XSS Vulnerabilities Abound
Recent attacks against high-profile Web sites show that developers still don't have a handle on cross-site scripting vulnerabilities--but the bad guys do.
August 25, 2006
Recent attacks against high-profile Web sites show that developers still don't have a handle on XSS (cross-site scripting) vulnerabilities--but miscreants do. In late July, Netscape.com was defaced by vandals who used an XSS attack--in which a dynamic Web page accepts and displays malicious input from users--to display pop-up messages encouraging visitors to surf to another site. MySpace.com also has been hit with XSS attacks. Security vendor F-Secure recently discovered more than half a dozen potential XSS vulnerabilities on two popular social networking sites (the company declined to identify the sites).
If they haven't already, it's time for your Web developers to get a crash course in XSS. At the very least, run a Web application vulnerability scanner and prune the low-hanging fruit--before an enterprising attacker plucks it for you. --Andrew Conry-Murray