Monday, July 2, 2007

MoSEB Showcases Widespread XSS Problem

Via MoSEB Blog -

33 search engines (30 web engines and 3 local engines) from 19 vendors took part in the project; some vendors have several engines. The list of the project's participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether 104 vulnerabilities were published in the mentioned engines, including Cross-Site Scripting (both as XSS and as HTML Injection), Full Path Disclosure, Content Spoofing and Information Disclosure vulnerabilities. This is without taking redirectors in the search engines into account (altogether 23 redirectors were published).

Results of the project: 44 of 104 vulnerabilities were fixed (without taking redirectors into account). That is 42.31% of vulnerabilities fixed. Owners of search engines have room for improvement in their engines' security.

Note that of all the search engine vendors only two (from 19 vendors of 33 search engines) thanked me for the time I spent on them, for searching for vulnerabilities in their systems and for helping to improve their engines' security (these are Rambler and Ezilon). All the other owners of search engines didn't even think (were too lazy) to do that. That is very unethical on their side and they need to work on their ethics and culture.

------------------------------------------

Combine MoSEB with the XSS found on the CIA FOIA website (released on FD) and the defacement of the Microsoft UK website by SQL injection over the weekend, and you start to see why SQL injection and XSS are tagged as two of the most widespread security issues on the net.
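To make the bug class concrete, here is an added example that is not code from MoSEB, from any of the engines named above, or from this blog. It models the most common finding in that project: a results page that echoes the query string back into the HTML without encoding it, once in the search box's value attribute and once in the page body. The vulnerable renderer sits next to the fixed one, and `isReflectedUnencoded` is the kind of check a tester runs to tell them apart. All function names and the sample query are this example's own assumptions.

```javascript
// Added example: reflected XSS / HTML injection in a search results page.
// Not the code of any real search engine; a minimal model of the bug class.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw query is concatenated into two places in the page,
// an attribute value and element text. Either one is enough for XSS.
function renderResultsVulnerable(q) {
  return `<input name="q" value="${q}">` +
         `<h2>Results for: ${q}</h2>`;
}

// Fixed: every reflection of user input goes through escapeHtml first.
// The query is still displayed; it just cannot change the markup.
function renderResultsFixed(q) {
  const e = escapeHtml(q);
  return `<input name="q" value="${e}">` +
         `<h2>Results for: ${e}</h2>`;
}

// Tester's reflection check: submit a unique marker wrapped in characters
// that close an attribute and open a tag, then look for it coming back
// byte-for-byte. If it does, the page is injectable at that point.
function isReflectedUnencoded(render, marker) {
  const probe = `"><${marker}>`;
  return render(probe).includes(probe);
}

// Constructed sample query: the classic proof-of-concept payload.
const PROBE = '<script>alert(1)</script>';

// Stand-alone demonstration.
console.log('vulnerable reflects payload:',
  renderResultsVulnerable(PROBE).includes(PROBE));        // true
console.log('fixed reflects payload:',
  renderResultsFixed(PROBE).includes('<script>'));         // false
console.log('fixed output:', renderResultsFixed(PROBE));
```

The check deliberately includes `">` in the probe: a page that escapes only `<` and `>` but leaves `"` alone still lets the attacker break out of the `value` attribute, which is why the fix escapes quotes as well.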

We have a lot of work ahead of us as security professionals.

XSS is the New Buffer Overflow, JavaScript Malware is the new shellcode
