Cross Site Scripting (XSS)

WHID 2009-43: Web Mail Company to Pay Prize After CEO Hacked

Updated: 
5 June 2009

What does a challenge to break a web mail system and win $10,000, broken within minutes, prove? Is it a lesson in vanity? Or about the state of web security? Or about security in general? Probably all of the above.

The most obvious observation is that offering $10,000 to anyone who can break your site, and then being broken within an hour, shows that you don't know what you are talking about. Maybe it will be a lesson to all security vendors not to believe their own marketing verbiage. A quick browse of the Bugtraq vulnerability archives will show how insecure, and how easy to evade, security products can be.

However, judging from the number and seriousness of the incidents reported in the Web Hacking Incidents Database, StrongWebmail is not alone: far stronger companies suffer severe incidents, making web applications the weakest link in an organization's information security.

Lastly, we should always remember that there is never perfect security. By making systems more secure we are only raising the price required to attack them and lowering the damage of such an attack, but never. As the old joke goes: the only secure system is one without users.


WHID 2009-37: Twitter XSS/CSRF worm series (Updated)

Updated: 
19 April 2009

Twitter is in the spotlight again. Mikeyy Mooney, the 17-year-old creator of StalkDaily.com, a Twitter alternative, admitted to hacking his giant competitor by implementing a series of worms. The first one propagated itself through Twitter, making every affected user tweet about StalkDaily. Mikeyy certainly got the advertising and page views he was looking for. Even more, Mikeyy got a job as a security analyst following the worm series.

Mikeyy's worms are a good example of how CSRF and XSS can be combined to create a strong blended attack.


WHID 2009-33: eBay Fraud Abuses Zero Day XSS

Updated: 
10 March 2009

A zero-day XSS vector enabled attackers to include arbitrary code in an eBay offer, which was executed by both Firefox and IE. As a result they were able to spoof the content of the offer, so that the user saw different information than the details known to eBay.


WHID 2009-26: F-Secure Joins The Breached AV Vendors Club

Updated: 
19 February 2009

It wasn't surprising that after attacks on the Kaspersky and BitDefender web sites, another anti-virus vendor would follow.



WHID 2009-24: New Phishing Attacks Combine Wildcard DNS and XSS

Updated: 
19 February 2009

While many WHID entries are interesting for their impact, this one is very interesting for its technical aspects. It is not every day that XSS is used to spoof DNS.



WHID 2008-58: New Orkut Worm in Brazil

Updated: 
11 February 2009

XSSed reports another XSS worm in Orkut. Since Orkut is big in Brazil, it is quite natural that a Brazilian group created the worm.

I have used this occasion to sort out the reporting of worms in WHID.

  • A worm is now considered an attack method rather than an outcome. If nothing else, the outcome of a worm is "planting of malware": the worm itself.
  • I have added a "Web 2.0" organization type, as many of the XSS worms infect Web 2.0 sites.

WHID 2008-54: Hacker Redirects Obama's site to Hillary Clinton's

Updated: 
19 January 2009

Netcraft reports that a hacker managed to redirect traffic from Barack Obama's web site to Hillary Clinton's site during the primaries held between the two. The culprit, an XSS bug in the community blogs section of Obama's site, highlights the danger of user-contributed content on web sites.

An interesting side story is that Oliver Friedrichs of Symantec was quoted in a Computerworld article only a week earlier saying that presidential campaign web sites are "clueless" about security. Was this a prophecy of the hack, or the trigger for it?

Additional technical information can be found on XSSed.
