Which websites can we trust? "XSSing" the world?

By Rodrigo Montoro on June 18, 2009

Nowadays, it is becoming more and more difficult to click on links published by a friend or even by a well-known site. More and more, major sites are showing flaws in their pages. Some take fast corrective action, as in the case of the XSS recently found ( http://www.xssed.com/news/95/Google_SSL_page_vulnerable_to_XSS/ ), while others ignore warning e-mails received from the people who found such flaws.

Just to point out some names highlighted on the internet in recent weeks regarding security flaws:

– McAfee

Displayed with an aggressive title: “McAfee enabling malware distribution and fraud”

Link: http://www.readwriteweb.com/archives/mcafee_enabling_malware_distribution_and_fraud.php

– Google

XSS on Google’s https page, which we may consider a terrible opening for session stealing (here our compliments to Google’s team for their quickness in their corrective actions).

Link: http://www.xssed.com/news/95/Google_SSL_page_vulnerable_to_XSS/

– Foundstone Support

It is vulnerable to Cross-Site Framing.

Link: http://skeptikal.org/screenshots/pci-asv_vulns/support.foundstone.com_XSF.png

If you use Twitter and love seeing flaws on the web, just take a look at http://twitter.com/XSSExploits and you will see security flaws being commented on, on sites like:

– CNN

Link: http://edition.cnn.com/

– ESPN (still vulnerable as of the day this article was written).

Link:
http://search.espn.go.com/results?searchString=chat&ref=http://sports.espn.go.com/chat/chatESPN?event_id=13330%22%3E%3Cscript%3Ealert(%27XSS%27);%3C/script%3E&404=true

– CBS (still vulnerable as of the day this article was written).

Link:
http://www.cbs.com/primetime/the_unit/video/video.php?cid=446409735&pid=Vs6yBRgqMDQz0mt1iVgHowjlGhrM1xwp%22%3E%3Cscript%3Ealert(%27tst%27);%3C/script%3E&category=editorial&play=true%3Cscript%3Ealert(%27tst%27);%3C/script%3E

– NYT

The title says it all: “NYTimescom, danger for your browser”.

Link: http://stratusec.com/blog/2009/05/nytimescom-danger-for-your-browser/

– Vimeo (still vulnerable as of the day this article was written).

Link: http://vimeo.com/tag:xss%27;alert(%27xss%27);v=%27

If you wish to see more big portals, just take a look at the already mentioned XSSExploits (it posts something new on a daily basis). By the way, we are also present at http://www.twitter.com/nstalker .

Be careful when clicking on anything, as today it is becoming too difficult to boldly trust any given domain. Unfortunately, programmers are careless about validation in their programs, and thus XSS is becoming a plague. Some people say XSS is a flaw, others say no. Some weeks ago, a discussion took place at OWASP Brazil as to whether XSS is a plague or a vector (in case you are interested, our CTO participated in the thread (pt_BR) at https://lists.owasp.org/pipermail/owasp-brazilian/2009-May/000589.html ).

Independently of what you think about XSS (Cross Site Scripting), i.e., whether it is a vector or a flaw, we would be pleased to invite you to test N-Stalker to find out if your company’s site or application is vulnerable, since, be it vector or vulnerability, your company’s reputation is at stake.

You may also request an evaluation of our scanning tool through our website at: http://nstalker.com/products/enterprise/request-evaluation .

If you have any questions, please get in touch with our Support Department.

N-Stalker Research Team
