XSS – Oh Dear

8 Mar
2007

Yesterday I got a friendly email in the iBegin inbox. In a very professional manner, the person informed me of a Cross Site Scripting (XSS). I responded immediately, and a day later popped in the email. It was a simple example – with a certain string, my search page popped a nice JS error saying ‘XSS!’

This was rather bewildering. I have spent a lot of time researching over such holes, and here I was the victim of my own.

The end result was less spectacular than I had been fearing – when adding in the ad-code for Google, I had opted to use the ‘hint’ option. In my rush, I had never filtered the part where I dynamically inserted the keyword the user had searched for. And just like that a nasty nasty XSS hole was borne.

XSS is bloody scary. Basically with that info they can extract a lot of user info, allowing them to effectively take over their behavior. Heck MySpace was literally brought to its knees by a little XSS hack. And protection against XSS is like building a fortress – if your fortress even has one little hole in it, you are in trouble.

I’ve already mentioned how most ‘programmers’ on the web are crap. When you mix JavaScript in, thats like asking to be messed with.

Comments are closed.

top