Today NIST.org (not related to NIST.com) published an article on XSS. John and I have been exchanging emails for a while and I think he finally felt like he knew enough to write a really thorough article on cross site scripting attacks - and that he did. It’s a pretty good read if you are an old hat at Security but new to the web application security space or to cross site scripting in particular. He also spends a good chunk of the article talking about not just the attack but what it’s actually used for (primarily phishing and credential theft), which is something I don’t spend much time talking about.
Along with his article he also put together a compendium of some of the cross site scripting vulnerable websites out there. This is something we’ve talked about doing before, but it’s good to know someone else has taken it upon themselves to build it out, unlike the sla.ckers.org full disclosure forums which are a tad unwieldy to say the least as there is a lot of chatter there.
Anyway, it’s a good article coming from NIST, and I’m really glad the concept has gotten more attention from the people who help inform other people of the risks. Now, let’s try to fix the holes that we found!