Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross-Site Scripting Hits Major Sites

Posted by ryuzaki0 on from the scriptdidy-doo-daa-scriptdidy-day dept.

An anonymous reader writes "Dark Reading and SC Magazine covered a story about hackers posting cross-site scripting (XSS) vulnerabilies en mass on dozens of high profile websites including Dell, MSN, HP, Apple, Myspace, YouTube, MSN, Cingular, etc. The media coverage drew the hacker's attention to the publication's websites where they got a taste first-hand. On message board wall-of-shame is PC World, MacWorld, Fox News, the Independent, and ZDNet UK. "...not only did we get the "scoop" on the XSS site problems, but we also got the message loud and clear: Don't assume you're immune to XSS vulnerabilities. They're everywhere." The news comes shortly after Mitre (CVE) released statistics showing XSS has become the most popular exploit. Unfortunately new XSS attacks are growing increasingly severe and scanners are unable to find many of the issues on modern websites."

4 of 161 comments (clear)

  1. The Cross Site Scripting FAQ by mrkitty · · Score: 5, Informative



    The Cross Site Scripting FAQ

    --
    Believe me, if I started murdering people, there would be none of you left.
    1. Re:The Cross Site Scripting FAQ by blowdart · · Score: 5, Informative
      No it doesn't. Cross site scripting works by adding a script tag to the source page. For example, imagine you have allowed scripts from slashdot because you can't use the new comments system without it.

      Now an evil hax0r manages to insert an XSS attack on slashdot what would happen is the attack would be embedded in a normal slashdot page, as a block. So the source would be from slashdot.org, and noscript would view it as being allowed.

    2. Re:The Cross Site Scripting FAQ by blowdart · · Score: 3, Informative

      I was talking generically; anyway the redirect is not an XSS attack at all.

  2. Re:I don't get XSS by Yvanhoe · · Score: 3, Informative

    That's it. They allow users in forum to post links, and URL. URL can have a lot of strange characters in it, & ? ! # etc... Apparently, the basis of XSS is to make a link that appears like a valid URL but that will, in some clients, execute as a javascript code, usually in order to steal cookies (therefore, an opened session) of the user watching the post. There seems to be a shield vs sword thing growing between attackers and web developers. You have numerous ways of "hiding" a code in an URL, hexadecimal notation, strange utf-8 characters and so on. Here again, an incomplete implementation of a standard is the cause of major headaches.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.