False Start for Cyber Security Challenge?

A cross-site scripting vulnerability has been uncovered on the Cyber Security Challenge UK website, before the site has even been made ready for candidates to register.

Ironically, the programme has been established by a management consortium of key figures in cyber security, and is designed to identify and nurture the UK's future cyber security workforce.

The simple coding error was demonstrated a short while ago by James Wheare. It is not clear whether this security vulnerability is part of the challenge, but we suspect not.

Mr Wheare told Netcraft that he was prompted to look for the hole after reading a friend's tweet, and noticed insufficient encoding in the page's <title> and <h2> tags.

Users of the Netcraft Toolbar are protected against cross-site scripting (XSS) attacks like these, which could otherwise be used to launch cross-site request forgery (CSRF) attacks, modify the content of pages on the Cyber Security Challenge website, or steal session identifiers from victims.

Netcraft also provides a comprehensive range of internet security services which identify vulnerabilities such as cross-site scripting in web applications. Netcraft has informed Cyber Security Challenge UK about the vulnerability.