Cross site scripting - LOVEFiLM

It still worries me that so many sites are still vulnerable to cross site scripting attacks!

I use an online DVD rental service and today I needed to go and recover my password, only to be presented with a screen which takes query string values and places them directly onto the page.

What's worse, this page is served over an https connection, meaning users could be lulled into a viciously false sense of security.

https://www.lovefilm.com/visitor/login.html?validation_error=<script>alert('This%20is%20a%20malicious%20script%20injection,%20potentially.')</script>
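As an added illustration (not LOVEFiLM's or this blog's code), here is a minimal Node.js rendering of that login error message: the vulnerable version concatenates the query string value straight into the HTML, the fixed version entity-encodes it first. The function names and the host in the sample URL are assumed placeholders.

```javascript
// Added example (not LOVEFiLM's code): a reflected XSS sink beside its fix.
// renderLoginPage* are hypothetical stand-ins for the real login page handler.

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pull validation_error out of a full login URL; URLSearchParams decodes %20 etc.
function getValidationError(pageUrl) {
  return new URL(pageUrl).searchParams.get("validation_error") ?? "";
}

// Vulnerable: the query string value is concatenated straight into the markup,
// so any tags in it become part of the page.
function renderLoginPageVulnerable(pageUrl) {
  const msg = getValidationError(pageUrl);
  return `<div class="error">${msg}</div>`;
}

// Hardened: the same value is entity-encoded before it reaches the HTML,
// so the browser shows the text instead of executing it.
function renderLoginPageSafe(pageUrl) {
  const msg = getValidationError(pageUrl);
  return `<div class="error">${escapeHtml(msg)}</div>`;
}

// Crude check a test or log monitor could apply to rendered output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input modelled on the URL in the post (placeholder host).
const SAMPLE_URL =
  "https://login.example/visitor/login.html?validation_error=" +
  "<script>alert('Injected%20text')</script>";
```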

Published Saturday, February 24, 2007 3:44 PM by Plip

Comments

# re: Cross site scripting - LOVEFiLM

Saturday, February 24, 2007 11:21 AM by CumpsD

Just mentioning that weblogs.asp.net allows HTML input for your posts as well ;)

Which sadly enough gives a nice javascript alert when viewing your post.
