Friday, November 10, 2006

when I learned what XSS is

Here's another old Amazon history post. February, 2000- I'd had Declan for barely over a month, and I remember being outside with him, walking around our parking lot, on a rather sunny day. (It's never sunny in Seattle in February, that's why I particularly remember this.) I was the oncall frontend QA- basically, if we had to do an emergency content push to the onlines, I would be the one checkpoint. Small responsibility for a 22 year old. My pager went off, I went in, and logged into my computer, and read the problem. It linked to CERT Advisory On Malicious HTML Tags on slashdot. That was the birth of XSS.

I spent the next several hours testing pushes for every single page on the site that echoed back user input. On a site like amazon, you can imagine what that was like- I seem to recall that a lot of my time was frantically deleting pages from my pager because it kept running out of space for stored messages. Thankfully I worked with some great people, I remember farming out a lot of the testing to Jason, who was still really a newbie at that time. This is one of my starkest memories: we had the slashdot article on this open, and would reload over and over again reading the comments as more vulnerable sites were found, more exploits related to this came to light. The comments are still an interesting read today.

It took a few days for me to wrap my head around what this bug was, at the time I was just trying to test with the sample input we had, without totally following the complete theory of what we were doing. To be fair, I doubt anyone that understood that. I can talk a lot now about filtering vs escaping, why I love <plaintext>, and so on, but that day was more about survival mode. Lots of fun, though, and another insane amazon experience that I wouldn't trade for anything.

No comments: