The CIA Hack...still working.

Noah Schiffman — Mon, 21 Apr 2008 10:36:22 -0400

Once this vulnerability was submitted by Harry Sintonen to Wired's Threat Level last week, it's been spreading like wildfire throughout the web. Discovery of a new XSS is nothing new, but does become noteworthy when it involves a domain like CIA.gov. While not a site 0wning exploit, it is an embarrassing example of poor input validation.

A search form at their site provides the unfiltered option to inject script running character strings. The query is processed and your customized site appears (at least that seems to be what most people are using it for-for those with more malicious intent....good luck, you'll probably win a free ride

Read more

IBM software attacks critical application security issues

Layer 8 — Tue, 13 Nov 2007 10:32:48 -0500

IBM today introduced software it says will help customers protect Web applications from attack, particularly from the nefarious "cross site request forgery" in which an attacker can fake a request to a site gaining access to sensitive information.

Read more

cross site scripting

The CIA Hack...still working.

IBM software attacks critical application security issues