I have been asked to give a presentation about cross site scripting at a local OWASP chapter meeting. I am making my research and notes available in a series of blog posts. This is the second: the history of cross site scripting.
Samy released a statement explaining what happened along with time frames, screenshots, and his code:
“I’m sorry MySpace and FOX. I love you guys, all the great things MySpace provides, and all the great shows FOX has, my favorite being Nip/Tuck. Oh wait, Nip/Tuck is FX? My bad, but FOX, I’m sure you still have some good stuff. But maybe you should start picking up Nip/Tuck reruns? Just a thought. I’m kidding! Please don’t sue me.”
Fox, realizing Samy was not acting maliciously, didn’t pursue a case. But the FBI did. Samy was arrested and pled guilty. He entered a plea agreement on January 31, 2007 to a felony charge, resulting in three years of probation, 90 days of community service, and an undisclosed amount of restitution.
The Samy worm was the fastest-spreading worm in history. Before it, worms had infected hundreds of thousands of machines in 24 hours, but never more than a million.
Today, XSS remains near the top of the OWASP Top 10 list of application security risks. It was number one in the previous version of the list (2007) and is currently number two (2010).