Articles about xss

Sealed with an XSS: IT pros urge Lloyds Group to avoid web cross talk

A pair of IT workers have criticised banks within the Lloyds Banking Group (LBG) for substandard security. The group denies anything is amiss, maintaining it follows industry best practice on cyber-security. Each of the three LBG banks – Lloyds, Halifax, and Bank of Scotland – has implemented transport layer security by …
John Leyden, 20 Sep 2018

Criminal mastermind injects malicious script into Ethereum tracker. Their message? '1337'

Ethereum-tracking website Etherscan has resolved a cross-site scripting issue on its domain. Though among the world's top-2,000 websites (1,379th per Alexa), Etherscan fell foul of one of the net's most common security slip-ups. Cross-site scripting (XSS) refers to when a hacker is able to inject a script into a vulnerable …
John Leyden, 25 Jul 2018

uBlock Origin ad-blocker knocked for blocking hack attack squawking

Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from sounding the alarm on hacking attacks. At the heart of the matter is a fairly new technology called content security policy reporting, or CSP reporting. It's …
John Leyden, 17 Oct 2017

Microsoft won't patch Edge browser content security bypass

Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch? Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft". Grødum posted news of Microsoft' …
Aruba AirWave admin? Get the latest patch

Aruba AirWave systems need patching against multiple bugs in their control interface. Posted to Full Disclosure by SEC Consult, there are two problems with the kit: an XML External Entity Injection attack; and a reflected cross-site scripting (XSS) attack. Both can be exploited remotely. In CVE-2016-8526, the XML parser used …

'I found a bug that let anyone read anyone's Yahoo! Mail and all I got was this $10k check'

A security researcher says he bagged $10k after discovering and reporting a serious flaw in Yahoo! Mail that could have been exploited by crooks to read victims' messages. Jouko Pynnönen says he reported the vulnerability in Yahoo! Mail via bug-bounty organizers HackerOne. "The impact of the bug is similar to the one I …
John Leyden, 9 Dec 2016
Bletchley Park Trust vows to shore up insecure website

The Bletchley Park Trust has promised that a website revamp due in January will address security concerns highlighted by a security expert on Sunday. Paul Moore slammed the site, which was home of the WWII Enigma codebreakers, for all manner of security shortcomings including emailing password resets and vulnerabilities to the …
John Leyden, 29 Nov 2016
Google tries to cross out XSS attacks by releasing its own test tool

Google has spent more than US$1.2 million (£920,400, A$1.6 million) in the last two years paying researchers for reporting cross-site scripting (XSS) attacks and has kicked off an effort to help crush the threat. XSS attacks are one of the most pervasive and enduring web application security threats because they allow …
Darren Pauli, 27 Sep 2016

GoDaddy plugs account hijack XSS vulnerability

Domain registrar GoDaddy has patched a blind XSS vulnerability in its customer support that could have allowed access to GoDaddy accounts. Uber security man Matthew Bryant (@IAmMandatory) reported in a personal capacity the bug he says was located in an internal support panel. A payload he uploaded and then forgotten had …
Darren Pauli, 10 May 2016

Zen Cart admins: Don't skip version 1.5.5

If you missed the March 17-issued patch for shopping cart application Zen Cart, get busy, because among other things it fixed serious cross-site scripting (XSS) vulnerabilities. Trustwave, which turned up the bug last September, made it public last Friday. Zen Cart reckons the vulnerability was closed before it was exploited …

VMware vRealizes that vRealize has XSS bugs on Linux

A tricky Tuesday for VMware's vRealize products, which have received the first maintenance release for version 7 and also become the subject of a security alert. Let's do the alert first, as it explains that several vRealize products have a pair of cross-site-scripting bugs that could compromise a user's workstation. The mess …
Simon Sharwood, 16 Mar 2016

Yahoo! Mail! Had! Nasty! XSS! Bug!

A stored XSS vuln in Yahoo! Mail has netted Finnish researcher Jouko Pynnönen of Klikki Oy a US$10,000 bug bounty. Pynnönen turned up the bug with a bit of old-fashioned brute force: he fed the system an HTML e-mail containing “all known HTML tags and attributes” to see what survived the Purple Palace's filters. What's …
Unconfirmed PayPal 0day auth flaw lingers after XSS gets fixed

Two vulnerabilities in popular payments platform PayPal emerged this week. A cross-site scripting flaw affecting the web payment service was fixed last month, but another flaw is yet to be resolved. The unresolved vulnerability creates a means to bypass the security approval procedure and two-factor authentication applied by …
John Leyden, 4 Sep 2015
Salesforce plugs silly website XSS hole, hopes nobody spotted it

A cross-site scripting (XSS) vulnerability on Salesforce's website might have been abused to pimp phishing attacks or hijack user accounts. Fortunately the bug has been resolved, apparently before it caused any harm. Cloud app and security firm Elastica said the issue affected a Salesforce sub-domain – …
John Leyden, 14 Aug 2015

XSSposed launches pay-whatever bug bounty

Cross-site scripting war board XSSposed has opened a pay-whatever bug bounty to help its hackers earn cash and tee-shirts. Launched overnight, the program lets anyone register their interest in hearing about vulnerabilities for any web property. They then have the opportunity to pay researchers for the finding. Admins who …
Darren Pauli, 7 Jul 2015

US National Vulnerability Database contained ... yup, an XSS vuln

The US National Vulnerability Database was itself left vulnerable to cross-site scripting last week. The NVD serves as a definitive source of information on CVE security flaws. The XSS vulnerability meant that a skilled hacker could present surfers with content from arbitrary third-party sites as if it came from the NVD itself …
John Leyden, 18 Jun 2015

eBay year-long patch stall a little XSSive, researcher says

Clarified Security researcher Jaanus Kääp has disclosed a year-old cross-site scripting (XSS) bug in eBay's messaging service that lets attackers target victims through messages. The researcher says he reported the XSS three times over more than a year and says he is surprised to find the bug he describes as dangerous has as …
Darren Pauli, 30 Apr 2015

Comments considered harmful: WordPress web hijack bug revealed

A frustrated Finnish security researcher has gone public with a vulnerability in WordPress that lets attackers hijack website admin accounts. The flaw was found by Jouko Pynnönen, and is a cross-site scripting (XSS) bug similar to one patched last week. It is buried within the widely used web publishing software's comments …
Iain Thomson, 27 Apr 2015

Biting the hand that feeds IT © 1998–2018