An Adidas official store, DC Shoes and Spike.com were also found to be vulnerable

Feb 20, 2012 14:11 GMT

TeamHav0k provided us with proof-of-concepts showing that the official websites of the UK Air Accidents Investigation Branch (AAIB) and the Brighton and Hove City Council contain cross-site scripting (XSS) vulnerabilities that hackers could leverage to execute arbitrary code in visitors' browsers and even steal data.

“Here are some more XSSes; all but the "aaib.gov.uk" one can be utilized for cookie stealing, claiming slaves for your XSS Tunnel or XSSF, among other nasty things that can be done if you have the knowledge to properly utilize XSS, that is,” the hackers said.

Besides the vulnerabilities in the sites owned by the UK government, the grey hats also identified a flaw in the official site of the Brazilian state of Tocantins.

Three commercial websites also turned out to contain the same type of vulnerability. Shopadidas.com, an official online Adidas store, dcshoes.com, the site of a US-based company specializing in footwear for extreme sports, and spike.com, a Viacom-owned digital entertainment provider, were found to be insecure.

Hopefully, the websites’ administrators will not ignore these vulnerabilities, especially if we consider the risks posed by these types of security holes.

When TeamHav0k disclosed vulnerability information to Songfacts, they showed hackers and website administrators worldwide that sites can be patched up with a little effort.

The site’s owners immediately acted on fixing the weaknesses to provide their customers not only with useful information, but also with the guarantee of a safe online experience.

The hackers even provided some great tips on how the flaws can be addressed, but they also highlighted the dangers hiding behind the well-known XSS.

“If the attacker has the proper knowledge of XSS and has some Social Engineering skills, he/she can then send a non-persistent payload to a victim, from which point the attack can open up a backdoor on the victim's computer, taking complete control: total OS compromise,” the hackers said at the time.
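The non-persistent (reflected) XSS the hackers describe arises when a site copies a request parameter straight into its HTML. The following Python example is added here to illustrate the fix an administrator would apply and a regression check for it; it is not TeamHav0k's advice nor code from any of the sites named in the article. The search page, its `q` parameter and the `<xssprobe>` marker are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample: a hypothetical search page that reflects the "q" parameter
# into an HTML text context. Real sites would use a templating engine, but the
# escaping rule is the same.
TEMPLATE = "<html><body><p>Results for: {q}</p></body></html>"


def _query_param(url: str, name: str) -> str:
    """Extract one query-string parameter (first value, or empty string)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """'Before' behaviour: the parameter lands in the page verbatim.

    Any HTML metacharacters in q become markup, which is the reflected XSS
    condition the article describes.
    """
    return TEMPLATE.format(q=_query_param(url, "q"))


def render_safe(url: str) -> str:
    """Hardened behaviour: HTML-escape the value before inserting it.

    html.escape converts < > & " ' into entities, so user input is shown as
    text rather than interpreted as markup. Note this is the correct encoding
    for an HTML text or attribute context only; JavaScript or URL contexts need
    their own encoders.
    """
    return TEMPLATE.format(q=html.escape(_query_param(url, "q"), quote=True))


def reflects_unescaped(render, base_url: str = "http://example.test/search") -> bool:
    """Regression check for administrators.

    Sends a harmless marker containing HTML metacharacters through the page and
    reports whether it comes back unencoded. A True result means the page still
    reflects raw markup and the fix has not been applied (or has regressed).
    """
    marker = "<xssprobe>"
    page = render(f"{base_url}?q={marker}")
    return marker in page


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        status = "REFLECTS RAW MARKUP" if reflects_unescaped(fn) else "escaped"
        print(f"{name}: {status}")
```

Running the check against both renderers shows the unescaped page failing and the escaped page passing; the same probe can be pointed at a staging deployment after each release so the fix stays in place.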