Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross-Site Scripting Hits Major Sites

Posted by ryuzaki0 on from the scriptdidy-doo-daa-scriptdidy-day dept.

An anonymous reader writes "Dark Reading and SC Magazine covered a story about hackers posting cross-site scripting (XSS) vulnerabilies en mass on dozens of high profile websites including Dell, MSN, HP, Apple, Myspace, YouTube, MSN, Cingular, etc. The media coverage drew the hacker's attention to the publication's websites where they got a taste first-hand. On message board wall-of-shame is PC World, MacWorld, Fox News, the Independent, and ZDNet UK. "...not only did we get the "scoop" on the XSS site problems, but we also got the message loud and clear: Don't assume you're immune to XSS vulnerabilities. They're everywhere." The news comes shortly after Mitre (CVE) released statistics showing XSS has become the most popular exploit. Unfortunately new XSS attacks are growing increasingly severe and scanners are unable to find many of the issues on modern websites."

2 of 161 comments (clear)

  1. The Cross Site Scripting FAQ by mrkitty · · Score: 5, Informative



    The Cross Site Scripting FAQ

    --
    Believe me, if I started murdering people, there would be none of you left.
    1. Re:The Cross Site Scripting FAQ by blowdart · · Score: 5, Informative
      No it doesn't. Cross site scripting works by adding a script tag to the source page. For example, imagine you have allowed scripts from slashdot because you can't use the new comments system without it.

      Now an evil hax0r manages to insert an XSS attack on slashdot what would happen is the attack would be embedded in a normal slashdot page, as a block. So the source would be from slashdot.org, and noscript would view it as being allowed.