Michael Gracie » XSS

Google search box opens up XSS vulnerability

Michael Gracie — Wed, 29 Nov 2006 16:30:04 +0000

Couldn’t think of a sarcastic title for this post, and I don’t think it makes a heck of a lot of difference anyway – it’s just news, and not much to worry about. The Google Search Appliance, that box companies throw on the rack to help them weed through data on their own networks, opens up a cross-site scripting vulnerability that can allow phishers to promote their own scams.

Google has already issued a fix, and if the organizations using the system don’t want to pay attention, it becomes their problem alone.

©2004-10 Michael Gracie - Technology, Finance, Fly-Fishing, and vain attempts to merge the three. Use of this feed is for personal non-commercial use only - any and all other uses may be subject to court-ordered asylum commitment.

Cross-site scripting goes primetime

Michael Gracie — Mon, 25 Sep 2006 16:40:05 +0000

Cross-site scripting attacks are hitting major websites, including MySpace, YouTube, and even venerable oldies like MSN, Dell, and Apple.

XSS attacks were long a tool of cute little script kiddies who malformed sites for the joy of their cute little friends. As a result, some still question how big the threat really is.

Just when you get complacent, someone is going to figure out how to make money from a vulnerability. Then shit hits the fan, and a bunch of overpriced consultants run in to save the day while someone’s multi-million a year ecommerce site flails, frames displaying Winnie-the-Pooh notwithstanding.

XSS, welcome to the corporate world.

The Script Kiddie Cookbook

Michael Gracie — Tue, 15 Aug 2006 13:42:32 +0000

When a script kiddie injects a chunk of javascript or a frame into a website, it generally gets fixed pretty quickly and everyone laughs about it. Maybe developers should think twice – those XSS exploits can cause a lot of harm, as detailed here.

I just got though jumping through hoops, getting special characters stripped from forms galore in an app. It was a pain in the butt, and the whole time I was thinking “who cares” if someone sticks a random reference to some other site, or a smiley faced pop-up. I did the work anyway, but I certainly won’t be shrugging off the risks anymore.

***UPDATE***

Brian Krebs has uncovered a few big sites that are affected by XSS. The NSA? Heh.