web application security lab

Netscape.com XSSed Due to Failure to Act

Phaithful sent me this link to Threadwatch talking about Netscape’s recent cross site scripting hole. This attack went beyond a simple XSS proof of concept: it changed the face of Netscape by creating a dialogue box with an obscenity in it. Pretty bad for your brand, I’d say. It appears to be fixed, but it just goes to show how serious these types of web application security issues can be for your branding, let alone what the attackers could have done, given how many people have that set as their homepage. The potential for disaster would have been tremendous had it been used in a more destructive manner than a simple defacement.

The stored cross site scripting attack vector may not be the most common, but in this case it was probably one of the most dangerous. Here is David “Aesthetico” Vieira-Kurz’s explanation of the hack (I do not believe he was the one who defaced them, but he was the one to disclose).

2 Responses to “Netscape.com XSSed Due to Failure to Act”

  1. XSS dude Says:

    I don’t get it, how did they get the JS code to the frontpage?

  2. RSnake Says:

    Apparently Netscape’s version of Digg was vulnerable to cross site scripting (or HTML injection anyway). The way I understand it, that widget was/is at least sometimes exposed to the main page. When it got higher in popularity it showed more often on the main page, and therefore got presented more often - thereby defacing it more often. It wasn’t persistent, but based on its virulence it became fairly well seen.
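
A minimal model of the mechanism described in the comment above, added here as an illustration and not taken from the original post, its comments, or Netscape's code: a front-page widget that lists the most-voted user submissions, rendered once without and once with output encoding. All function names, the markup and the sample stories are constructed assumptions.

```javascript
// Constructed sample data: user-submitted stories with vote counts.
// The second title carries markup, standing in for the injected content.
const stories = [
  { title: "Browser 2.0 beta released", votes: 12 },
  { title: '<script>alert("constructed")</script>Vote for me', votes: 340 },
  { title: "Tips & tricks for RSS readers", votes: 57 },
];

// Encode the characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Front-page widget: the top `limit` stories by votes. The more votes a
// submission collects, the more visitors receive its title in their page.
// `encode` is the only difference between the two variants below.
function renderWidget(items, limit, encode) {
  const top = [...items].sort((a, b) => b.votes - a.votes).slice(0, limit);
  const rows = top.map((s) => `<li>${encode(s.title)} (${s.votes})</li>`);
  return `<ul class="top-stories">${rows.join("")}</ul>`;
}

// Vulnerable: titles are concatenated into the page as-is.
function renderWidgetUnsafe(items, limit) {
  return renderWidget(items, limit, (t) => t);
}

// Hardened: titles are encoded at output time, so markup in a stored
// title is displayed as text instead of being parsed by the browser.
function renderWidgetSafe(items, limit) {
  return renderWidget(items, limit, escapeHtml);
}

// Audit helper: list stored titles containing markup characters, so
// existing entries can be reviewed once the output fix is deployed.
function findSuspectTitles(items) {
  return items.filter((s) => /[<>]/.test(s.title)).map((s) => s.title);
}
```

Encoding at output time covers entries that were stored before the fix, which input filtering alone would not.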