I've had a lot of fun over the past few years detecting and fixing XSS attacks - a few months ago compromising several thousand user accounts belonging to a particular niche social networking site and then more recently experimenting with XSS issues upon a popular software developer's advocate blog.
One thing I've been wondering about recently is meta-XSS attacks.
Consider the LKML (linux kernel mailing list). This list receives lots of long patches, submitted by email, which are copied verbatim to various sites. For example if I mailed an interesting patch to LKML chances are it would get posted to:
(Obviously the challenge here is to make a patch sufficiently interesting that it received more than usual coverage.)
Do each of those sites HTML-encode patches? In general they do, certainly the ones I looked at had code like this:
#include <linux.h> ... ...
But I'm certain that not all sites do so. I'm also pretty sure there are interesting avenues to explore here, and the general idea of indirectly attacking a specific target is ripe for exploration.
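As an added illustration of the encoding the post is talking about (this is example code written for this page, not code from any of the mirror sites mentioned), the block below renders a mailed patch into an HTML block in two ways: a naive version that concatenates the raw text, and a version that HTML-encodes it first. A small check function then reports which angle-bracket fragments of the patch survived unencoded in a rendered page, which is the test a site operator can run against their own mirror. The sample patch, the function names `render_patch`, `naive_render` and `unescaped_fragments`, and the `class="patch"` attribute are all assumptions made for the example.

```python
import html
import re

# Constructed sample patch, in the shape such a mail arrives in. The
# include lines are exactly the kind of text that a mirror which skips
# encoding hands to the browser as a tag.
SAMPLE_PATCH = """\
--- a/drivers/example.c
+++ b/drivers/example.c
@@ -1,3 +1,4 @@
 #include <linux.h>
+#include <linux/module.h>
 int x;
"""


def naive_render(patch_text: str) -> str:
    """The mistake: the patch body is dropped straight into the page, so
    any <...> in it is parsed by the browser as markup."""
    return "<pre>" + patch_text + "</pre>"


def render_patch(patch_text: str) -> str:
    """The fix: every character with HTML meaning (< > & " ') is escaped,
    so the patch is displayed as text and cannot become markup."""
    return '<pre class="patch">' + html.escape(patch_text, quote=True) + "</pre>"


# Anything that looks like a tag in the incoming patch text.
TAG_RE = re.compile(r"<[^>]+>")


def unescaped_fragments(patch_text: str, rendered_html: str) -> list:
    """Check a rendered page against the patch it was built from.

    Returns the <...> fragments of the patch that appear verbatim in the
    rendered HTML, i.e. were not encoded. An empty list means the mirror
    encoded everything it should have."""
    leaked = [frag for frag in set(TAG_RE.findall(patch_text))
              if frag in rendered_html]
    return sorted(leaked)


if __name__ == "__main__":
    print("naive :", unescaped_fragments(SAMPLE_PATCH, naive_render(SAMPLE_PATCH)))
    print("escaped:", unescaped_fragments(SAMPLE_PATCH, render_patch(SAMPLE_PATCH)))
```

Running the block shows the naive renderer leaking both include lines as tags while the escaping renderer leaks nothing. The check is deliberately a comparison of source text against rendered output rather than a scan of the output alone: a site can legitimately contain tags of its own, so the only reliable question is whether fragments that came from the untrusted patch are still present as raw markup.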
Anyway I'm probably not the person to go playing in the field these days; I don't have the time. But it is certainly interesting to think about.
ObFilm: Dirty Harry