This isn't the source of it. I came across this on Twitter last night and traced it back a bit to try to share "the original" with my colleagues. The earliest I found was https://x.com/cloud11665/status/1799136093071163396 which I think is slightly earlier than the second commit on this repo.
Honestly, I doubt the author is playing the “deep game” of looking like they’re just messing around while secretly being a secret agent and (for some fathomless reason) making it look like it with an artificial git history.
So in general, yes, but in this case, I doubt it. I’m pretty sure this git history is a real and true log of them dicking about trying to get the exploit they saw on twitter working.
To understand monads, imagine you're in the middle of an infinite ocean. The ocean represents possibilities, and each wave represents a choice. Monads are invisible fish that you can't see but guide your boat. You don't know where you're going, and the fish don't either. Sometimes, they lead you to islands of coconuts, but other times they take you to whirlpools. You have a magical net that catches these fish, but the net has holes, so not all fish stay. Monads are these fish that might or might not help you navigate the infinite ocean, depending on whether they feel like it.
I don't get this. It shows some mangled text that looks like defaced CSS, accompanied by the error message “Extra open brace or missing close brace”. How is this content injection?
Other than I love Samy, are many real-world examples of XSS being exploited for massive takeover of some service? I can't say I remember any news of a "website/service totally taken over due to XSS."
Powerful XSS vulnerabilities are found all the time, but they usually doesn't break the news because they aren't wormed. Samy was a worm, spreading from user to user exponentially, hence it being a very loud attack with news about it.
XSS tends to be the first step in a chain of exploits. There are examples of using it for account takeovers, but XSS being the first step, usually means it doesn't get called out directly. The particular chain sequence gets a name, and that is what gets put out in media responses.
Yes, finding some PoC for account takeover or something that involves XSS is cool and whatnot, but I'm asking whether these theoretical chain of exploits have ever actually been documented as being exploited to a significant degree.
You have to look a little further back into mid-2000s to see larger impact XSS attacks, but each FAANG has had to recover from them. I'm on mobile right now but I'll look for some examples later.
What most companies realize early on is that you can't guarantee you'll prevent an XSS from slipping through. But, having a good template engine that sanitizes all strings automatically is good enough preventative measure, and putting all user-submitted content on a different subdomain or domain (like usercontent[dot]company[dot]com) with browser same-origin policy and perhaps CORS rules, will be enough to keep the impact contained. From there, just about everything else can be categorized as user error.
I'd say a strict Content Security Policy (at least script-src 'self' WITHOUT unsafe directives) is even more important to keep the impact contained, so you'd have to put your scripts into separate files - as opposed to using inline scripts. It obviously won't help against "HTML injection" in general, but will shield your users from malicious scripts as long as you make sure that an attacker can't just upload scripts on the permitted origin(s).
It’s pretty infrequent outside of target attacks. Most recent is probably the roundcube XSS CVE-2023-43770 that was actively exploited as 0day by a threat actor last year.
Funny at first, but this could have been exploited maliciously by let's displaying a message telling the user he has been disconnected and redirecting him to a phishing page.
If this was purely a CSS injection—as I understand it was—then I don't think it would be possible to redirect on any technical level the user anywhere (e.g. by providing a link).
But telling user to do something would still be on the table.
