Apparently the security blunder of the weekend goes to the Barack Obama campaign for having XSS vulnerabilities throughout its website. There's no need for me to rehash the story; you can read other articles that describe what happened. My thoughts on the matter are as follows:
I wish the media wouldn't refer to this as "hacking Obama's website" because it's not quite accurate; XSS attacks end users (the injected script runs in a visitor's browser), not the web site itself. Clearly one makes a better headline than the other.
Can people (that's you, security bloggers) stop saying things like "they should have been filtering inputs"? The most effective way to protect against XSS is HTML entity encoding of untrusted data at the point where it is written into the page, NOT input validation. Input validation is great and all -- and please continue to use it in general -- but you're going to miss something.
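To make the encoding-versus-filtering point concrete, here is an added example (my own illustration, not code from the post or from any campaign site). It assumes a hypothetical page template that echoes a search term back to the user: a blacklist-style input filter that strips script tags is compared with HTML entity encoding applied at output time. The sample inputs are constructed; the filter, the entity table and the helper names are all mine.

```javascript
// Added example: output encoding vs. input filtering for reflected data.

// Naive "filter the input" approach: remove <script> elements and nothing else.
// This is the kind of blacklist that is bound to miss something.
function stripScriptTags(input) {
  return input.replace(/<\s*\/?\s*script[^>]*>/gi, "");
}

// HTML entity encoding for text content and double-quoted attribute values.
// Every character the HTML parser could interpret as markup is replaced by
// its entity, so the browser renders the data as text, never as tags.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Check used only to compare the two approaches: does the string still
// contain a character that can open or close a tag?
function containsMarkup(s) {
  return /[<>]/.test(s);
}

// Hypothetical search-results template that echoes the user's query.
// The only defense it relies on is encoding at the output point.
function renderSearchPage(query) {
  return `<p>Results for "${encodeForHtml(query)}"</p>`;
}

// Run one input through both approaches and report what survives.
function compareDefenses(input) {
  const filtered = stripScriptTags(input);
  const encoded = encodeForHtml(input);
  return {
    input,
    filteredStillMarkup: containsMarkup(filtered),
    encodedStillMarkup: containsMarkup(encoded),
    rendered: renderSearchPage(input),
  };
}

// Constructed sample inputs (not taken from any real site).
const SAMPLES = [
  "obama",                            // ordinary text
  "O'Brien & <Sons>",                 // legitimate text a strict validator would reject
  "<script>alert(1)</script>",        // the one case the script filter catches
  '<img src=x onerror="alert(1)">',   // no script tag at all, so the filter leaves it intact
];

// Stand-alone run: print a side-by-side table for the samples above.
if (typeof require !== "undefined" && require.main === module) {
  console.table(SAMPLES.map(compareDefenses));
}
```

The filter removes the `<script>` case and nothing else, while the encoder turns every sample into inert text, including the legitimate `O'Brien & <Sons>` that a strict validator would have had to reject outright. That is the practical reason to treat output encoding as the primary control and validation as a secondary one.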
Why is anybody surprised about this? Did anybody really think that the Obama (or Clinton, or McCain) campaigns would be spending money on web security testing? I guess they might be from now on...
Chris Eng, vice president of research, is responsible for integrating security expertise into CA Veracode’s technology. In addition to helping define and prioritize the security feature set of the CA Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to CA Veracode.