
[Repost] The XSS security challenge


Original link: http://community.livejournal.com/lj_dev/708313.html

Anybody bored and want a permanent account? Read on:

We're going to be running an XSS (Cross site scripting / Javascript injection) bug hunt challenge soon here. The biz people like the idea but need to squabble over rules and legal stuff. Unofficially, it'll involve giving out permanent accounts and money (or gift certificates).

So while I can't promise you jack right now in terms of money, I can give out permanent accounts like candy, so I'll announce the first round of the game:

STEP 1: Go to http://www.test.dev.livejournal.org/ . Make an account. Probably need to change it to paid so you can make styles/etc.

STEP 2: Inject some JavaScript. Use S1, S2, CSS, overrides, you name it. It'd probably help if you read the HTML and CSS cleaner code in cvs to look for bugs, but it's not required. If you want, the code is at:

cvs/livejournal/cgi-bin/cleanhtml.pl
cvs/wcmtools/lib/HTMLCleaner.pm
cvs/wcmtools/lib/CSS-Cleaner/lib/CSS/Cleaner.pm

CVS viewers are at http://cvs.danga.com/ and http://cvs.livejournal.org/ .

STEP 3: Email me (brad@danga.com) with subject containing at least "XSS-LJ", and a URL to a minimal test case illustrating your hole. I need to know how you did it, source code, maybe your test account's password, whatever it takes. The more clear it is, the more likely you win and I don't accept somebody else's later but more clear bug report first. After you find a hole, go create a new account for your next hole.

Brad's unofficial rules: I am judge, jury, and sole candy giver, at least until there are official rules. If I give you a permanent account, that doesn't mean you're not eligible for money/gift certificates later. We'll retroactively give that out for the best/hardest-to-fix/most-clever holes after the fact.

NOTE: The code running on the above URLs isn't live on the site yet. We don't care about holes at www.livejournal.com, because they're likely already fixed in the test code. The test code will go live on the site soon-ish. So reproduce (or produce) your bug reports on the test machine.

NOTE 2: The test machine above is a small virtual machine. I might not have given it enough memory. If it sucks, I'll increase it. Bear with me.
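STEP 2 of the post points at the HTML and CSS cleaner code as the place where the holes live: user-supplied markup and styles are only safe because an allowlist filter decides what survives. The example below is added here to show, from the defender's side, what such a cleaner has to do; it is not LiveJournal's cleanhtml.pl or CSS::Cleaner code and does not reproduce their rules. The tag, attribute, URL-scheme and CSS-property allowlists are illustrative assumptions, and the inputs in the docstring are constructed for the demonstration.

```python
"""Minimal allowlist-based HTML/CSS cleaner (added example, not LiveJournal's code).

Policy, all assumed for illustration:
  - unknown tags are dropped but their text is kept (script/style lose content too)
  - only allowlisted attributes survive; href must use an allowlisted scheme
  - style keeps only allowlisted properties with plain literal values
    (no parentheses, so url()/expression() style function calls cannot pass)
"""
import re
from html import escape
from html.parser import HTMLParser
from typing import Optional

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"style"}, "div": {"style"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
ALLOWED_CSS_PROPS = {"color", "background-color", "font-weight", "font-size", "text-align"}
# Literal CSS values only: letters, digits, '#', '%', '.', ',', '-' and whitespace.
CSS_VALUE_RE = re.compile(r"^[A-Za-z0-9#%.,\s-]+$")


def clean_url(value: str) -> Optional[str]:
    """Return the URL if its scheme is allowlisted (or it has no scheme), else None."""
    # Browsers ignore control characters and whitespace inside a scheme, so drop
    # them before deciding; this keeps "java script:" from sneaking past.
    probe = re.sub(r"[\x00-\x20]", "", value).lower()
    if ":" in probe and probe.split(":", 1)[0] not in SAFE_URL_SCHEMES:
        return None
    return value.strip()


def clean_style(value: str) -> str:
    """Keep only allowlisted properties whose value matches the literal pattern."""
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        if not sep:
            continue
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS_PROPS and CSS_VALUE_RE.match(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class Cleaner(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only what the policy allows."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []
        self.open_tags: list = []   # allowed tags currently open, for balanced output
        self.skipping: Optional[str] = None  # set while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text still reaches handle_data
        pieces = []
        for name, val in attrs:
            if val is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                val = clean_url(val)
            elif name == "style":
                val = clean_style(val)
            if val:
                pieces.append(f' {name}="{escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(pieces)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            # Close everything opened after it as well, so output stays nested.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they carry no content worth keeping


def clean_html(fragment: str) -> str:
    """Return a re-serialised fragment containing only allowlisted markup."""
    p = Cleaner()
    p.feed(fragment)
    p.close()
    while p.open_tags:  # close anything the input left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs: an event-handler attribute, a non-allowlisted URL
    # scheme, a style with a function call, and an unclosed tag.
    for sample in ('<b onmouseover="x">hi</b>',
                   '<a href="ftp://example.org/">x</a>',
                   '<span style="color: red; background-color: url(remote)">t</span>',
                   '<i>unclosed'):
        print(repr(sample), "->", repr(clean_html(sample)))
```

The important design choice is that the cleaner re-serialises rather than patches: nothing from the input reaches the output unless a rule explicitly emits it, which is what makes a bug hunt like this one a search for gaps in the allowlist rather than for a missing blocklist entry.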

