Archive for the ‘XSS’ Category

Italian develops first multi-site web-mail worm

July 13th, 2007 zdnet.co.uk

An Italian security researcher has this week developed the first web-based email worm capable of taking advantage of cross-site scripting (XSS) vulnerabilities in multiple web-mail services.
Rosario Valotta described the new form of worm on his blog. The proof of concept, called Nduja Connection, could spread faster than a worm targeting only a single web-mail provider, he said.

Categories: XSS

Child porn targeting forums using web script

June 15th, 2007 computerworld.com

Sophos says Java-based content is to blame.

Child pornography is being injected into web forums by hackers using Cross Site Scripting (XSS), a technique typically deployed to distribute malware. According to Sophos principal virus researcher Fraser Howard, the attacks occur because many websites allow Java-based content on their forums, or do not require adequate user authentication for posting.

Categories: General News, XSS

Gmail Flaw Invites Hackers to Your Private Messages

June 6th, 2007 newsnow.co.uk

One of the most popular mail solutions on the Internet, Google’s Gmail, was again affected by a vulnerability that could permit an attacker to view or delete some of the messages stored in an account. The Mountain View company’s employees were quick to fix the flaw and managed to repair it within a few hours of it being reported. Basically, the vulnerability could be exploited through a malicious page that gave the attacker access to the Gmail account. As The Hacker Webzine reports, it is extremely dangerous because Google keeps all its web-based services, such as Calendar, AdWords and Gmail, on the same sign-on technology. Using a simple vulnerability discovered in the mail solution, the hacker would be able to access all these services.

Categories: Random Security, XSS

Cross-Site Request Forgery: the Sea Surf

June 6th, 2007 playhack.net

Today we talk about Cross Site Request Forgery (also known as XSRF), abbreviated as CSRF, from whose pronunciation has come the friendly name “Sea Surf” ;) Following the previous papers on Cross Site Scripting written by me, I thought it was an obvious step to deal with this theme: here I am then! This kind of vulnerability, which is very common and underestimated, makes it possible to make a victim user send any kind of HTTP request to a website in which he is logged in and trusted in some way.

Categories: Articles, XSS