MySpace Hacked with CSRF and XSS
It seams that someone recently hacked myspace.com, the ColdFusion powered community site with millions of users.
By the time myspace shut down their site for a few hours to investigate he had over 1 million requests from unknowing myspace members for him to be listed as their myspace friend.
Too bad back in those days they didn't have xss countermeasures like Content Security Policy headers as we do today. It would have limited the damage.
- Announcing Web Application Firewall for ColdFusion - July 9, 2007
- csrfVerifyToken does not invalidate the token - February 6, 2019
- Firefox Aurora now Supports Content Security Policy 1.0 - May 31, 2013
- HackMyCF Scanner Updated - February 1, 2011
- Using AntiSamy with ColdFusion - August 5, 2010
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained