MI5 and WHO Websites Compromised

Vulnerable to cross-site scripting attacks

By Lucian Constantin, Web News Editor

22nd of July 2009, 11:33 GMT



MI5 and World Health Organization websites vulnerable to XSS attacks
Websites belonging to the UK's national security agency, MI5 (Military Intelligence, Section 5), and the World Health Organization (WHO) have been found vulnerable to cross-site scripting attacks. The weaknesses allow attackers to inject rogue IFrames, prompt JavaScript alerts or redirect visitors to other potentially malicious Web pages.

The cross-site scripting flaws were reported by a member of a group of programmers and security enthusiasts calling themselves Team Elite. Going by the online handle of [-TE-]-Neo, the grey hat hacker posted screenshots of several proof-of-concept XSS attacks against the two websites.

Cross-site scripting, or XSS, is a type of vulnerability that facilitates injecting rogue code into otherwise legit Web pages. Such flaws generally result from failure to properly validate user input into forms and can have different levels of impact, with persistent or Type 2 XSS being the most severe.

It is worth noting that, in the case of the MI5 and WHO websites, the cross-site weaknesses are non-persistent, or Type 1, and can only be exploited by opening malformed URLs. However, this does not mean that they are not dangerous.

Non-persistent XSS vulnerabilities can be used to significantly increase the credibility of phishing or malware-distribution campaigns. Instead of having to trick a user into visiting a fake page hosted on a dubious domain, the attacker can link to a vulnerable page on the legit domain directly.

The weakness in the MI5 website is located in the search form, which allows passing code as a search string. This can be used to inject a rogue IFrame into the page, which can, in turn, load more malicious code from a third-party domain via its src= attribute.

The WHO website has a very similar problem, with the search form being exploitable in the same manner. For a funny demonstration, Neo has injected an image of a flying pig into its search result page, to suggest how the World Health Organization is currently coordinating the global fight against swine flu.
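
The search-form flaw described above for both sites, shown as an added example that is not from the article or from either website: a search handler that echoes the query unencoded, next to one that HTML-encodes it on output. The handlers, URL and domains are constructed assumptions.

```python
# Added example: reflected (Type 1) XSS in a search page, and the output-encoding fix.
# Handlers, URL and domains are constructed; this is not either site's code.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a search URL whose "q" value is markup rather than text.
SAMPLE_URL = ("https://site.example/search?q=%3Ciframe%20src%3D%22"
              "https%3A%2F%2Fthird-party.example%2F%22%3E%3C%2Fiframe%3E")

def get_query(url):
    """Return the decoded 'q' parameter of a search URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def render_vulnerable(query):
    """The flaw: the search string is echoed into the response unchanged."""
    return f"<h1>Results for {query}</h1><p>No results found.</p>"

def render_hardened(query):
    """The fix: HTML-encode the value at the point where it is written out."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1><p>No results found.</p>"

class _TagCollector(HTMLParser):
    """Records every element a parser would create from a page."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def parsed_tags(page):
    """List the element names an HTML parser finds in the rendered page."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags

if __name__ == "__main__":
    q = get_query(SAMPLE_URL)
    print(parsed_tags(render_vulnerable(q)))  # the iframe becomes a real element
    print(parsed_tags(render_hardened(q)))    # only the page's own elements remain
    print(render_hardened(q))
```

Parsing the rendered output, rather than searching it for a substring, is what shows the difference: the encoded query still appears on the page as text, but no longer creates an element.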

According to the hacker, the administrators of both websites have been notified, but, at the time of writing this article, the MI5 site was still vulnerable.

Rogue JavaScript prompt on MI5 website
IFrame injection on MI5 website
Rogue JavaScript prompt on WHO website
IFrame injection on WHO website


© Copyright 2001-2010 Softpedia