It operates anywhere that you can type in the name of the company and then have the web page make the mistake of actually treating that name as code. (There are various ways that a web page developer can screw that up.)
That downloads a script that then has access to all of the data on the web page. Which is a bad thing if that page contains secrets like passwords, PINS, or personal information. If not prevented from doing so, it could send that information out.
Browsers are supposed to prevent scripts you get from one site from sending information to another. That's the "cross site scripting" part. It's not 100% effective, and yet manages to be a pain in the butt in writing some web pages. So it ends up being disabled or worked around.
To exploit it you'd need both a web page that failed to properly sanitize its inputs and a mis-configured site. It happens more than you'd like, though these days it's usually easier to just socially engineer users into telling you their passwords. This company name is pretty much just a joke rather than a serious hack, but it's demonstrating things that have been used for serious hacking.
8 comments
[ 2.4 ms ] story [ 23.9 ms ] threadthe name is something like:
which then, when used in a web page turns the relevant part into something like:That downloads a script that then has access to all of the data on the web page. Which is a bad thing if that page contains secrets like passwords, PINS, or personal information. If not prevented from doing so, it could send that information out.
Browsers are supposed to prevent scripts you get from one site from sending information to another. That's the "cross site scripting" part. It's not 100% effective, and yet manages to be a pain in the butt in writing some web pages. So it ends up being disabled or worked around.
To exploit it you'd need both a web page that failed to properly sanitize its inputs and a mis-configured site. It happens more than you'd like, though these days it's usually easier to just socially engineer users into telling you their passwords. This company name is pretty much just a joke rather than a serious hack, but it's demonstrating things that have been used for serious hacking.
I think it was semi-serious at least. Iirc, the name was loading xss-hunter.