Wednesday, April 7, 2010

darkreading.com vulnerable to persistent XSS injected in published articles

...or 'When re-publishing application security material helps discover vulnerabilities in the publisher's own Web application'...

darkreading.com published on the 6th of April an article describing 'meta-information XSS' (see 'Researcher Details New Class of Cross-Site Scripting Attack', available at http://darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=224201569).

The original article included a classic XSS test case, namely <script>alert(1)</script>. Because the darkreading.com web site rendered the article body without HTML-encoding it, that test case inadvertently became a working persistent XSS on the publisher's own site, as shown below:



Following a brief notice I sent today to Timothy Wilson (editor at darkreading.com), he confirmed the issue, also mentioning that it is now fixed.

The HTML code from the original post (including the cited XSS test case):
a DNS TXT record that contains the value "<script>alert(1)</script>" and a service

The HTML code for current version of the article:
a DNS TXT record that contains [a certain value] and a service
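The two HTML fragments above show the failure and the fix as applied on the site: the literal was simply dropped from the article. The general remedy for this class of bug is to encode stored text for the HTML context it is emitted into, so the article can still quote the payload and readers see it as text. The following is an added example, not code from the original post or from darkreading.com; it uses the sentence quoted above as constructed sample input and hypothetical example.test URLs, and contrasts a vulnerable renderer with an encoding one, plus a small check a publisher could run over its own rendered pages (which is the "how many others are affected" question asked further down).

```python
import html
import re
from typing import Dict, List

# Constructed sample input: the sentence quoted in the article, as a CMS would
# store it in the article body. Not real darkreading.com data.
ARTICLE_TEXT = 'a DNS TXT record that contains the value "<script>alert(1)</script>" and a service'

# Matches an opening script tag that a browser would actually parse as markup.
# Entity-encoded text such as "&lt;script&gt;" does not match.
RAW_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_unescaped(body: str) -> str:
    """Vulnerable pattern: stored text is concatenated straight into the page,
    so any markup in the article body becomes live markup for every reader."""
    return f"<p>{body}</p>"


def render_escaped(body: str) -> str:
    """Hardened pattern: encode the text for an HTML element context before
    emitting it. html.escape(quote=True) turns &, <, > and both quote
    characters into entities, so the payload is displayed literally instead
    of being parsed as a script element."""
    return f"<p>{html.escape(body, quote=True)}</p>"


def has_raw_script(rendered_html: str) -> bool:
    """True if the rendered page still contains an unencoded <script> opening tag."""
    return RAW_SCRIPT_TAG.search(rendered_html) is not None


def find_affected(pages: Dict[str, str]) -> List[str]:
    """Given {url: rendered_html} for a site's own published pages, return the
    URLs whose output carries a live <script> tag. A publisher that syndicated
    the article can run this over its own rendered copies as a regression check."""
    return sorted(url for url, body in pages.items() if has_raw_script(body))


if __name__ == "__main__":
    # Hypothetical URLs for illustration only.
    site = {
        "https://example.test/articles/meta-info-xss": render_unescaped(ARTICLE_TEXT),
        "https://example.test/articles/meta-info-xss-fixed": render_escaped(ARTICLE_TEXT),
    }
    print("vulnerable:", render_unescaped(ARTICLE_TEXT))
    print("escaped:   ", render_escaped(ARTICLE_TEXT))
    print("affected:  ", find_affected(site))
```

Encoding is context-specific: `html.escape` is correct for text placed inside an element or a quoted attribute, but text emitted into a JavaScript block, a URL or a CSS value needs the encoding for that context instead. The regex check is a cheap smoke test for this one symptom, not a substitute for encoding at every output point.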

With the same article reproduced by a significant number of online publications, it would be interesting to see how many others are also affected.


