Plip's Weblog

Phil Winstanley - British .NET chap based in Lancashire. Enjoys tea and tech. Working for Microsoft.

Cross site scripting - LOVEFiLM

It still worries me that so many sites are still vulnerable to cross site scripting attacks!

I use an online DVD rental service and today I needed to go and recover my password, only to be presented with a screen which took query string values and placed them directly onto the page.

What's worse is that this page is running on an HTTPS connection, meaning users could be lulled into a viciously false sense of security.

https://www.lovefilm.com/visitor/login.html?validation_error=<script>alert('This%20is%20a%20malicious%20script%20injection,%20potentially.')</script>

Comments

CumpsD said:

Just mentioning that weblogs.asp.net allows HTML input for your posts as well ;)

Which sadly enough gives a nice javascript alert when viewing your post.

# February 24, 2007 11:21 AM