Will someone please explain this

ok so facebook changed the way that their "my status" feature is set up making is so that you can get rid of that annoying "IS" that it auto puts in front of what you write. So i got the idea to put sum basic javascript into the box just to see what would happen.Example: javascript:alert("uGotHacked")

but when it would post it on the page it automatically puts a space between in the word alert Example : javascript:ale rt("uGotHacked") ive played around with it for a lil while now but cant get it to let the script be written correctly.

Im sure this is some common security measure but i would like someone to explain what is happening and is there anyway around it. thanks for any feedback guys/girls.

yea i don't think there is really a way. plus i don't use facebook so i have no idea what that is but i know with my space it would look like

markup......:alert(uGotHacked)

pm me with waht you've tried.

? like literally …..:alert

I'm sure facebook just filters certain keywords like "alert" and "script" to display with spaces and other blockades.

Good luck getting by it, you need to hit these sorts of sites when they're young.

There was a great article on a Facebook XSS Worm, let me look it up for you.

http://www.cs.virginia.edu/felt/fbook/facebook-xss-censored.pdf

^_@

i remember a while ago when myspace just had a javascript to stop the the javascript so i used firebug to delete the javascript on the page so i could post what i wanted on peoples profile. but they fixed it and i doubt that facebook has the same thing but it doesn't hurt to check the script.

yea i didnt get my hopes up about an exploit on such a big site but they just made the change and i was hoping for a miracle. but i seems that i just auto spaces 3 characters after a : symbol.

thanks guys for trying to help me. Im so glad i found this place just b4 hackthissite went down. I have a new family lol:D

fallingmidget wrote: i remember a while ago when myspace just had a javascript to stop the the javascript so i used firebug to delete the javascript on the page so i could post what i wanted on peoples profile. but they fixed it and i doubt that facebook has the same thing but it doesn't hurt to check the script.

Thanks for informing me about firebug, It's very useful :)

Good try, but Facebook will be a hard site to exploit. Least you had ago, and they probally do have filters on certain words…I don't think you will find an exploit within the status box.

Gamertag07v2 wrote: yea i didnt get my hopes up about an exploit on such a big site

XSS vulnerabilities in large sites are more common than you probably think, I mean just take a look at the top pagerank list on XSSed.com :p

I've found XSS in Yahoo, Google, NASA, AltaVista, MSN and almost a thousand other sites (including hellboundhackers.org). My point is that it's actually easier to find a vulnerability if you're searching a bigger site since there's more content.

dex_poet wrote: Just wondering in general, do you want people to know you found things? I mean if it can be related to money or hacking, we always seem to be placed on the accused side.

Well I submit XSS vulnerable sites to XSSed.com and I also help people admins to patch them. I haven't used any of those vulnerabilities for malicious purposes and therefore I wouldn't say that I've hacked them at all.

I guess some people would call it 'pro-full-disclosure whitehat-ethics' or something, but I rather call it helping people to fix their security and letting other people know how to find and remove bugs and vulnerabilities. My experience is that most admins appreciate if you help them for free.

I also help patching other stuff like for example SQL problems and File Inclusion vulnerabilities, but that's never submitted to any archives :)