

Ask HN: How did Lulzsec inject the Javascript redirect? - wesleyzhao

After noticing that the page loads first then redirects to the Lulzsec Twitter, then after disabling javascript the redirect stopped... I was certain it was some sort of Javascript injection.

Then after looking at some comments from the following HN story (http://news.ycombinator.com/item?id=2778422) I saw that someone had posted the link to the injection script on pastebin here: http://pastebin.com/pWQtngDc

After reading through, I am still a little unclear on how it all works.

I may be a little thick, but I would love to have someone explain how the injection worked!

Thanks,

Wesley
======
devicenull
<script type="text/javascript">parent.location.href= "http://www.new-times.co.uk/sun/";</script>

That is the only important part of what you posted. It just changes the
location of the main page.

As to how they managed to get it there, no one knows. I'd imagine there is
some unescaped input somewhere in the web page that let them do it. A lot of
the Lulzsec releases seemed to start with SQL injection and go from there.
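
An added example, not part of the thread and not a reconstruction of the actual compromise: assuming the unescaped-input cause guessed at in the comment above, it shows the quoted script surviving a template that concatenates stored text, the same template with output encoding, and a small triage check for inline scripts that redirect off-site. The story record, the host `www.example.com` and all function names are constructed for illustration.

```javascript
// Added example. The story record, host name and function names are constructed.
const PAYLOAD = '<script type="text/javascript">parent.location.href= ' +
  '"http://www.new-times.co.uk/sun/";</script>';

// Vulnerable pattern: stored text is concatenated into markup unchanged,
// so any markup inside it becomes part of the page.
function renderUnsafe(story) {
  return `<h1>${story.title}</h1><div class="body">${story.body}</div>`;
}

// Output-encode the characters that are significant in HTML text and attributes.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hardened pattern: every stored field is encoded at the point of output.
function renderSafe(story) {
  return `<h1>${escapeHtml(story.title)}</h1>` +
    `<div class="body">${escapeHtml(story.body)}</div>`;
}

// Triage helper: URLs that inline scripts assign to a location object
// when the target host is not ours. Regex-based, so it only catches
// literal string assignments, not obfuscated or computed ones.
function findOffsiteRedirects(html, ownHost) {
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const navRe = /\blocation(?:\s*\.\s*href)?\s*=\s*["'](https?:\/\/[^"'\s]+)["']/gi;
  const hits = [];
  for (const [, body] of html.matchAll(scriptRe)) {
    for (const [, url] of body.matchAll(navRe)) {
      let host = null;
      try { host = new URL(url).hostname; } catch (e) { /* unparsable: report it */ }
      if (host !== ownHost) hits.push(url);
    }
  }
  return hits;
}

const story = { title: 'Constructed headline', body: 'Intro text ' + PAYLOAD };
console.log(findOffsiteRedirects(renderUnsafe(story), 'www.example.com'));
console.log(findOffsiteRedirects(renderSafe(story), 'www.example.com'));
```

The helper is for sweeping stored content after an incident; the fix itself is the encoding applied in `renderSafe`.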

