Cross-Site Scripting Network

Blogs are highly linked, and implicit trust accumulates at each blog over time.  Many windows of vulnerability exist in the blogosphere, and many more are being opened every day through unsafe cross-site script sharing, holes in the scripts that run blogs, reckless copy-and-paste practices (what you see might not be all that you copied), etc.  The net result is a growing field of dominoes waiting for smart hackers to take advantage of.

Here is an example.  Some websites, popular among bloggers, encourage bloggers to add HTML fragments to their blogs that look like this:


This is, in fact, committing cross-site scripting (XSS) voluntarily.  Even worse, because the site serving the script typically offers some useful service, a cross-site scripting network is created around it, turning it into a very attractive target for hackers.

Once the site that hosts bar.js is penetrated and the file replaced with some hostile script, hackers can not only steal cookies but also hack all the pages served by the spoke sites.  How bad can it get?  Hackers can search for links to well-known sites like PayPal in all the pages that load the hacker's script file and replace them with links to phishing sites.  Even worse, hackers could drop zero-day exploits into thousands of blogs within minutes.


I had to replace the HTML fragment above with an image to prevent the tags from being inadvertently pasted into other blogs.  With all the escaping, unescaping, copying, and pasting in blog software out there, I can't take a chance.
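
To see how far such a hub-and-spoke network reaches across a set of blogs, here is an added audit sketch in Python (not part of the original post). It lists scripts loaded from another origin and groups pages by the third-party host whose code they run. Apart from bar.js, all host names and page contents are constructed placeholders, and the `integrity` attribute it checks for is the browser's Subresource Integrity feature.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port) triple that browsers compare as the origin."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class ScriptAudit(HTMLParser):
    """Collect <script src=...> tags that load code from another origin."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag != "script" or not src:
            return  # not a script, or an inline script with no remote source
        url = urljoin(self.page_url, src.strip())  # resolves relative and //host forms
        if origin(url) == origin(self.page_url):
            return  # same origin: no additional party is trusted
        self.findings.append({
            "url": url, "host": urlsplit(url).hostname,
            "pinned": bool(attrs.get("integrity")),  # SRI attribute present (hash not verified)
            "plaintext": urlsplit(url).scheme == "http",  # also modifiable in transit
        })

def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

def hubs(pages):
    """Map each third-party script host to the pages running its code unpinned."""
    exposed = defaultdict(set)
    for page_url, html in pages.items():
        for f in audit(page_url, html):
            if not f["pinned"]:
                exposed[f["host"]].add(page_url)
    return {host: sorted(urls) for host, urls in exposed.items()}

# Constructed sample pages; every host name is a placeholder.
SAMPLE_PAGES = {
    "https://blog-a.example/post/1": '<p>hi</p><script src="http://widgets.example/bar.js"></script>',
    "https://blog-b.example/": '<SCRIPT SRC="//widgets.example/bar.js"></SCRIPT><script src="/local.js"></script>',
    "https://blog-c.example/": '<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>',
}
```

Each key returned by `hubs(SAMPLE_PAGES)` is a host whose compromise would change what runs on every page listed under it.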