darkreading.com published on 6th of April an article which describes 'meta-information XSS' (see 'Researcher Details New Class of Cross-Site Scripting Attack', available at http://darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=224201569").
The original article included a classic XSS test case, namely <script>alert(1)</script>. As a result of an existing XSS vulnerability in the darkreading.com web site, the XSS test case above turned out to be inadvertently a successful one, as shown below:
Following a brief notice I sent today to Timothy Wilson (editor at darkreading.com), he confirmed the issue, also mentioning that it is now fixed.
The HTML code from the original post (including the cited XSS test case):
a DNS TXT record that contains the value "<script>alert(1)</script>" and a service
The HTML code for current version of the article:
a DNS TXT record that contains [a certain value] and a service
With the same article being reproduced by a significant number of online publications, it could be interesting to see how many other are also affected.
Posts
