24
Aug
07

DISCLOSURE: XSS Fun

post info

By A. Ely
Categories: a. ely, security and vulnerability

If we are going to release security flaws which might lead us into an industry shakedown, we may as well go for the trifecta.

NASDAQ 
Johnson & Johnson

Yes, these have been disclosed/reported to the hosts with adequate time allowed for acknowledgment. The NASDAQ one is quite intriguing since you can rewrite the site's html source.

When will programmers learn to write secure from day one?

2 Responses to “DISCLOSURE: XSS Fun”

Feed for this Entry Trackback Address View blog reactions
  1. 1 mybeNi websecurity Aug 25th, 2007 at 3:02 pm

    … why post 2 xss flaws? there are millions out there :>

  2. 2 A. Ely Aug 26th, 2007 at 7:24 pm

    @mybeNi: For purposes of full disclosure so people are aware of the issue. Hopefully, through awareness people will not be fooled if the sites are used for fraudulent purposes.

Leave a Reply

« Snatching Protected MySpace Music Using Safari
REVIEW: Summercon 2007 »
August 2007
M T W T F S S
« Jul   Oct »
 12345
6789101112
13141516171819
20212223242526
2728293031  

Months

Recent Entries

Worth Reading

    robert hansen [rsnake]
    (sectheory)

  • More McAfee Snakeoil Ranting - I know a lot of people are just tired of the same old PCI ASV rant that really surfaced last year, but I got an email today and I thought it was worth a re-post. Mike Bailey sent this over and I
    Read more...  


    • chris eng, chris wysopal [weldpond] &
    christien rioux [dildog]
    (veracode)

  • (ISC)2?s Newest Cash Cow: The CSSLP Certification - Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation — the Certified Software Security Lifecycle Professional
    Read more...  


    • spacerogue

  • Fake Story Still Fake, Media Still Clueless - About eight years ago a media story broke about how some “hackers” took over a British Ministry of Defense Satellite and were holding it for ransom. Anyone who knew anything about Command
    Read more...  


    • dan kaminsky
    [ioactive, inc.]

  • [cite required] - Someone asked for a cite on the Consumer Reports claims in my Black Hat 2008 slides.  I went and tracked this down, and I actually picked this up from the Meandering Wildly blog.  Looks like I
    Read more...  


    • dino dai zovi

  • Dead Bugs Society: Apple File Server - For today’s installment of Dead Bugs Society, I’m going to dig up another one of my favorite exploits.  This exploit is actually the second exploit that I wrote for the Apple File Server
    Read more...  


    • amrit williams

  • Gartner DOES have a sense of humor - sometimes - Greg Young (here) and John Pescatore (here) have started blogging on the Gartner Blogging network and many of the posts are both enlightening and humorous, such as this post from Greg Young on how to
    Read more...  


    • dave goldsmith, jeremy rauch,
    thomas ptacek & chris rohlf
    [matasano chargen]

  • Detecting Anonymizing Proxies - Anonymizing proxies are often used by people who wish privacy, or to circumvent access controls. High profile political cases such as circumventing the Great Firewall of China and the protection of
    Read more...  


Blogroll