Steve.org.uk

With the complexity of websites these days, and the way that we rely upon their security for storing our details and correspondance security testing of websites is at least as important as the testing of software for issues.

Websites differ from programs in many important respects:

• We don't get to see the source to the server-side components.
• Things like buffer overflows are extra-ordinarily rare.

But there are particular attacks which are common, such as SQL Injections and "Cross Site Scripting" (XSS) issues.

I put together a brief XSS tutorial illustrating the basic principle, and below you can see some XSS issues I reported against popular websites.

I've been responsible for the discovery and correction of several XSS attacks against popular websites, here are just some of them:

• Advogato.org Scripting Attack
• Advogato.org attribute Attack
• Freshmeat.net Scripting Attack
• OSNews.com - URI Attribute Attack
• Quizilla Scripting Hack