What happens when you mix one of the most evil things in music with the evil that is cross-site scripting?

Let’s just say that the potential for shenanigans is endless.

Observe the result of entering the following embed tag into an editable column for one of our internal web apps.

   1: <embed src="http://www.youtube.com/v/XZ5TajZYW6Y&hl=en_US&fs=1&rel=0&autoplay=1" type="application/x-shockwave-flash" width="640" height="385" autoplay="true"></embed>.

Like a huge number of websites, this one directly displays the user-input on the screen without first scrubbing it with something like HttpUtility.HtmlEncode() (.NET world).

Want to partake in the fun?

All you have to do is find an internal website in your development environment that is vulnerable by trying to paste the embed tag into a textbox of some editable grid. If the video displays after saving, then simply send a fellow developer or tester an email asking them to go to the vulnerable page and verify some made-up bug. When they pull it up, they will be rickrolled.

Many thanks to Dan, our new tester, for catching this bug and hatching the evil plot.

Any other suggestions on fun things I can do to my co-workers before this bug gets fixed (without getting me fired)?

Popularity: 2% [?]