################################
# Website: http://www.nsa.gov
# National "Security" Agency - oh really ?!
# Bug: XSS
# Date: 27.03.09
##############################
Vuln URL: hxxp://www.nsa.gov
Click for the XSS demo
Fix input validation in your page... Please be true to your THREE Letter acronym ;)
Cheers :)
Kish
Friday, March 27, 2009
Fixed again... Good job AVG, ESET
AVG and ESET have fixed their respective XSS vulnerabilities, and it is good !
Full disclosure - We believe in it !
Cheers!
Wednesday, March 11, 2009
Advisory updates: Q1 2009 and a few more ...
Advisory updates for the first quarter of 2009, and a few from 2008.
DMOZ search's XSS was found 2 months back... and NASA's XSS at Goddard Space Flight Center was exactly a month ago...
The other findings, from the Myspace, AVG antivirus, and ESET antivirus websites, are also not fixed... considering that these websites have a good user base, they are expected to fix quickly.
HSBC haven't fixed their bug just yet... but it is obvious, they're a bank and they want money... not security ;)
The Indian government website has removed the page having input sanitization problems, instead of fixing it... still not bad... they've taken some measures to stay at bay...
Cheers :)
Kish
Monday, March 9, 2009
XSS in AVG website
#########################################
# Website: http://www.avg.com
# Bug: XSS
# Date: 09.03.09
########################################
Vuln URL: hxxp://www.avg.com
Screenshot
Click here for the demo
The AV vendors have failed to secure their websites, and their saga of web bugs, ranging from SQL injection, earlier demonstrated by Romanian hackers, to the XSS bugs we're demonstrating, will continue...
Fix input validation in your pages; the page affected is their "license" page...
Cheers :)
Kish
XSS in Myspace
#########################################
# Website: http://www.myspace.com
# Bug: XSS
# Date: 09.03.09
########################################
Vuln URL: hxxp://www.myspace.com/Modules/PostTo/Pages/DefaultV1.aspx
Screenshot
Click here for XSS demo
Fix input validation in the page, social networks are my turf !
Cheers :)
Kish
Wednesday, March 4, 2009
XSS in ESET website
#########################################
# Website: http://www.eset.com
# Bug: XSS
# Date: 04.03.09
########################################
Vulnerable URL: hxxp://kb.eset.com
Click here for the demo
Fix input validation in the page, antivirus vendors are supposed to be careful, at least, I thought so!
This is a special advisory, dedicated to Digi (Crimemachine, Founder), my very good friend and fellow hacker, who is an ardent supporter of ESET products, the antivirus especially, for the heur et al.
Cheers :)
Kish