CIA.gov - Deliciously XSS Hackable

Printable View

April 14th, 2008, 09:32 PM
phernandez

CIA.gov - Deliciously XSS Hackable

Some cross-site scripting fun from our friends in the intelligence gathering biz...

Look Ma, I'm on CIA.gov - Threat Level, Wired Blogs

Quote:

In an age where JavaScript is so ubiquitous that some websites won't even load if you don't enable in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hacker create links that have some very unintended consequences on websites that are not careful to keep from executing other people's code.

Most are run-of-the-mill and hardly worth writing about, but reader HS writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist.

Be sure to override your browser's XSS protection to view the example.
April 14th, 2008, 09:41 PM
nihil

OMG!.................. my little nephew was on their site only a few days ago............ hmmm.......... he then went to the FBI site :lildevil:

Hell, a pity I didn't think that he might be interested in the IRS :xbones:
April 14th, 2008, 10:01 PM
Tachyon

That is delicious!

This is a great demo for showing the boss/bosses. Nothing like having a tangible example to show in real life.
April 14th, 2008, 10:44 PM
phernandez

Agreed Tachyon...

Pretty benign in this example, but it's a GREAT way to get those doubters to pay attention.
April 15th, 2008, 01:20 AM
Computernerd22

Quote:

Some cross-site scripting fun from our friends in the intelligence gathering biz...

Look Ma, I'm on CIA.gov

Be sure to override your browser's XSS protection to view the example.

I don't understand. Is this correct ---> Their is a vulnerability on the www.cia.gov website? Yes or no? I've had a few drinks this evening so I am a little slow (just be honest here) and question #2

See whats in bold phernandez, How do I override my browsers XSS protection to view the example? I just want to see the example, judging by nihil reply it must be good, if this seems like a stupid question it probably his however i CANT COMPREHEND IT and this moment care to explain all help is greatly appreciated, btw keep posting this stuff you find very interesting reads in deed. cn22 peace

ps what is pony is cute?
April 15th, 2008, 11:58 AM
MadBeaver

Nice. It took me a second to figure out what was going on, I'm still working on my first cup of coffee.

Who's got the Cute Pony?
April 15th, 2008, 02:02 PM
phernandez

22,

IE7 (in my case) will give you a warning, just click through. NoScript on Firefox wouldn't allow me without disabling it.

In short, it displays the Wired story with the CIA.gov's URL string. Looks obvious in that example, but imagine if someone bothered to craft something a little more official looking...

Oh, and ponies... not cute: http://youtube.com/watch?v=u-prMb6BdNs