24
Aug
07

DISCLOSURE: XSS Fun

post info

By A. Ely
Categories: a. ely, security and vulnerability

If we are going to release security flaws which might lead us into an industry shakedown, we may as well go for the trifecta.

NASDAQ 
Johnson & Johnson

Yes, these have been disclosed/reported to the hosts with adequate time allowed for acknowledgment. The NASDAQ one is quite intriguing since you can rewrite the site's html source.

When will programmers learn to write secure from day one?

2 Responses to “DISCLOSURE: XSS Fun”

Feed for this Entry Trackback Address View blog reactions
  1. 1 mybeNi websecurity Aug 25th, 2007 at 3:02 pm

    … why post 2 xss flaws? there are millions out there :>

  2. 2 A. Ely Aug 26th, 2007 at 7:24 pm

    @mybeNi: For purposes of full disclosure so people are aware of the issue. Hopefully, through awareness people will not be fooled if the sites are used for fraudulent purposes.

Leave a Reply

« Snatching Protected MySpace Music Using Safari
REVIEW: Summercon 2007 »
August 2007
S M T W T F S
« Jul   Oct »
 1234
567891011
12131415161718
19202122232425
262728293031  

Months

Recent Entries

Worth Reading

    robert hansen [rsnake] (sectheory)

  • XSSFilter Released - You may have already seen the news about the new XSSFilter in IE8.0 but I wanted to echo it here as well, because it’s a pretty major new release. It does a great job of preventing most of the
    Read more...  


    • chris eng, chris wysopal [weldpond] &
    christien rioux [dildog] (veracode)

  • The Government?s Top Hackers? - Popular Mechanics recently published an article about the NSA Red Team, which caught my interest, having been a part of that organization for a short stint back in early 2000. The article does a
    Read more...  


    • amrit williams

  • AV Industry on the Run - All too accurate cartoon from Ikarus Security Software, brought to my attention from Dancho Dankev (here), who has become one of my favorite bloggers to read.
    Read more...  


    • dave goldsmith, jeremy rauch &
    thomas ptacek [matasano chargen]

  • CitySec Updates And Now More Ways To Stalk Us! - STLSec. Shawn @ Agurasec yelled at me for not letting everyone know that St. Louis has an active CitySec meetup: The next STLSec is July 10 @ the Fox and Hound. Be there or be square. We had a
    Read more...  


    • bruce schneier [bt]

  • Friday Squid Blogging: Giant Squid Found off Santa Cruz Coast - It's twenty-five feet long, with tenticles the size of human legs....
    Read more...  


    • spacerogue

  • CitiBank Card Numbers and PINS Stolen in Server Breach - Many years ago, (like ten or more) there was a major US bank (BoA, CitiBank I don’t remember) that had a major security breach. I don’t remember all the details, and Google has been less
    Read more...  


    • dino dai zovi

  • ARDAgent.app Vulnerability Analysis - Apple recently released Mac OS X 10.5.4 with accompanying security updates for 25 vulnerabilities.  Notably absent, however, is a fix for the recently brouhaha’d ARDAgent.app local privilege
    Read more...  


Blogroll