My good (and hilarious I might add) friend Arian Evans from Whitehat Security sent this link out to a few people. Arian has a flair for comedy - you’d just have to spend some time with him to really understand what I mean. The link made me laugh and thereby I am now sharing it with you. The link is to a QuickPlace XSS filter protection on IBM’s website. The irony here is that the link describing the virtues of XSS filtering is vulnerable to XSS. Oh what sweet irony.
Of course, it’s not really a huge deal, so much as it really is kind of embarrassing and exactly the reason why you should have someone who knows what they are doing looking at your security. In this case the XSS was injected into the xml:lang=… parameter. There’s a first! It’s an easy one to fix, and I’m sure it will be gone soon enough, but the irony made me laugh so hard that I almost spit water out of my nose when I saw it. The moral of the story? Make sure to check your site for the vulnerability you claim to be able to prevent in your products.
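For anyone wondering what "reflected into the xml:lang attribute" looks like in code, here is an added illustration (mine, not IBM's QuickPlace code and not anything from the original post). It assumes a server-side template that echoes a request parameter into the `xml:lang` attribute of the root element, and uses constructed sample values to contrast the unencoded rendering with attribute-context encoding and with plain validation of the language tag.

```python
import html
import re

# Constructed sample parameter values, not taken from the original post.
SAFE_LANG = "en-US"
# A value that closes the attribute early; the marker attribute stands in for
# whatever an attacker would actually put there.
HOSTILE_LANG = 'en" data-injected="'


def render_unsafe(lang: str) -> str:
    """The vulnerable pattern: the request parameter is pasted straight into the attribute."""
    return f'<html xml:lang="{lang}">'


def render_encoded(lang: str) -> str:
    """Hardened: HTML-encode the value for the attribute context, quotes included."""
    return f'<html xml:lang="{html.escape(lang, quote=True)}">'


# Loose shape of a language tag (subtags of 1-8 alphanumerics separated by hyphens).
LANG_TAG = re.compile(r"^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$")


def render_validated(lang: str, default: str = "en") -> str:
    """Belt and braces: accept only a well-formed language tag, otherwise fall back to a default.

    Encoding is still applied so the output is safe even if the allow-list is loosened later.
    """
    if not LANG_TAG.match(lang):
        lang = default
    return f'<html xml:lang="{html.escape(lang, quote=True)}">'


def attribute_is_intact(markup: str) -> bool:
    """Crude check: the markup is exactly one element with one attribute whose value contains no raw quote."""
    return re.fullmatch(r'<html xml:lang="([^"]*)">', markup) is not None


if __name__ == "__main__":
    for label, fn in (("unsafe", render_unsafe), ("encoded", render_encoded), ("validated", render_validated)):
        out = fn(HOSTILE_LANG)
        print(f"{label:9} intact={attribute_is_intact(out)!s:5} {out}")
```

The encoded variant alone is enough to stop the attribute from being broken out of; the validated variant additionally keeps junk out of the document, which is what you want for a field that only ever holds a language tag.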