One of the most famous examples of a cross-site scripting (XSS) vulnerability is the Myspace Samy Worm created by Samy Kamkar. In October 2005, Kamkar exploited a vulnerability on Myspace that allowed him to store a JavaScript payload on his profile. Whenever a logged-in user would visit his Myspace profile, the payload code would execute, making the viewer Kamkar’s friend on Myspace and updating the viewer’s profile to display the text “but most of all, samy is my hero.” Then the code would copy itself to the viewer’s profile and continue infecting other Myspace user pages.

Although Kamkar didn’t create the worm with malicious ...

Get Real-World Bug Hunting now with O’Reilly online learning.