

Persistent XSS on Twitter.com - forkqueue
http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/

======
Seldaek
This has been demo'd a long time ago already [1], and it seems they haven't
done anything yet? Wtf.

[1] http://www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-vulnerability.html

~~~
b3n
It was fixed, but now it's back again...

> The problem is similar to one described last August by James Slater. That
> time around the issue was with the application URL, this time it appears the
> application name is the issue.

------
jluxenberg
_"appears to be due to a lack of input validation of the application name
field"_

They should just be sure that they _render_ the application name field
appropriately. Angle brackets should be escaped, minimally. It's really not so
difficult, Ruby does it with three calls to gsub:
http://rdoc.sourceforge.net/rd/doc/classes/CGI.src/M000003.html

------
agentultra
At least this script in particular seems pretty harmless. I glossed over the
"rainbow links" code, so maybe there was something vicious in there.

Either way, XSS sucks. Surprised that they haven't plugged this one yet.

------
dirtyhand
Twitter is probably still using Rails 2.3, where you have to explicitly tell
the framework to html escape every time you're outputting a string.

Rails 3 changes this by always html escaping strings.

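The two regimes jluxenberg and dirtyhand describe, as an added example that is not code from the thread or from Twitter/Rails: a gsub-based HTML escape in the style of CGI.escapeHTML, an auto-escaping buffer in the spirit of Rails 3, and a legacy renderer where the escape call has to be remembered by hand. All names (html_escape, SafeBuffer, render_legacy, render_auto, SAMPLE_NAME) and the sample application name are this example's own.

```ruby
# Added example: output escaping for an untrusted "application name" field.
# Map of the five HTML-significant characters to their entity forms.
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#39;' }.freeze

# Escape in a single gsub pass so '&' is never re-escaped by a later pass.
# Escaping must happen exactly once, at output: applying it twice yields
# "&amp;amp;"-style double encoding.
def html_escape(str)
  str.to_s.gsub(/[&<>"']/, ESCAPES)
end

# Buffer that escapes every fragment appended to it unless the fragment is
# itself a SafeBuffer (i.e. trusted template markup). The template author has
# to opt *out* of escaping, which is the safe default dirtyhand refers to.
class SafeBuffer
  def initialize(markup = '')
    @buf = markup.dup
  end

  def <<(fragment)
    @buf << (fragment.is_a?(SafeBuffer) ? fragment.to_s : html_escape(fragment))
    self
  end

  def to_s
    @buf.dup
  end
end

# Wrap literal markup written by the template author as trusted.
def safe(markup)
  SafeBuffer.new(markup)
end

# Legacy style: every interpolation must be escaped by hand. With escape: false
# the stored name is emitted verbatim, which is the bug class in the article.
def render_legacy(app_name, escape:)
  name = escape ? html_escape(app_name) : app_name
  "<span class=\"source\">via #{name}</span>"
end

# Auto-escaping style: only fragments wrapped with safe() bypass escaping.
def render_auto(app_name)
  buf = SafeBuffer.new
  buf << safe('<span class="source">via ') << app_name << safe('</span>')
  buf.to_s
end

# Constructed sample value standing in for a stored application name.
SAMPLE_NAME = 'Tweetie<script>alert(1)</script>'
```

render_auto(SAMPLE_NAME) and render_legacy(SAMPLE_NAME, escape: true) produce the same neutralised markup; only the legacy path can silently emit the raw tag when the escape call is forgotten.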
~~~
texec
Security shouldn't be a matter of the framework, especially if it belongs to
well known problems like XSS.

~~~
ashearer
With programmers being human, there's a lot to be said for the framework
providing a secure default. Even so, it's surprising how often this particular
mistake occurs.

------
dreeves
This seems a good time to mention interpolique:
<http://recursion.com/interpolique.html>

I'm curious what people here think of that idea, i.e., preventing string
injection attacks at the language level.

------
code_duck
Twitter sure does have issues with stuff like this. I noticed a while back
that they were double encoding some strings on output, too - I had an
ampersand in my location and it was showing as &amp; on the page.

------
NathanKP
None of the code looks malicious, but I would suggest that if you have a
Twitter account and/or are logged into it, don't visit the page because he
might be stealing cookies.

