“Introduction to Web Security”

Yesterday I made a post about a CSE seminar I attended on Wednesday. Well, yesterday I attended another CSE seminar, again, given by Dr. Yinzhi Cao. His seminar yesterday was on the topic of web security. He introduced many web threats and how they are executed over internet browsers and servers. It was a very broad, high-level description of the numerous threats and he explained them very clearly. Anyone with minimal computer science background could appreciate the information. As I said in my previous post, I am very interested in security and Dr. Cao’s seminars were highly informative and I learned a lot from them.

One cool web security threat example he gave was for XSS (cross-site scripting) attacks. He broke down and showed how a hacker wrote an XSS worm that crashed MySpace many years ago. It was called the Samy Worm, written by Samy Kamkar. It was very clever. Samy wanted to embed his JavaScript worm into his homepage, but MySpace prohibited the use of “script” tags, “a href” tags, and many others, which made it seem to many that the system was secure. However, Samy realized he could embed his JavaScript into a CSS (cascading style sheet) tag, but there was one more hurdle. MySpace stripped the word “javascript” from all text, and that word was needed to execute the code. Regardless, Samy was able to split “javascript” across two lines, “java\nscript”, and Internet Explorer did not recognize, or read, this as javascript. Finally, this allowed his worm to run.

His worm forcibly made people add Samy as a friend, and the worm then injected itself into the visitor’s profile making it self-propagating (the first of its kind). Within 24 hours, Samy had over 1 million friends and had crashed MySpace. MySpace said his intentions were malicious, but it’s pretty funny and clever if you ask me.
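
Why stripping a literal word fails as a defense, shown as an added example that is not from the seminar or from MySpace's code: a hypothetical blocklist filter like the one described above passes a constructed “java\nscript” sample unchanged, while an allowlist filter that drops every attribute leaves no place for such a value. The function names, the allowed-tag list and the sample string are assumptions made for illustration.

```javascript
// Added illustration; both filters are hypothetical, not MySpace's code.
const ALLOWED_TAGS = new Set(["b", "i", "p", "br", "div"]);

// Constructed sample: a style value with the keyword split by a newline.
const SAMPLE = "<div style=\"background:url('java\nscript:void(0)')\">hi</div>";

// Blocklist filter in the spirit of the post: drop <script> tags and
// strip the literal word "javascript".
function naiveFilter(html) {
  return html.replace(/<\/?script[^>]*>/gi, "").replace(/javascript/gi, "");
}

// What a parser that ignores whitespace and control characters would see.
function collapsesToScriptUrl(html) {
  return /javascript:/i.test(html.replace(/[\s\x00-\x1f]+/g, ""));
}

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist filter: re-emit known-safe tags with every attribute dropped,
// and HTML-escape everything else, so no style or URL value survives.
function allowlistFilter(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = "";
  let last = 0;
  for (const m of html.matchAll(tagRe)) {
    const name = m[2].toLowerCase();
    out += escapeHtml(html.slice(last, m.index));
    out += ALLOWED_TAGS.has(name) ? `<${m[1]}${name}>` : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(html.slice(last));
}

console.log(JSON.stringify(naiveFilter(SAMPLE)));        // input comes back unchanged
console.log(collapsesToScriptUrl(naiveFilter(SAMPLE)));  // true
console.log(JSON.stringify(allowlistFilter(SAMPLE)));    // "<div>hi</div>"
```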

Here’s an article about the story back in 2005: http://betanews.com/2005/10/13/cross-site-scripting-worm-hits-myspace/

Here is a picture I took while at the seminar of Dr. Cao giving his seminar.


About luryan15

I am a senior Computer Science major at Lehigh University.