http://securityratty.com/tag/ciac Tue, 10 Jun 2008 06:21:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/14d768c1277ece67ce8d1db383a0b2a2 http://securityratty.com/article/14d768c1277ece67ce8d1db383a0b2a2 CIAC Technical Bulletin, CIACTech08-003: Understanding Cross-Site Scripting (XSS), is that it should have been released a year ago or more. ;-)
But rather than nitpick, I'd like to applaud.
This is a fine effort, with a number of good resources cited.
You'll find content on the types of cross-site scripting, including DOM, non-persistent, persistent, and CSRF. Additionally, you'll note methods of protection and reference links to content on Htmlspecialchars, Htmlentities, and Giorgio Maone's NoScript.
This is a great starting point for enlightening vendors, developers, and IT folk who may not be as up to speed as you might like on the concerns caused by XSS vulnerabilities.
Given the fact that stories continue to surface on the shortcomings of major security vendors, and their utter lack of diligence with regard to XSS, as well as efforts to further enlighten the masses, this is a valiant effort.
Well done, CIAC.

del.icio.us | digg]]> Tue, 10 Jun 2008 06:21:00 +0000 ciac xss vendors xss vulnerabilities ciac technical bulletin major security vendors stories continue content fine effort CIAC Tech Bulletin on XSS a valuable reference