Home

XSS, the new internet plague?

Submitted by xqus on Mon, 02/19/2007 - 16:39

I'm obsessed with XSS, I can't help it. Whenever I stumble upon a new site I test it for common XSS attacks.
The real scary thing here is that most sites are in fact vulnerable. Usually I send the webmaster an e-mail, and I get a thank you wery much back.

Some weeks ago while trying to log in to my online bank, I entered the wrong account number and an error message was returned. I noticed that the account number i entered the first time was used as the field value on the new login screen. I couldn't help it, and tried with one of the most common XSS payloads: ">.
It worked, one of the largest banks in Norway, vulnerable to a XSS attack in the login screen.
I contacted the bank, telling them that i found a security hole. The next day some dude called and told me he should send my e-mail to the security team.

It has been 4 weeks and they haven't contacted me yet. So I guess my next step will to publish what i found on my company website. I don't like it considering the way to many back hats out there.

Tags:

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd><pre><blockquote>
  • Lines and paragraphs break automatically.
  • Insert Flickr images: [flickr-photo:id=230452326,size=s] or [flickr-photoset:id=72157594262419167,size=m].

More information about formatting options

del.icio.us bookmarks

saved by 2 other people

RSS, XHTML, CSS

Drupal Themes Design by SEOposition.com