Post
by DanLanglois » Thu Mar 28, 2013 11:22 am
I note that hackers usually have more experience than the web developers.
The problem with the URL is that it leaves the entered variables in the URL address. This is via some form of user input.
Then the exploit is attacking a JavaScript event handler, allowing users to post JavaScript code. It's not that complex an attack at all either; rather embarrassing for Twitter that they were caught out by this.
And you can write anything to the page, including closing the link and including a script element. Also, you are not limited by the 140 character limit.
To fix it, well, what is the relevant page source? I mean, this parameter gets set how? A form? Is there a form on the page? A form can be a POST and not a GET request. I'm not positive what will satisfy, but they don't like the GET request; you can eliminate the GET request. Let's put this in context: search spiders will follow every link on your website, but will not submit random forms they find.
And, web accelerators are worse than search spiders, because they run on the client’s machine, and "click" all links in the context of the logged in user. Thus, an application that uses a GET request to delete stuff, even if it requires an administrator, will happily obey the orders of the (non-malicious!) web accelerator and delete everything it sees.
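An added example (not from the post or from Twitter's code) of the two points above: a URL parameter reflected into a link attribute, with and without escaping, and a delete endpoint that refuses GET so that spiders and accelerators following links cannot trigger it. The handler, paths and store are constructed for illustration.

```python
import html
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed example: a minimal request handler showing the two issues
# discussed in the post, reflected input and state changes on GET.


def render_link_vulnerable(target: str) -> str:
    # 'target' is dropped straight into an attribute. A value containing a
    # quote closes the attribute, and whatever follows is read as markup
    # (an extra attribute such as an event handler, or a new tag).
    return f'<a href="{target}">open</a>'


def render_link_safe(target: str) -> str:
    # html.escape with quote=True turns ", ', <, > and & into entities, so
    # the value can neither terminate the attribute nor open a new element.
    return f'<a href="{html.escape(target, quote=True)}">open</a>'


def handle(method: str, path: str, query: str,
           store: Dict[str, str]) -> Tuple[int, str]:
    """Dispatch one request; returns (status, body)."""
    params = parse_qs(query)
    if path == "/delete":
        # State changes only on POST: crawlers and web accelerators follow
        # every GET link in the user's session but do not submit forms, so a
        # GET here is refused rather than obeyed.
        if method != "POST":
            return 405, "Method Not Allowed"
        store.pop(params.get("id", [""])[0], None)
        return 200, "deleted"
    if path == "/link":
        # Reflected parameter goes through the escaping renderer only.
        return 200, render_link_safe(params.get("url", [""])[0])
    return 404, "not found"
```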