Wednesday, April 7, 2010

New category of XSS attack -- so what?

In DarkReading ( there is a current article about a new type of XSS attack that exploits services that provide networking data, where malicious data is stored in TXT records or other back-end things and are then returned by a service where it is executed on network admin screens.

Uh...this is no different than any other XSS attack. Sure, new category. Sure, really tough to find. But hellooooo? You have input from an untrusted source (data file) that you are taking and displaying to a screen. Service developer, scrub your output! Network app screen developer, encode your output! Duh!!! Come on people. This just shows that we need to be aware that hackers are going to a deeper and deeper level in our systems. As we patch our brochureware sites, they are going to the network folks that don't care to be security developers. But we have the responsibility to do it right.

And it is easy. Please encode and stop XSS!

No comments:

Post a Comment