| Subject: | [ISN] US Government Security Site Vulnerable to Common Attack |
|---|---|
| Date: | Sun, 18 Dec 2005 14:39:22 -0600 (CST) |
http://news.netcraft.com/archives/2005/12/14/us_government_security_site_vulnerable_to_common_attack.html

By Rich Miller
December 14, 2005

The U.S. government site that tracks cyber security risks was recently found vulnerable to cross-site scripting, a technique commonly used in hacker attacks and web site spoofing. Several security sites have published a demonstration of the security hole in the web site for the National Institute of Standards and Technology (NIST), which hosts the U.S. National Vulnerability Database, which ironically includes numerous examples of cross-site scripting.

Cross-site scripting (XSS) is a well known technique which involves injecting the text of code to be executed by the browser into URLs that generate dynamic pages. Attacks using XSS have been found by security researchers in a wide variety of products and specific sites in recent years.

The cross-site scripting vulnerability in the NIST site was found in a script that warns visitors that they are about to leave the NIST site, a common practice on U.S. government sites. The NIST script allows potentially malicious JavaScript to be appended to the URL and executed by the browser, a technique which works in Firefox and Internet Explorer.

The flaw was originally reported by the RootShell Security Group. Staff at the NIST web site closed the security hole after being contacted by people who saw the RootShell posting.

The Netcraft Toolbar blocks common cross-site scripting attacks, protecting users from coding weaknesses in trusted sites, including the NIST flaw. "That was the first time when a trusted, security-related site generated a 'Block XSS' message to me," noted security researcher Juha-Matti Laurio, a frequent contributor to security community resources on the web.

Web programmers can prevent most cross-site scripting attacks by validating form input and potential modifications to URLs, and ensuring that all user data is correctly encoded before it is displayed or stored.
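The article describes a reflected XSS in an exit-warning script that echoes a destination URL back into the page, and closes with the standard fix: validate the input and encode it before display. The following Python example is added here to illustrate that point; it is not code from the article, from NIST or from Netcraft. The page-rendering functions, the sample URLs and the helper names are all hypothetical constructions for this illustration. The vulnerable version reflects the query value straight into HTML; the hardened version first restricts the destination to absolute http(s) URLs (which also rejects `javascript:` and `data:` destinations that encoding alone would not stop) and then HTML-encodes the value wherever it appears.

```python
import html
from urllib.parse import urlparse

# Constructed sample inputs (not taken from the article): a benign destination
# and one carrying markup in the path, the pattern behind the NIST flaw.
BENIGN_URL = "http://www.example.com/page"
INJECTED_URL = 'http://www.example.com/"><script>alert(1)</script>'

ALLOWED_SCHEMES = {"http", "https"}


def render_exit_warning_vulnerable(target: str) -> str:
    """Hypothetical 'you are now leaving this site' page that reflects the
    destination URL into HTML with no encoding. Whatever reaches the query
    string lands in the page verbatim and the browser will interpret it."""
    return (
        "<html><body><p>You are now leaving this site for "
        f'<a href="{target}">{target}</a>.</p></body></html>'
    )


def is_acceptable_destination(target: str) -> bool:
    """Input validation step: accept only absolute http(s) URLs with a host.
    Note this alone is NOT sufficient; INJECTED_URL passes this check because
    its host is well-formed, so output encoding is still required."""
    parsed = urlparse(target)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def render_exit_warning_safe(target: str) -> str:
    """Hardened version: validate the destination, then HTML-encode it in
    both the attribute value and the visible link text."""
    if not is_acceptable_destination(target):
        return "<html><body><p>Invalid destination.</p></body></html>"
    # quote=True also encodes " and ', so the value cannot break out of the
    # href attribute, and <, > become &lt;, &gt; so no tag is formed.
    safe = html.escape(target, quote=True)
    return (
        "<html><body><p>You are now leaving this site for "
        f'<a href="{safe}">{safe}</a>.</p></body></html>'
    )


def contains_raw_script_tag(page: str) -> bool:
    """Simple check used here to show whether reflected input survived as
    markup the browser would execute (an encoded &lt;script&gt; does not)."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("vulnerable page reflects tag:",
          contains_raw_script_tag(render_exit_warning_vulnerable(INJECTED_URL)))
    print("hardened page reflects tag:  ",
          contains_raw_script_tag(render_exit_warning_safe(INJECTED_URL)))
    print(render_exit_warning_safe("javascript:alert(1)"))
```

The key lesson the split into two steps is meant to show: validation decides whether the value may be used at all (scheme and host), and encoding decides how it is written into the HTML context it lands in. A server that does only the first still reflects `INJECTED_URL` as live markup; a server that does only the second still happily links to a `javascript:` destination.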