Day 4 and the first success

By paranoid February 5, 2011 security 1 Comment

I had 211 XSS when I started writing this series of blog posts, the total as of writing this post is 237. These vulnerabilities are so ubiquitous that I will contend it’s much much harder to find a web site that is actually safe to use.

Todays letter is the digit 2

The digit 2 is found in 7 domain names. One of those is google.tv2.dk. It’s been fixed a long time ago and I am sorry I forgot to take a screen dump. Don’t worry I have other examples which I can disclose later (2/11).

Todays domain is sm

Yeah that’s San Marino. I have found a single XSS there. It’s caused by the very common problem of not treated the value of an HTML attribute in this case the query parameter. All data received from the client should be treated before being echoed back.

A success

I was looking at this interesting new startup Yubico which has a hardware solution for secure login. Based on their very quick and competent response to the XSS I reported I have no doubt they know what they are doing. To be fair, they were not themselves in charge of their web site, but it got fixed really quick. Yay one less XSS out there. Hopefully by the end of this month these successes will outpace the finding of new vulnerabilities.

Tagged on: ,

One thought on “Day 4 and the first success

  1. Pingback: Day 6: Why can’t you fix this in less than a week? « Ugens udflugt…

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>