CIA.gov - Deliciously XSS Hackable

  1. #1 phernandez (Senior Member, NYC, joined Aug 2003, 246 posts)

    Some cross-site scripting fun from our friends in the intelligence gathering biz...

    Look Ma, I'm on CIA.gov - Threat Level, Wired Blogs

    In an age where JavaScript is so ubiquitous that some websites won't even load if you don't enable it in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hackers create links that have some very unintended consequences on websites that are not careful to keep from executing other people's code.

    Most are run-of-the-mill and hardly worth writing about, but reader HS writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist.
    Be sure to override your browser's XSS protection to view the example.

  2. #2 nihil (Super Moderator: GMT Zone, United Kingdom: Bridlington, joined Jul 2003, 17,190 posts)
    OMG!.................. my little nephew was on their site only a few days ago............ hmmm.......... he then went to the FBI site

    Hell, a pity I didn't think that he might be interested in the IRS
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3 Tachyon (Member, joined May 2002, 93 posts)
    That is delicious!

    This is a great demo for showing the boss/bosses. Nothing like having a tangible example to show in real life.
    Tachyon

    |-----|Alcohol is my anti-drug |-----|

  4. #4 phernandez (Senior Member, NYC, joined Aug 2003, 246 posts)
    Agreed Tachyon...

    Pretty benign in this example, but it's a GREAT way to get those doubters to pay attention.

  5. #5 Computernerd22 (AO's MMA Fanatic!, Miami, FL, joined Mar 2003, 769 posts)
    Some cross-site scripting fun from our friends in the intelligence gathering biz...

    Look Ma, I'm on CIA.gov

    Be sure to override your browser's XSS protection to view the example.
    I don't understand. Is this correct ---> There is a vulnerability on the www.cia.gov website? Yes or no? I've had a few drinks this evening so I am a little slow (just be honest here), and question #2:

    See what's in bold, phernandez. How do I override my browser's XSS protection to view the example? I just want to see the example; judging by nihil's reply it must be good. If this seems like a stupid question it probably is, however I CAN'T COMPREHEND IT at this moment. Care to explain? All help is greatly appreciated. BTW, keep posting this stuff you find, very interesting reads indeed. cn22 peace

    PS: what is "pony is cute"?
    Last edited by Computernerd22; April 15th, 2008 at 02:24 AM.

  6. #6 MadBeaver (Senior Member, Bath, Maine, joined Jul 2003, 252 posts)
    Nice. It took me a second to figure out what was going on, I'm still working on my first cup of coffee.

    Who's got the Cute Pony?
    Mad Beaver

  7. #7 phernandez (Senior Member, NYC, joined Aug 2003, 246 posts)
    22,

    IE7 (in my case) will give you a warning, just click through. NoScript on Firefox wouldn't allow me without disabling it.

    In short, it displays the Wired story with the CIA.gov's URL string. Looks obvious in that example, but imagine if someone bothered to craft something a little more official looking...

    Oh, and ponies... not cute: http://youtube.com/watch?v=u-prMb6BdNs
