XSS Worm : Cross Site Scripting & Web 2.0 Security

Cross-Site Scripting Worm Hits MySpace | Betanews
The worm has piqued the interest of a number of security professionals who say XSS is a major problem that many companies overlook. Yep, Orkut, Google’s Social Network, was hit by a XSS worm, the source of which you will be able to find at the bottom of this post: hot lesbian
A self-propagating cross-site scripting (XSS) worm affected a million profiles on Myspace.com earlier this month, and security experts are concerned this Diminutive XSS Worm Replication Contest ha.ckers.org web .The diminutive XSS worm replication contest is a week long contest to get some good samples of the smallest amount of code necessary for XSS . Abstract: This paper is the product of a week long contest to write the most diminutive self replicating XSS worm. This was a controversial .GaiaOnline is a highly popular web based game, a perfect target for an XSS worm. Exactly what Kyran sets out to do, with a little help from
He has set up a contest to see who can write a self-propagating cross-site scripting (XSS) worm using the fewest number of characters.

Problems with the use of asymmetrical algorithms without an additionalinfrastructure can be divided into four areas. These are described in the following.
Authenticity of the key
Alice would like to send an encrypted e-mail to Bob. To do so she uses Bob’s public key (see Sections 6.4 and 6.7). If the villain, Mallory, palms off Alice’s own key as Bob’s without her noticing, then he can decrypt the mail himself.
Mallory has several ways of carrying out this kind of attack. If Bob sends Alice his public key over the Net, Mallory can intercept it and replace it with his own (man-in-the-middle attack). He can also do this if Alice downloads Bob’s key from a server. In addition, Mallory can try to distribute his own key on the Net under the pretence that it is Bob’s.
The problems arise because there is nothing about a public key that indicates to whom it belongs.
Revoking keys
Mallory has stolen Alice’s private key from her hard disk. This means that he can use it to read all messages that were encrypted with the associated public key. In addition, using Alice’s private key he can forge her digital signature. Fortunately Alice has noticed the theft. She immediately generates a new key pair and does not continue using the old private key (this is called revocation of the old key). But
how can these with whom she is communicating know that Alice’s old key has been
revoked?
The problem is that one cannot tell from a public key whether it has been
revoked or not.
Non-repudiation
The purpose of a digital signature is to ensure non-repudiation. This means that Alice cannot contest her completed signature in retrospect. When all is said and done, a digital signature is an excellent way of meeting this requirement. If Alice keeps her private key secret (which is in her own interests), then no one else can imitate it. However, Alice does have one way to contest a signature: she simply claims that the key used in the transformation of the signature was not hers. The problem here is that there is no way of proving that a particular key belongs to Alice.
Enforcement of a policy Crypt & Co. is surprised at the advantages that asymmetrical cryptography offers. It
wants to introduce a key pair for each employee, with which the employee can encrypt and sign. This requires the following:
• Each employee should have only one key pair, not several.
• All public keys should be centrally registered.
• Each employee must use a key of adequate length.

Quantum cryptography is one of the branches of cryptography that are not dealt
with in this book. Quantum cryptography makes it possible to transmit a key using
quanta of polarised light. Because, according to the laws of physics, the
polarisation of light quanta cannot be measured without it being changed, Mallory
cannot intercept the key without being detected. Quantum cryptography therefore

provides a demonstrably secure exchange of keys – it’s just a pity that it is not yet used in practice.
Asymmetrical algorithms such as RSA, Diffie–Hellman and DSA have
revolutionised cryptography, but in themselves they are no guarantee of a carefree
crypto life. This is due to the fact that the practical application of asymmetrical
algorithms is full of pitfalls that can only be avoided by constructing a suitable
infrastructure. Such a structure is termed a public key infrastructure (PKI). The
building of public key infrastructures is currently the most important subject in
cryptography, especially in connection with the Internet and mobile phones. For
this reason, I have dedicated a whole chapter of this book to the topic of PKI.

In order to understand how a PKI works, and why one is needed, a little preparatory
work is in order. To begin, we shall deal with the most important problems arising
from the use of asymmetrical algorithms without an additional infrastructure. Then
we shall look at three ways in which these problems can be solved.