Zero Day Vulnerability for MySpace.com

Proof-of-concept code for a zero-day vulnerability in myspace.com has just emerged. The vulnerability relies on XSS fragmentation, a seldom-used but effective technique that can be employed against social networking sites such as myspace.com.

In XSS fragmentation, the script code is delivered as multiple chunks instead of a single unit. Because the code is split into fragments, it is less likely to be flagged as a security threat by automated filters or firewalls. XSS fragmentation allows an attacker to inject script code into various sections of a website. In the case of myspace, an attacker could place malicious script code in the user interests section for music and film. Of course, any devious attacker can employ social engineering to maximize the impact of this vulnerability.

Myspace.com is particularly vulnerable because it allows a large volume of user-defined content to be uploaded. Unless such a volume of content can be filtered thoroughly, there is always the possibility of uploading content that contains malicious code that could be executed on the user’s system via the web browser.
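Why filtering each field on its own misses fragmented script, and how encoding at output time closes the gap, is shown in the following added example (it is not from the original post or from MySpace's code). The template, the field values and the inert `placeholder()` handler are constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Naive per-field filter: flags a value only when it contains a complete
# <script> tag or a complete tag carrying an on*= event handler.
COMPLETE_TAG = re.compile(r"<script\b[^>]*>|<[^>]*\bon\w+\s*=[^>]*>", re.I)
TEMPLATE = "<td>{music}</td><td>{film}</td>"  # hypothetical profile template

def field_is_flagged(value):
    return bool(COMPLETE_TAG.search(value))

class ActiveContentFinder(HTMLParser):
    """Collects script tags and on* attributes as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((tag, None))
        self.findings += [(tag, n) for n, _ in attrs if n.startswith("on")]

def scan_page(page):
    # Inspect the assembled page, i.e. what the browser will actually parse.
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings

def render_raw(profile):
    # Vulnerable: fields are concatenated into the page unescaped.
    return TEMPLATE.format(**profile)

def render_escaped(profile):
    # Hardened: every field is HTML-encoded at output time.
    return TEMPLATE.format(**{k: html.escape(v) for k, v in profile.items()})

# Constructed sample: neither fragment is a complete tag on its own.
FRAGMENTED = {"music": '<img src="x" title="',
              "film": '" onerror="placeholder()">'}

if __name__ == "__main__":
    print([field_is_flagged(v) for v in FRAGMENTED.values()])
    print(scan_page(render_raw(FRAGMENTED)))
    print(scan_page(render_escaped(FRAGMENTED)))
```

The per-field filter passes both fragments, yet the unescaped page contains an event handler once the fields are joined; with output encoding the same input renders as inert text.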

Dark Reading provides the in-depth facts of this vulnerability. A working example of this proof of concept can be seen here.





© Copyright 2011 Trend Micro Inc. All rights reserved.