Apparently the security blunder of the weekend goes to the Barack Obama campaign for having XSS vulnerabilities throughout their website. There's no need for me to rehash the story, you can read other articles that describe what happened. My thoughts on the matter are as follows:
- I wish the media wouldn't refer to this as "hacking Obama's website" because it's not quite accurate; XSS attacks end users, not the web site itself. Clearly one makes a better headline than the other.
- Can people (that's you, security bloggers) stop saying things like "they should have been filtering inputs"? The most effective way to protect against XSS is HTML entity encoding of untrusted data when it is written into the page, NOT input validation. Input validation is great and all -- and please continue to use it in general -- but a filter has to anticipate every pattern an attacker might send, so you're going to miss something.
- Why is anybody surprised about this? Did anybody really think that the Obama (or Clinton, or McCain) campaigns would be spending money on web security testing? I guess they might be from now on...
All quite amusing nonetheless.