Cross-site exploit

Wednesday, January 27, 2010 at 9:33 AM


I just went to http://groups.bodybuilding.com and changed the base64-encoded callback string they use to display the content to be unencoded and added whatever website I wanted. I happened to choose LinkedIn because it's harmless. The harm comes in when you put in something malicious and embed it in another innocent website.
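Added example, not part of the original post or the site's code: a server-side check for a callback parameter like the one described above, which accepts only strict base64 and only URLs on an allowlisted host. The allowlisted host, the https-only rule and the function names are assumptions made for illustration.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the only host whose content this page is meant to embed.
ALLOWED_HOSTS = {"groups.bodybuilding.com"}


def resolve_callback(param: str) -> Optional[str]:
    """Return the URL to embed, or None when the parameter must be rejected."""
    try:
        # validate=True refuses characters outside the base64 alphabet, so a
        # raw "http://..." value fails here instead of being used as-is.
        url = base64.b64decode(param, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    # Backslashes, spaces and control characters are read differently by
    # browsers and by urlsplit, so refuse them outright.
    if any(c == "\\" or not 0x21 <= ord(c) <= 0x7E for c in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    # Assumption: embedded content is https only and never carries userinfo.
    if parts.scheme != "https" or parts.username is not None:
        return None
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    return url


def encode(url: str) -> str:
    """Demo helper: build the parameter the way the site is assumed to."""
    return base64.b64encode(url.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values, not captured from the real site.
    for value in (
        encode("https://groups.bodybuilding.com/some-group"),
        "http://www.linkedin.com",             # unencoded, as in the post
        encode("https://www.linkedin.com/"),   # encoded but off-site
    ):
        print(repr(value), "->", resolve_callback(value))
```

Rejected values should fall back to a fixed default page rather than echoing the parameter back in an error message.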

The fun is when you can put GNC into bodybuilding.com. It just seems so wrong.
