Monday, May 14, 2007

XSS The Planet

Yet another initiative proving that major sites suffer from XSS vulnerabilities in exactly the same fashion e-banking sites do. Perhaps the most interesting point regarding the list is that it dates from 2005 and some of the sites still remain vulnerable, but why is that? Lack of internal incentive programs to deal with the problem? Not getting the necessary attention given the rise of the lost-laptop-with-unencrypted-data issue? A lack of common sense is the explanation I find most convincing. Consider the perspective: it's like deploying quantum encryption to protect the confidentiality of your data while remaining vulnerable to wardriving attacks capable of obtaining the data in its pre-encryption stage, even on the fly. The encrypted-data myopia is on the rise, and it's the result of yet another "stolen laptop news article" emphasizing the current trends and ignoring the emerging ones, namely that a mobile workforce's improved productivity is proportional to the insecurities that come from storing sensitive data in a less controlled external environment. There's no point in implementing state-of-the-art technology when you haven't taken care of the basics, such as the ones that are so easy to exploit that even a script kiddie can become the next Pentagon hacker by bruteforcing passwords on an unclassified system. And yes, trivial XSS ones too.
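The "basics" the post refers to are as simple as encoding untrusted input before it is written into a page. The following is an added example (not code from the original post or from any of the listed sites) showing the pattern behind a typical reflected XSS bug next to its hardened form, plus a small regression check a defender can run. Function names, the sample query and the page template are all constructed for illustration.

```javascript
// Added example, not from the original post: a query parameter echoed into a
// page, the HTML output encoding that fixes it, and a check for raw markup.
// All inputs are constructed for illustration.

// Characters that must never reach an HTML text node or attribute unencoded.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode untrusted text so the browser treats it as data, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// The "before" picture: the search term is concatenated straight into HTML,
// so any markup in the term becomes part of the page.
function renderSearchPageUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// The hardened form: same page, but the parameter is encoded on output.
function renderSearchPageSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Defender-side regression check: does any tag present in the untrusted
// input survive verbatim in the rendered HTML? True means the input was
// interpreted as markup rather than text.
function containsRawMarkup(html, untrustedInput) {
  const tagPattern = /<\/?[a-zA-Z][^>]*>/g;
  const tagsInInput = untrustedInput.match(tagPattern) || [];
  return tagsInInput.some((tag) => html.includes(tag));
}

// Constructed sample: a search term that happens to contain markup.
const sampleQuery = 'shoes<b>bold</b>';

// Stand-alone demonstration of both renderings and the check.
console.log('unsafe :', renderSearchPageUnsafe(sampleQuery));
console.log('  raw markup survives? ', containsRawMarkup(renderSearchPageUnsafe(sampleQuery), sampleQuery));
console.log('safe   :', renderSearchPageSafe(sampleQuery));
console.log('  raw markup survives? ', containsRawMarkup(renderSearchPageSafe(sampleQuery), sampleQuery));
```

The encoding table covers the six characters that matter in HTML text and quoted attribute contexts; anything written into a JavaScript block, a URL or a CSS context needs its own context-specific encoder, which is exactly the kind of "basic" that the listed sites were still missing two years after the list was compiled.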

Currently active URLs on the list are the following:
Nortel.com
Federal Deposit Insurance Corporation
JC Penney
SonyStyle.com
D-Link.com
Poetry.com
