web application security lab

Vulnerabilities Found in Major Companies

Just a quick post about a number of high value websites with vulnerabilities in them. I tested several of them and, sure enough, they were still working last night. Securitylab.ru published an email about Netcraft in particular being vulnerable to cross-site scripting. It’s pretty embarrassing to be a security company dealing with web technologies and have one of these types of mistakes in your own website. Having perfect web application security just isn’t that easy. There’s no single API to call, or method to use. You can’t just include webappsec.php. It’s a shame you can’t. Anyone want to take a stab at overwriting all the functions in PHP with secure ones? Of course, then you need Perl and ASP and all the others.

You know, and I’ll be honest here (time for some humility), I’ve found XSS holes in my own stuff before, after I had audited it, when I was being particularly careless. It’s really next to impossible to get it perfectly right every single time unless you are really paying attention to input validation and output encoding to ensure you are protected against this.
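One reason there is no webappsec.php to include is that each output context has its own grammar, so output encoding has to be chosen per sink. The following is an added example, not code from the original post: four context-specific encoders in PHP run over a constructed sample value that contains every character they have to handle.

```php
<?php
// Added example (not from the original post): per-context output encoders.
// A single "safe" function cannot exist because HTML text, HTML attributes,
// inline JavaScript and URL components each interpret different characters.

// HTML text content between tags.
function encodeHtmlText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value of a double-quoted HTML attribute. The quotes are emitted here so a
// caller cannot forget them: htmlspecialchars() does not touch whitespace,
// so an unquoted attribute would still be breakable on a space.
function encodeHtmlAttr(string $s): string {
    return '"' . htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '"';
}

// A value placed inside an inline <script>. json_encode() yields a valid JS
// string literal; the HEX flags turn <, >, &, ' and " into \uXXXX so the HTML
// parser never sees a premature </script> and the literal is quote-agnostic.
function encodeJsValue(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// One component of a URL query string (RFC 3986 percent-encoding). The result
// contains only unreserved characters and %XX, so it is also safe to place
// inside a quoted href attribute without a second encoding pass.
function encodeUrlParam(string $s): string {
    return rawurlencode($s);
}

// Constructed sample input: ordinary user data (a display name) that happens
// to contain quotes, an apostrophe, angle brackets and an ampersand.
$display = 'Tom "Tiny" O\'Brien <tom@example.com> & co';

// Each sink gets the encoder that matches its context.
$page = '<p>Hello, ' . encodeHtmlText($display) . '</p>' . "\n"
      . '<input name="who" value=' . encodeHtmlAttr($display) . '>' . "\n"
      . '<a href="/search?q=' . encodeUrlParam($display) . '">search</a>' . "\n"
      . '<script>var who = ' . encodeJsValue($display) . ';</script>' . "\n";

echo $page;
```

Swap any two of these encoders and the browser parses the value as markup or code rather than as data, which is the mistake input validation alone does not catch.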

Anyway, nice job Valery Marchuk. Some good finds there!
