal XSS Security Challenge
Jamesday writes "LiveJournal is offering a free permanent account and possibly other prizes to those who find new vulnerabilities in its XSS Security Challenge. LiveJournal has recently been attacked via a Firefox XSS exploit."
You are not supposed to hack away on http://www.livejournal.com/
They provide a sandbox: http://www.test.dev.livejournal.org/
They have always taken it seriously. In fact IE LJ users have been nearly invulnerable to simple (stuff that doesn't exploit IE cross-domain vulnerabilities) XSS attacks for years, because of LJ's use of HTTPONLY cookies.
Firefox devs have in the past explicitly ruled out supporting HTTPONLY pretty much just because Microsoft invented it. The result is Firefox users are much more vulnerable to XSS attacks than IE users.
Violating the TOS for this purpose isn't criminal, as no laws are being broken.
The Cross Site Scripting FAQ
This got +3 Informative? You see the words "change it to paid" in the instructions linked to by Slashdot? Notice that they're a link? If you click on those, you can change your account on the test server to a "paid" one without actually paying anything. The interface is a bit bare, but it works.
BTW, the only reason I haven't figured out a way to do something *really* nasty is that they seem to have totally disabled inline style markup on comments. (I've spotted some smaller holes, but if it wasn't for that little barrier...)
That won't happen. About a week ago LJ changed its cookie scheme. This scheme places a cookie on www.livejournal.com which is what is required to post anything and to change account settings. All journals are under some other hostname, so it is impossible to use XSS to get that www.livejournal.com (ljmastersession) cookie unless a bug in a browser breaks its own security model (that's beyond the scope of anything a website can do though). They also use HTTPOnly cookies for MSIE, which means that none of the cookies can be stolen for IE either (it's funny that Firefox refuses to implement this great idea just out of petty Microsoft hatred).
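The two defences the comment above describes, a session cookie scoped to a single host that user journals never share, plus the HttpOnly flag so script cannot read it at all, can be modelled in a few lines. The following is an added example and is not LiveJournal's code or any commenter's; the cookie names, hosts and values are constructed for illustration, and the script-visibility check is a simplified model of the browser rules (domain match plus HttpOnly), not a full RFC 6265 implementation.

```python
"""Build a host-scoped HttpOnly session cookie and audit Set-Cookie headers.

Added example for the LiveJournal XSS thread; cookie names, hosts and values
below are constructed, not taken from the site.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional


def build_session_cookie(name: str, value: str, host: str) -> str:
    """Return a Set-Cookie header value scoped to exactly `host`, HttpOnly and Secure."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["domain"] = host      # exact host, never the parent domain shared with user journals
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True    # invisible to document.cookie in browsers that honour it
    jar[name]["secure"] = True      # never sent over plain HTTP
    return jar[name].OutputString()


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Minimal Set-Cookie parser: name, value and the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {
        "name": name.strip(), "value": value.strip(),
        "domain": None, "httponly": False, "secure": False,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "secure":
            cookie["secure"] = True
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def audit_set_cookie(header: str) -> List[str]:
    """List the hardening attributes a session cookie header is missing."""
    c = parse_set_cookie(header)
    findings = []
    if not c["httponly"]:
        findings.append("missing HttpOnly: readable via document.cookie by injected script")
    if not c["secure"]:
        findings.append("missing Secure: sent over plain HTTP")
    return findings


def domain_matches(host: str, cookie_domain: Optional[str]) -> bool:
    """Simplified RFC 6265 domain match: exact host or a subdomain of the cookie domain."""
    if cookie_domain is None:
        return False
    return host == cookie_domain or host.endswith("." + cookie_domain)


def script_visible_cookies(jar: List[Dict[str, object]], host: str) -> List[str]:
    """Names of cookies that JavaScript running on `host` could read via document.cookie."""
    return [
        str(c["name"]) for c in jar
        if domain_matches(host, c["domain"]) and not c["httponly"]
    ]


if __name__ == "__main__":
    session = build_session_cookie("ljmastersession", "abc123", "www.livejournal.com")
    print(session)
    print("audit:", audit_set_cookie(session))
    # constructed jar: the hardened session cookie, a legacy parent-domain cookie
    # without HttpOnly, and a harmless non-HttpOnly preference cookie on www
    jar = [
        parse_set_cookie(session),
        parse_set_cookie("ljsession=legacy; Domain=livejournal.com; Path=/"),
        parse_set_cookie("ljtheme=dark; Domain=www.livejournal.com; Path=/"),
    ]
    for host in ("someuser.livejournal.com", "www.livejournal.com"):
        print(host, "->", script_visible_cookies(jar, host))
```

Script injected into a journal page (someuser.livejournal.com) sees only the legacy parent-domain cookie; the hardened session cookie is out of reach both because its Domain attribute does not match and because it is HttpOnly, which is why the two measures complement each other when one of them (HttpOnly) depends on browser support.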
These new filters they're testing right now will include whitelisting of CSS. Whitelisting, of course, is a very powerful mechanism to mitigate XSS as well. This is in addition to potentially hosting all CSS on their servers.
Not just that, but they have implemented other features recently. One allows you to view recent logins. Another ties cookies to your subnet (in addition to the optional login option which lets you bind it to a specific ip). You can no longer change your e-mail address on your account without your password.
So LJ has now put quite a few mechanisms in place to make things more secure. So please, before ignorantly suggesting that they go back and "design it correctly," maybe you should actually READ about all the new security features implemented, including the new ones that they're testing now. But hey, I don't expect a Slashdotter to actually read and research so they know what the fuck they're talking about. After all, if LJ has a contest, it's NOT AT ALL POSSIBLE that they're testing new features that you can easily read about.
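The comment above says the filters under test will whitelist CSS. As an added illustration of what property-and-value whitelisting looks like (this is not LiveJournal's filter and not any commenter's code; the allowed property list and the sample style strings are constructed), here is a sanitizer for inline declarations that keeps only known-safe properties and only values built from a conservative character set, so function notation, escapes and comments never reach the browser:

```python
"""Whitelist-based sanitizer for inline CSS declarations.

Added example for the LiveJournal XSS thread; ALLOWED_PROPERTIES and the
sample inputs are constructed for illustration.
"""
import re
from typing import FrozenSet, List, Tuple

# Constructed whitelist of presentational properties; anything else is dropped.
ALLOWED_PROPERTIES: FrozenSet[str] = frozenset({
    "color", "background-color", "font-size", "font-weight", "font-style",
    "text-align", "text-decoration", "margin", "padding", "border",
    "width", "height",
})

# Property names: lowercase letters and hyphens only.
SAFE_PROPERTY = re.compile(r"^[a-z-]+$")
# Values: words, numbers, #hex colours, %, units, commas and spaces. No
# parentheses (url(), expression()), no quotes, no backslash escapes, no
# slashes (comments), no braces or angle brackets.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9#%.,\s-]+$")


def sanitize_css_declarations(
    css: str, allowed: FrozenSet[str] = ALLOWED_PROPERTIES
) -> Tuple[str, List[str]]:
    """Return (clean declarations, dropped declarations) for a style string.

    Splitting on ';' is safe here because quoted values, the only place a
    literal ';' could legitimately appear, are rejected by SAFE_VALUE.
    """
    kept: List[str] = []
    dropped: List[str] = []
    for decl in css.split(";"):
        decl = decl.strip()
        if not decl:
            continue
        prop, sep, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if not sep or not SAFE_PROPERTY.match(prop) or prop not in allowed:
            dropped.append(decl)          # unknown or malformed property
            continue
        if not value or not SAFE_VALUE.match(value):
            dropped.append(decl)          # value uses notation outside the whitelist
            continue
        kept.append(f"{prop}: {value}")
    return "; ".join(kept), dropped


if __name__ == "__main__":
    # Constructed sample: two harmless declarations, one property outside the
    # whitelist, one whitelisted property with a value using function notation.
    sample = (
        "color: #ff0000; font-weight: bold; "
        "background-image: url(http://placeholder.example/x.png); "
        "width: expression(1)"
    )
    clean, dropped = sanitize_css_declarations(sample)
    print("kept:   ", clean)
    print("dropped:", dropped)
```

The design point is that whitelisting properties alone is not enough: `width` is a perfectly ordinary property, so the value grammar has to be whitelisted too. The cost is that legitimate function notation such as `rgb()` is also dropped; a production filter would add explicit rules for the few functions it wants to allow rather than loosen the character class.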
Hello!
It is true, I am the a+++ #1 mayor of Bantown! However Bantown is an independent city-state and not responsible for the actions of its citizens! That would be like the city of San Francisco being responsible because one of its citizens plans and carries on activities such as conspiracy and instigating riots! I am sorry that someone on the internet was mean to you! However carrying on some immature internet grudge against people and then trying to get other people in on it is a little high schoolish don't you think? Also excellent internet detection skillz! It must have taken you five whole minutes of reading encyclopediadramatica.com to figure out who was involved! Too bad flata has never been on #bantown in her life, hugs for effort tho!
In conclusion: I am sorry I broke up with you and started dating someone else a week later. You weren't very good in bed and kind of boring to date. I am glad you are getting over it tho! This kind of therapy is really good, however it's probably better to do such things without trying to involve half the internet in our 6-month-old breakup.
I will refrain from posting your livejournal and contact information.
not yours anymore,
hep
a++ #1 mayor of Bantown
ps #bantown is an irc channel for discussion about a man fucking a chicken. Any activities regarding hacking, livejournal, or xss flaws are unrelated. Please stop by soon and see us to discuss chicken fucking!