Stories about: cross-site scripting |
Microsoft is cooking the next iteration of the Anti-Cross Site Scripting Library, promising that the first Community Technology Preview will be made available soon. No definitive availability date was made public at the time of this article, but Anil Revuru, Senior SDE, Information Security Tools team, did share some... |
19 October 2009 04:19 GMT |
 |
Preview builds of Firefox 3.7 are now available for download, offering the first fruits of Mozilla’s efforts to bulletproof systems against cross-site scripting related attacks. At the end of the past month, Brandon Sterne, Mozilla security program manager, revealed that the work necessary to turn the Content S... |
5 October 2009 10:07 GMT |
 |
Reddit was hit yesterday by an out-of-control XSS worm, which someone launched as a proof of concept. The website administrators moved swiftly to stop the attack and inform the public, thus earning the appreciation of the security community. Reddit is a social news and social bookmarking website that allows users to p... |
29 September 2009 05:44 GMT |
 |
Users of the LiveJournal blogging platform were the target of a malicious attack on Tuesday, when a social networking worm that spread by simply viewing an infected post was released on the website. The malware stole email addresses and made private blog entries accessible to everyone. The LiveJournal staff has post... |
24 September 2009 09:42 GMT |
 |
RBS WorldPay is currently banging heads with a grey hat hacker over the seriousness of SQL injection vulnerabilities that he discovered on its websites. Meanwhile, another web developer exposed a cross-site scripting weakness in a site belonging to the company in order to prove that its efforts to mitigate XSS are no... |
12 September 2009 04:26 GMT |
 |
A Web security researcher going by the online handle "theharmonyguy" continued to probe popular Facebook applications for vulnerabilities as part of an initiative called "Month of Facebook Bugs." LiveSocial, Movies, Farm Town and RockYou Live were all found to suffer from cross-site scripting weaknesses. As we previou... |
7 September 2009 08:02 GMT |
 |
After a critical Twitter cross-site scripting vulnerability was recently discovered and reported on, the website's security team rushed to address it. Subsequent scrutiny of the patch exposed it as being a seriously inadequate fix that can be circumvented with ease to continue injecting malicious code into tweet... |
27 August 2009 03:56 GMT |
 |
A blogger trying to bypass Twitter's new nofollow policy for oauth client application links stumbled upon a massive persistent cross-site scripting (XSS) vulnerability, which allowed him to insert potentially malicious JavaScript code into a tweet. The vulnerability could have been leveraged to steal session coo... |
26 August 2009 04:46 GMT |
 |
Security researchers warn that a new worm has been spotted on Chinese social networking website Renren.com. The worm masquerades as a Flash music video of Pink Floyd's Wish You Were Here and spreads by exploiting a cross-site scripting hole. The message has the title "Pink Floyd – Wish You Were Here" and it co... |
25 August 2009 07:29 GMT |
 |
Adobe Inc. published on the 17th of August 2009 several security fixes for the ColdFusion web design and development platform and also for the web servlet engine JRun. The updates were labeled as critical and resolved several cross-site scripting vulnerabilities that could have compromised and exposed account informa... |
18 August 2009 06:32 GMT |
 |
Websites belonging to the UK's national security agency, the MI5 (Military Intelligence, Section 5) and the World Health Organization (WHO) have been found vulnerable to cross-site scripting attacks. The weaknesses allow attackers to inject rogue IFrames, prompt JavaScript alerts or redirect visitors to other poten... |
22 July 2009 07:33 GMT |
 |
Security engineers from Mozilla want to tackle cross-site scripting attacks with a new technology they call the Content Security Policy (CSP). This new specification would allow websites to set directives that enforce certain restrictions over what content the CSP-aware browsers trust. Cross-site scripting, also kno... |
24 June 2009 07:50 GMT |
 |
Strong Webmail, a webmail service featuring enhanced security, has recently challenged hackers to break into its CEO's e-mail account in order to win $10,000. It took a team of well-known security researchers under two weeks to succeed, through cross-site scripting. The hacking contest is part of a marketing ca... |
5 June 2009 06:15 GMT |
 |
Self-confessed ethical hacking outfit Team Elite has recently reported cross-site scripting (XSS) weaknesses in not one, but four different Visa websites. All of the vulnerabilities allowed attackers to prompt arbitrary JavaScript alerts. The XSS vulnerabilities were reported by a grey-hat hacker calling himself Met... |
27 May 2009 08:17 GMT |
 |
A cross-site scripting vulnerability discovered in the website of RBS WorldPay allows attackers to launch efficient phishing attacks against customers. The same flaw can also be exploited to serve malware or prompt rogue alerts. The XSS weakness has been discovered and documented by a Team Elite member, going by the... |
23 May 2009 06:22 GMT |
 |
Cross-site scripting weaknesses have been discovered in two websites belonging to the Bank of America and U.S. Bank. The flaws facilitate potential phishing attacks, because they allow attackers to inject IFrames, hijack sessions, or prompt arbitrary alerts. Cross-site scripting, more commonly known as XSS, is a cla... |
21 May 2009 04:16 GMT |
 |
A grey-hat hacker going by the online handle of Vektor has disclosed several cross-site scripting vulnerabilities in several pages of the IFPI website. According to the report, Sage Pay, the payment service provider used by the IFPI and many other websites, is actually responsible for some of the flaws. Vektor is a ... |
18 May 2009 06:10 GMT |
 |
Vulnerable Flash files, which facilitate cross-site scripting attacks, still affect hundreds of thousands of websites today. Adobe's own Web page has been recently found vulnerable, even though this flaw was discovered and reported back in December 2007. Dimitris Pagkalos, co-founder of the XSSed project, warns... |
14 May 2009 04:30 GMT |
 |
Dangerous cross-site scripting vulnerabilities have been discovered in several PayPal websites, potentially facilitating phishing and other attacks. One of the proof-of-concept attacks demonstrates how an arbitrary IFrame can be injected into the PayPal merchant account registration form, over SSL. The vulnerabiliti... |
13 May 2009 06:11 GMT |
 |
A self-confessed web security researcher going by the online handle "Inferno" has published details of a serious XSS vulnerability in Google’s Support Python Script, which could have facilitated a wide variety of attacks, including session hijacking. Because of the widespread use of the vulnerable script on Goo... |
13 May 2009 04:18 GMT |
 |
Websites belonging to no less than six antivirus vendors have been found to suffer from cross-site scripting weaknesses that could facilitate phishing attacks. Most of these companies were faced with similar flaws affecting their online resources in the past. A grey-hat hacker, going by the name of Methodman, who se... |
11 May 2009 06:26 GMT |
 |
Vektor, the hacker who played a joke on the Motion Pictures Association of America (MPAA) earlier this week by listing The Pirate Bay torrents on its own website via an XSS flaw, has disclosed that the Recording Industry Association of America (RIAA) suffers from a similar weakness. Additionally, more MPAA-controlled... |
6 May 2009 06:12 GMT |
 |
A self-confessed white-hat hacker has published proof-of-concept attacks against websites connected to global IT security vendor McAfee. XSS vulnerabilities allow for an IFrame injection and rogue redirection. Methodman, a member of the Team Elite programming outfit, has published screenshots of the flaws he found i... |
4 May 2009 05:54 GMT |
 |
A white-hat hacker going by the nickname of Vektor has located several cross-site scripting vulnerabilities in the website of the Motion Picture Association of America (MPAA). In order to prove the existence of the flaws in a humorous manner, he decided to inject a "Thank you" page with a rogue IFrame, which loads th... |
4 May 2009 04:35 GMT |
 |
Websites belonging to Symantec and Kaspersky Labs, two of the biggest global providers of security solutions, have been found to be vulnerable to cross-site scripting attacks. Ill-intentioned individuals could have exploited the flaws to steal authentication cookies or inject rogue IFrames and other potentially malicious ... |
16 April 2009 07:08 GMT |
 |
Late on Saturday and Monday, the increasingly popular micro-blogging platform Twitter faced the e-wrath of Mikeyy again. A new worm released by the teenager affected its users, who unwillingly began to post new rogue messages on their profiles. During this past weekend, the Twitter staff fought a cat-and-mouse game ... |
14 April 2009 06:39 GMT |
 |
Several sustained attacks against Twitter users have created quite a stir on the micro-blogging platform, over the weekend. The incidents caused logged-in Twitters who were visiting compromised profiles to automatically propagate the worm by posting unauthorized messages. The first attacks hit during the early hours... |
13 April 2009 08:14 GMT |
 |
ScanSafe, a global provider of SaaS Web security, has announced that the official website of multiple Grammy Award-winning artist Paul McCartney has been compromised by hackers. The cybercrooks injected a malicious hidden IFrame into the pages, which was serving multiple exploits. The incident took place shortly bef... |
9 April 2009 08:59 GMT |
 |
Two security researchers have discovered a serious XSS weakness affecting the popular micro-blogging platform Twitter. By clicking on a hidden, maliciously crafted link, users can be forced to post messages without their knowledge. Lance James and Eric Wastl, security researchers for Secure Sciences Corporation, hav... |
20 March 2009 07:33 GMT |
 |
In keeping with a recent trend of vulnerability disclosures affecting the websites of antivirus vendors, AVG Technologies has just joined the list with an active XSS flaw that can be used to insert content in a page on its website. The cross site scripting flaw was discovered by a user going by the handle of "CrueLC... |
11 March 2009 05:02 GMT |
 |
The hackers' assault on security vendors' websites continues with ESET, developer of the popular NOD32 antivirus solution. Multiple websites controlled by the company are vulnerable to cross-site scripting and SQL injection. A hacker calling himself Methodman has published proof-of-concept attacks against ... |
28 February 2009 06:31 GMT |
 |
A cross-site scripting flaw affecting the Intel Product Security Center website has been disclosed. Successful exploitation allows for rogue iframe injection, arbitrary redirection and session cookie hijacking. The Intel Security Center is home to advisories regarding security issues that affect Intel products. "Int... |
28 February 2009 05:01 GMT |
 |
A hacker has disclosed several XSS flaws on free-av.com, online home to the free version of Avira AntiVir. The vulnerabilities that could have been used for redirection or hijacking session cookies have been patched by the antivirus vendor. The bugs in the Avira-controlled website have been discovered by a hacker go... |
25 February 2009 06:56 GMT |
 |
Kaspersky Labs' website security comes under scrutiny again by vulnerability hunters, after a SQL injection vulnerability was recently found. An ethical hacker has disclosed that three different pages from the German section of the Kaspersky website are vulnerable to cross-site scripting attacks. A hacker ... |
23 February 2009 05:28 GMT |
 |
After previously compromising websites belonging or related to Kaspersky and Bitdefender, the Romanian hackers from the HackersBlog crew launched a new successful SQL injection attack against the website of an antivirus vendor. This time around, it was F-Secure, however, the security breach did not have the potential... |
12 February 2009 04:07 GMT |
 |
A new cross-site scripting vulnerability affecting the Facebook social networking website has been disclosed on the XSSed project's website. The flaw allows for injection of potentially malicious code. The XSSed project tracks XSS vulnerabilities and its archive contains over 30,000 such documented flaws affe... |
5 January 2009 10:08 GMT |
 |
Security researcher Russ McRee published on his blog details about a critical unpatched cross-site scripting vulnerability affecting the American Express website. He claims that he resorted to this after failing for two weeks to convince the company to fix it, despite significant efforts. According to Mr. McRee, he ... |
17 December 2008 09:15 GMT |
 |
The XSSed project made public four different cross-site scripting vulnerabilities discovered by individual security researchers. The flaws affect the developers, applications, user registration, and iPhone login pages. The XSSed project is an important source of information regarding cross-site scripting (XSS) attac... |
16 December 2008 06:42 GMT |
 |
The end of the past week brought with it a couple of new security tools from Microsoft, made available as free downloads. The Microsoft Code Analysis Tool .NET (CAT.NET) version 1 Community Technology Preview and the Microsoft Anti-Cross Site Scripting Library version 3.0 Beta both went live over the weekend, and are... |
15 December 2008 08:01 GMT |
 |
A detailed XSS filter architecture and implementation article has been published on the Security Vulnerability Research & Defense blog. The main goal of the XSS filter integrated in IE8 is to prevent exploitation of cross-site scripting vulnerabilities without breaking the web. Cross-site scripting (XSS) is a type of ... |
21 August 2008 06:08 GMT |
 |
If you use Internet Explorer 7 and Internet Explorer 7 on Windows Vista, you might fall in a freshly dug cross-scripting hole. The newly discovered vulnerability impacting Internet Explorer was reported by security researcher Aviv Raff. "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local ... |
16 March 2007 03:45 GMT |
 |