US Government Security Site Vulnerable to Common Attack
14th December, 2005
The U.S. government site that tracks cyber security risks was recently found vulnerable to cross-site scripting, a technique commonly used in hacker attacks and web site spoofing. Several security sites have published a demonstration of the security hole in the web site of the National Institute of Standards and Technology (NIST), which hosts the U.S. National Vulnerability Database; that database, ironically, catalogues numerous examples of cross-site scripting.
The Netcraft Toolbar blocks common cross-site scripting attacks, protecting users from coding weaknesses in trusted sites, including the NIST flaw. "That was the first time when a trusted, security-related site generated a Block XSS? message to me," noted security researcher Juha-Matti Laurio, a frequent contributor to security community resources on the web.
Web programmers can prevent most cross-site scripting attacks by validating form input and potential modifications to URLs, and ensuring that all user data is correctly encoded before it is displayed or stored.
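As an added illustration of the validation and output-encoding advice above (example code written for this page, not from the article or from NIST), the following Python sketch renders a reflected search parameter first without and then with encoding, and allowlists a numeric URL parameter; the URL, parameter names and template are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request: the "q" parameter carries HTML markup, the kind of
# URL modification the article says must be validated or encoded.
SAMPLE_URL = "https://example.invalid/search?q=%3Cscript%3Ealert(1)%3C/script%3E&page=2"

# Constructed template with two output contexts: HTML text and a quoted attribute.
TEMPLATE = '<p>Results for: {q}</p><input type="text" value="{q_attr}">'


def get_param(url: str, name: str, default: str = "") -> str:
    """Return one query-string parameter, percent-decoded by parse_qs."""
    return parse_qs(urlsplit(url).query).get(name, [default])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the query parameter straight into the page: the XSS flaw."""
    q = get_param(url, "q")
    return TEMPLATE.format(q=q, q_attr=q)


def encode_for_html(value: str) -> str:
    """Output encoding for HTML text and double-quoted attribute contexts."""
    return html.escape(value, quote=True)


def is_valid_page(value: str) -> bool:
    """Input validation: the page parameter must be a small positive integer."""
    return re.fullmatch(r"[1-9][0-9]{0,3}", value) is not None


def render_hardened(url: str) -> str:
    """Validate what has a fixed shape, encode what is free text."""
    page = get_param(url, "page", "1")
    if not is_valid_page(page):
        raise ValueError("rejected page parameter")
    safe_q = encode_for_html(get_param(url, "q"))
    return TEMPLATE.format(q=safe_q, q_attr=safe_q) + f"<p>Page {int(page)}</p>"


def contains_live_script(rendered: str) -> bool:
    """Check: did the injected markup survive as a real tag in the output?"""
    return "<script>" in rendered


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))
    print(render_hardened(SAMPLE_URL))
```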