RETURN $ecure;

Security, Technology and Life


Snap’s shots execute JavaScript?


While checking out the new Themes and Widgets on these WordPress.com blogs, I noticed they had implemented Snap Preview. Snap is a fairly promising search engine that offers JavaScript-based link previews on any page.

These ‘Snap’shots are presumably identical to the ones the search engine itself uses.

(The previews let users glance at search results without opening them.)

Now, this is all fairly harmless and seemingly pointless, except that Snap appears to use a Gecko-based browser (probably Firefox) to spider sites, or at the very least to take its snapshots, and that browser executes whatever JavaScript the page contains.

Take a look at this screenshot of a MySpace page with an older persistent XSS on it.

[Screenshot: MyXSS]

As you can see, the injected alert() fires inside the Snap Preview.

I knew Google indexes XSS, but actually running the JavaScript seems like bad practice…

Written by Rodney G

01/15/2007 at 5:40 pm

Posted in Uncategorized
