I agree...but here comes strike two.
I was happily bouncing about the internet looking for things that should be fixed, when what did I see at Toastmasters International but a McAfee Hacker Safe certificate. Ever the skeptic, I said to myself, "Prove it." But, of course, because my white hat and professional values require it, I remembered that "first, do no harm" are words to live by. But a wee script test in a form field can't hurt, right?
There's video of this here if you prefer.
Let's begin.
Here's the Advanced Search page, note the McAfee Hacker Safe tag in the lower right:
Then, said little test script about to be submitted to the Advanced Search page:
Ruh roh, Rastro. Can you say XSS?
Man, that's not good, so let's try a bit more trickery.
XSSed indeed.
Something tells me the McAfee Hacker Safe service offering would do well to dig a little deeper before certifying a site.
Meanwhile, sanitizing input might not be a bad idea for our Toastmasters friends.
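To make the "sanitize your input" point concrete, here is an added Python model of the pattern behind a reflected XSS in a search page, beside its fixed form. This is example code written for this post, not code from the original article or from the Toastmasters site; the search strings, function names and the page markup are constructed for illustration.

```python
import html

# Constructed sample inputs (hypothetical, not taken from the site in the post).
# PROBE is the classic harmless test string; BENIGN shows a legitimate query
# that still contains characters with meaning in HTML.
PROBE = '<script>alert(1)</script>'
BENIGN = 'leadership & "public speaking"'


def render_results_vulnerable(query: str) -> str:
    """Echo the submitted search term straight into the page body.

    This is the mistake behind reflected XSS: whatever the user typed becomes
    part of the HTML the browser parses, markup included.
    """
    return f'<p>Results for: {query}</p>'


def render_results_fixed(query: str) -> str:
    """Encode the term for the HTML body context before echoing it.

    html.escape turns <, >, &, and (with quote=True) quotes into entities, so
    the browser renders the text literally instead of executing it.
    """
    return f'<p>Results for: {html.escape(query, quote=True)}</p>'


def render_search_box_fixed(query: str) -> str:
    """Re-populating the input box is an attribute context.

    quote=True matters here: an unencoded double quote would otherwise let the
    value break out of the attribute.
    """
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


def reflects_unencoded(query: str, page: str) -> bool:
    """Defender's self-check: does the raw submitted string, angle brackets and
    all, come back verbatim in the response? True means the page is echoing
    input without encoding and needs fixing."""
    return '<' in query and query in page


if __name__ == "__main__":
    for label, render in (("vulnerable", render_results_vulnerable),
                          ("fixed", render_results_fixed)):
        page = render(PROBE)
        print(f"{label:10s} reflects unencoded: {reflects_unencoded(PROBE, page)}")
        print("  ", page)
    print("benign query, fixed:", render_results_fixed(BENIGN))
    print("search box, fixed:  ", render_search_box_fixed(BENIGN))
```

The `reflects_unencoded` check is the same idea the post applies by hand: submit a harmless marker containing markup characters and see whether it comes back untouched. Encoding at the point where data meets HTML is what closes the hole; rejecting "bad" input up front is a weaker substitute because it has to anticipate every encoding trick.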
Play nice until Toastmasters gets a chance to fix it, please. I've already let them know.
Cheers.
1 comment:
Nice findings. I remember last year when Turbotax.com got hacked (it wasn't an active hack, someone just stumbled on it by accident filing their taxes), it also had the HackerSafe seal.
Originally I thought ScanAlert was just a wrapper around Nessus, but I think even Nessus would have found this stuff, so I guess it isn't using it after all ;P