Research

Staying one step ahead of the ever changing threat landscape is a strategic imperative for Veracode. Whether it’s desktop apps, web apps or mobile, we’re constantly looking for software vulnerabilities. If we discover something interesting this is where you’ll read about it.

Obama XSS Silliness

Apparently the security blunder of the weekend goes to the Barack Obama campaign for having XSS vulnerabilities throughout their website. There’s no need for me to rehash the story; other articles already describe what happened. My thoughts on the matter are as follows:

  • I wish the media wouldn’t refer to this as “hacking Obama’s website” because it’s not quite accurate; XSS attacks the site’s visitors (their browsers and sessions), not the web server itself. Clearly one makes a better headline than the other.
  • Can people (that’s you, security bloggers) stop saying things like “they should have been filtering inputs”? The most effective defence against XSS is encoding untrusted data on output (HTML entity encoding for an HTML context), NOT input validation. Input validation is worthwhile, and please keep doing it in general, but relied on as your XSS defence it is eventually going to miss something.
  • Why is anybody surprised about this? Did anybody really think that the Obama (or Clinton, or McCain) campaigns would be spending money on web security testing? I guess they might be from now on…

All quite amusing nonetheless.
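As an added illustration of the second point (this is example code written for this page, not code from the original post or from Veracode), the script below contrasts a blacklist “filter your inputs” approach with HTML entity encoding at the point of output. The payloads, the `render_*` functions and the `naive_input_filter` are constructed for the demonstration; `html.escape` is Python’s standard-library encoder.

```python
import html
import re

# Constructed payloads for the demonstration (not taken from the original post).
PAYLOADS = [
    "<script>alert(1)</script>",                   # the textbook case
    "<scr<script>ipt>alert(1)</scr</script>ipt>",  # reassembles after a strip
    "<img src=x onerror=alert(1)>",                # no <script> tag at all
]

# A hypothetical template that reflects a request parameter into an HTML body.
PREFIX, SUFFIX = "<p>Hello, ", "!</p>"


def naive_input_filter(value: str) -> str:
    """The 'filter your inputs' approach the post warns about:
    strip anything that looks like a <script> tag and hope that is enough."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", value, flags=re.IGNORECASE)


def render_unsafe(name: str) -> str:
    """Vulnerable: reflects the value straight into an HTML body context."""
    return PREFIX + name + SUFFIX


def render_safe(name: str) -> str:
    """Hardened: HTML-entity-encode at the point of output, regardless of
    what (if any) validation happened on the way in."""
    return PREFIX + html.escape(name, quote=True) + SUFFIX


def user_portion(rendered: str) -> str:
    """Isolate the attacker-controlled part of the rendered page."""
    return rendered[len(PREFIX):len(rendered) - len(SUFFIX)]


def breaks_out(rendered: str) -> bool:
    """True if the attacker-controlled text still contains a raw '<', which is
    what lets the browser open a new tag inside the body context."""
    return "<" in user_portion(rendered)


def survey() -> dict:
    """For each payload: does it still break out after (a) filtering only,
    (b) output encoding?"""
    return {
        p: {
            "filter_only": breaks_out(render_unsafe(naive_input_filter(p))),
            "encode": breaks_out(render_safe(p)),
        }
        for p in PAYLOADS
    }


if __name__ == "__main__":
    for payload, result in survey().items():
        print(f"{payload!r:48} filter-only breaks out: {result['filter_only']!s:5} "
              f"encode breaks out: {result['encode']}")
```

The blacklist catches the textbook payload and nothing else: stripping the inner `<script>` from the second payload reassembles a working `<script>` tag, and the third never contained one. Encoding on output neutralises all three without needing to know what the attacker will try. One caveat: `html.escape` is the right encoder for HTML body and quoted-attribute contexts only; data placed inside JavaScript, URLs or CSS needs the encoder for that context.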

4 Comments »


Pingback by Obama » Obama XSS Silliness — April 22, 2008 @ 12:17 pm

[...] on the web, despite it being one of the simplest to mitigate against. As the guys at Veracode point out, and the guidance from OWASP, it’s not all about input validation (although [...]

Pingback by The State of Web Security | Mike Andrews — May 20, 2008 @ 6:45 pm

Now this is what I always say to people and do in my code! Great thing I found this, probably another favorite rss feed to my collection.

Comment by Marius — May 23, 2008 @ 7:21 am
