This is a cached snapshot of http://www.veracode.com/blog/?p=89, taken when the feed was indexed.
Obama XSS Silliness
2008-04-22 15:04:10 by Chris Eng in Zero in a bit
 

Apparently the security blunder of the weekend goes to the Barack Obama campaign for having XSS vulnerabilities throughout their website. There’s no need for me to rehash the story; you can read other articles that describe what happened. My thoughts on the matter are as follows:

  • I wish the media wouldn’t refer to this as “hacking Obama’s website” because it’s not quite accurate; XSS attacks end users, not the web site itself. Clearly one makes a better headline.
  • Can people (that’s you, security bloggers) stop saying things like “they should have been filtering inputs?” The most effective way to protect against XSS is HTML entity encoding, NOT input validation. Input validation is great and all — and please continue to use it in general — but you’re going to miss something.
  • Why is anybody surprised about this? Did anybody really think that the Obama (or Clinton, or McCain) campaigns would be spending money on web security testing? I guess they might be from now on…
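To make the encoding point concrete, here is an added example (my own code, not from the post or the Veracode blog) in Python. It pairs a hypothetical, perfectly reasonable name validator with an HTML entity encoder and shows that a legitimate value the validator accepts still breaks out of an attribute unless it is entity-encoded at the output point.

```python
import html

# The five characters with special meaning in HTML text and quoted attribute
# contexts. Replacing them with entities is the core of HTML entity encoding.
_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def html_entity_encode(value: str) -> str:
    """Encode untrusted text for inclusion in HTML text or a quoted attribute."""
    return "".join(_ENTITIES.get(ch, ch) for ch in value)


def matches_stdlib(value: str) -> bool:
    """Cross-check: our encoder agrees with html.escape(..., quote=True)."""
    return html_entity_encode(value) == html.escape(value, quote=True)


def is_plausible_name(value: str) -> bool:
    """Hypothetical input-validation rule (an assumption for this example):
    letters, spaces and punctuation that legitimately occurs in names."""
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ .,'&-")
    return 0 < len(value) <= 64 and all(ch in allowed for ch in value)


def render_unencoded(name: str) -> str:
    """Vulnerable rendering: validated data is written straight into markup,
    so an apostrophe in the data terminates the single-quoted attribute."""
    return f"<input name='who' value='{name}'>"


def render_encoded(name: str) -> str:
    """Fixed rendering: the same data is entity-encoded where it is output."""
    return f"<input name='who' value='{html_entity_encode(name)}'>"


def attribute_intact(rendered: str) -> bool:
    """True when the value attribute still contains exactly one quoted value,
    i.e. the data did not add any quote characters to the markup."""
    return rendered.count("'") == 4  # name='who' and value='...'


# Constructed sample: a legitimate value that passes input validation.
SAMPLE = "O'Brien & Sons"

if __name__ == "__main__":
    print(is_plausible_name(SAMPLE))          # True: validation lets it through
    print(render_unencoded(SAMPLE))           # attribute broken by the apostrophe
    print(render_encoded(SAMPLE))             # apostrophe is inert as &#x27;
    print(attribute_intact(render_encoded(SAMPLE)))
```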

All quite amusing nonetheless.
