My first rickroll

Every time I find an XSS I always save it in Delicious. The other night I did the same but something was different. The “save bookmarks” dialogue looked a little messed up. Upon investigation I found an XSS on Delicious itself. Here is how it looked. The problem was fixed less than 10 hours later. […]

Day 27: Cross-site scripting vulnerability at hulu.com

Like any good security vulnerability this one starts with a good friend suggesting a link, this time a TV show on Hulu. Since it’s XSS awareness month my attention immediately went to the search box. I entered the same query which showed a vulnerability at .apple.com (hey Steve/Apple, since I am not being credited with the find, […]

Day 24: Cross-site scripting vulnerability (XSS) at .apple.com

Powerful big companies or tiny small startups, we are all potentially vulnerable to cross-site scripting attacks. I recently notified Bagcheck about an XSS. 7 mins after the notification I received an email from Bagcheck: Thanks, will fix it shortly…. Deployed. Really appreciate the heads up; 7 mins for a full cycle to fix a security vulnerability […]

Day 19: Cross-site scripting vulnerability at netflix.com

Doing a little research before a movie night I was looking through the Netflix movie database. I couldn’t really decide which movie to watch, so I looked for completely unrelated stuff. In this case I entered a query which has served me well (300 and counting XSS): Zhivago"><script>alert('00ps')</script> OK, I don’t normally use Zhivago ;). […]

Day 7 and 8: Safer Internet Day

Earlier this week I was made aware that everybody in Denmark got a copy of the “Net Sikker Nu” magazine. It’s part of a yearly campaign to educate users on how to stay safe on the internet. Just today (February 8) was Safer Internet Day in Europe. There is plenty of good advice, e.g. “Don’t click […]

Day 6: Why can’t you fix an XSS in less than a week?

In Day 4 and the first success I wrote about how Yubico.com responded and fixed the vulnerability I found in their web site. I have had other site owners respond and fix vulnerabilities. The vulnerabilities which have been fixed have all (with 1 exception) been fixed in less than a week. Receiving an externally reported security […]

Day 5: The most popular vulnerabilities

Vulnerability statistics. When I started this research I had no idea what I was looking for; I just did it for the thrill of discovery or fun. After a while I thought I could perhaps learn something by classifying the vulnerabilities. I used “view source” to see exactly why the XSS was triggered and then […]

Day 4 and the first success

I had 211 XSS when I started writing this series of blog posts; the total as of writing this post is 237. These vulnerabilities are so ubiquitous that I will contend it’s much, much harder to find a web site that is actually safe to use. Today’s letter is the digit 2. The digit 2 […]

Obligations

Due to a bad cold I was not able to post anything yesterday. Rest assured that you will not miss any of the daily letters nor any of the TLDs. Yesterday’s letter was z. The letter z is found 5 times. One occurrence is from a framed search on Eurocard. This was fixed very rapidly […]

Cross-site scripting awareness month

I am going to declare February my personal Cross-site scripting (XSS) awareness month. It’s short enough that writing a post every day is manageable. Although I have no detailed plan for what to write about, I think 199+ vulnerabilities should be sufficient material to find something to write about. The first 180 vulnerabilities were collected […]