Cross-Site Scripting

Prime pickings: Application security

Applications provide the path to an organization's coveted assets. And even if they're not public-facing, they still can be a ripe target. We talk to Marcus Prendergast, CSO of ITG, for this month's cover story.

Mozilla releases Firefox 14 to close several major holes

Mozilla has issued patches for 14 vulnerabilities, four of which are deemed "critical," in the latest edition of its Firefox browser.

PayPal to offer payment for finding security bugs

PayPal has joined the likes of Google and Facebook by announcing Thursday that it will begin paying researchers who discover vulnerabilities on its website.

Major software flaws in iPhones, iPads fixed in update

A difficult-to-find vulnerability, disclosed in March at Google's inaugural hacker competition, was among the iOS fixes.

Google to offer up to 20K prize for bug finds

Google has significantly increased its finder's fee for vulnerability researchers.

Adobe patches Flash because of ongoing attacks

A cross-site scripting vulnerability being exploited in the wild has prompted Adobe to issue an update to its Flash Player, a move that may catch security pros off guard.

Facebook identifies porn spam perpetrators

The social media giant is "pursuing the appropriate action" against those behind a wave of pornographic content that showed up on users' news feeds this week.

Flash to get update for zero-day bug

Adobe is rushing a fix for a Flash Player vulnerability that is being actively exploited to launch cross-site scripting attacks.

Gmail users targeted by Adobe Flash exploit

Hackers are actively exploiting a cross-site scripting vulnerability in Adobe's Flash Player, the company revealed Sunday.

New report finds most applications don't pass security tests

A new report from Veracode paints a grim picture of the security built into application software.

McAfee working to fix XSS, information disclosure flaws

McAfee's website suffers from a number of vulnerabilities, which could allow cross-site scripting (XSS) attacks and information disclosure, researchers warned this week.

WordPress update addresses vulnerabilities

Popular blogging platform WordPress on Monday released version 3.0.5 to patch a number of vulnerabilities that could allow a contributor- or author-level user to execute cross-site scripting attacks or siphon sensitive information. The company stated that the update also improves security of plug-ins "which were not properly leveraging our security API." US-CERT recommends that WordPress users install the update. - GM

Microsoft releases advisory for Windows scripting bug

Microsoft on Friday warned of a new Windows scripting vulnerability that could result in information disclosure.

WordPress to users: Put down the eggnog and patch

WordPress is urging customers to install the latest version of its popular blogging software to close a "core security bug" that could be exploited to launch cross-site scripting attacks against vulnerable installations. Version 3.0.4 fixes the "critical" issue, present in the HTML sanitation library, and is available for download. "I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for," Matt Mullenweg, WordPress creator, wrote in a blog post on Wednesday. "In the spirit of the holidays, consider helping your friends as well." - DK

Software assurance has reached a crisis point

Much of the software that the U.S. government is running can be successfully exploited, said Dan Shoemaker, professor at the University of Detroit Mercy, at SC World Congress last week.

Google extends bug bounties to YouTube, other sites

Google on Monday announced plans to extend its existing Chrome browser bounty program to cover some of its other properties, such as YouTube, Blogger and Orkut.

Websites suffer from 13 security flaws on average

The average website contains nearly 13 "serious" vulnerabilities, according to a report released this week by WhiteHat Security, a website risk management solutions provider. The report, which was compiled using data from more than 2,000 websites across 350 organizations, found that cross-site scripting and information leakage flaws were most prevalent, and websites belonging to large organizations - those with more than 2,500 employees - had the highest average number of serious flaws. In terms of industry, banking organizations had the fewest vulnerabilities on average, followed by insurance and health care firms. — AM

Automated web attacks: Interview with Amichai Shulman, co-founder and CTO of Imperva

In a conversation with SC Magazine Deputy Editor Dan Kaplan, Amichai Shulman, co-founder and CTO of Imperva, introduces a new research initiative underway and addresses the automated methods now used by attackers to compromise legitimate websites.

Twitter fixes XSS flaw after being exploited

Cybercriminals this week took advantage of a cross-site scripting vulnerability on Twitter that has since been fixed, according to security researchers.

Symantec secures its vulnerable "Hack is Wack" site

Security giant Symantec said it has secured its "Hack is Wack" contest website after researchers discovered it was riddled with vulnerabilities.

YouTube, iTunes hit in holiday attacks

Cybercriminals were out in full force over the Independence Day weekend, launching attacks on some of the world's most popular online destinations: YouTube and iTunes.

Researcher demonstrates Twitter XSS vulnerability

A Twitter user has demonstrated a cross-site scripting (XSS) vulnerability on the microblogging platform that could allow an attacker to take over users' accounts or spread malware.

Injection tops list of web application security risks

Injection flaws and cross-site scripting are the two most critical web application security flaws, according to the newly updated version of the OWASP Top 10.

Apache.org hit by targeted XSS attack

The Apache Software Foundation is advising users to change their passwords after hackers launched a successful attack against its infrastructure.

Google patches XSS hole in its Buzz social media platform

Google on Tuesday fixed a cross-site scripting (XSS) vulnerability in the "Google Buzz for mobile" website that could have allowed an attacker to hijack users' accounts.

Researcher demonstrates Pentagon XSS vulnerability

A cross-site scripting vulnerability affecting the Pentagon website is not a major security threat -- but it could turn into one, said a researcher who examined the bug.

Researcher finds "frighteningly bad" Adobe Flash flaw

A new point of entry has been discovered in Adobe Flash that allows attackers to infect any website which permits visitors to upload content, a researcher claims.

Study finds 64 percent of websites contain serious flaws

Web application vulnerabilities remain the primary avenue of attack for cybercriminals, according to a new report.

Reddit succumbs then cleans up from XSS attack

Reddit is the latest Web 2.0 site to be slowed by a cross-site scripting attack.

Twitter XSS vulnerability not yet fixed

Because of the bug, an attacker could potentially capture account credentials, redirect a user to any site, alter a user's tweets or followers, or send messages from a compromised account.
