Full Disclosure mailing list archives

[xssworm.com] Alert : XSS Worms - Cross-Site Scripting and Web 2.0 Application Security Blog


From: "XSS Worm XSS Security Information Portal" <xssworm () gmail com>
Date: Sat, 27 Oct 2007 11:11:56 +1000

Greetings To All

We are proud to announce the grand-opening of XSS Worm : Cross Site
Scripting Attacks ™ - http://www.xssworm.com/ - Cross Site Scripting Attacks
: the new site for discussion of XSS (also known as CSS (not to be confused
with Cascading Style Sheets (also sometimes referred to as CSS))
vulnerabilities) security issues in web-enabled networks and dynamic
Internet applications.

XSS - a word commonly used by modern security experts to categorize a wide
range of emerging web-enabled security threats. This unpronounceable word
was once said to derive from the common term "Cross Site Scripting" (the
leading X in this instance perhaps alluding to the Cross of the popular
novel.) Yes, friends, our Web sites are becoming more complicated from day to
day, and the number of web sites produced in plain HTML is decreasing on the
net. The popular ones are PHP, ASP, JSP and other technologies, and as these
increase the attacks are becoming more dangerous.

It's very common and unfortunately still an issue we have to deal with in
many web-aware applications. Internally the XSS WORM Team has been working
on several XSS Security projects to help mitigate and fix these security
issues, as well as to detect them in the code sources that are available
online, so that they can be fixed before a worm is developed.

According to a new study, up to over *90% of all (100%) web sites* may be
vulnerable to some form of security attack.

Jeremiah Grossman's WhiteHat Security (whitehat.com) — the prominent Web
application security firm founded by the vulnerability-scanning whiz —
concludes that as many as 90 percent of all the sites it has tested in the
last year remain open to some form of hijack or infection.

The leading problem remains many sites' vulnerability to cross-site
scripting (XSS) hacks, through which attackers place malicious code on
legitimate sites to trick end users into handing over their personal
information or passwords.

As many as 75 percent of the pages scanned by WhiteHat had some form of
XSS-exploitable flaw, according to the paper. But it's not only XSS Worms
that application developers have to be concerned about - according to
WhiteHat, Cross Request Forgery attacks are emerging as the "new .. [xss] "
and hackers are scrambling to update their virus engines.

"The best way to think about Response Splitting is that it's executed
similarly to Cross-Site Scripting (XSS) … *but more powerful*."  -- Jeremiah
Grossman

As in the rest of the online world, however, WhiteHat contends that XSS
threats top the list of vulnerability classes by vertical, followed closely
by Information Leakage.

"These statistics continue to reveal recurring and emerging issues that are
affecting Web sites across industries," said Grossman, who wears the title
of CTO at WhiteHat. "As increasing amounts of sensitive data are stored
online, WhiteHat remains vigilant about alerting companies to common attack
methods and emphasizing the importance of Web site vulnerability management
as part of their overall security posture."

The original security article source can be located at
http://weblog.infoworld.com/zeroday/archives/2007/10/study_90_percen.html

This is our introduction for the newest premium security information service
XSSworm.com : cross-site scripting attacks - we will be posting news and
updates on these topics and we welcome all of your comments on the topics of
Web 2.0 Security, Cross-Site Scripting, XSS Worms, XSRF Worms, Digg and
Social Networking worms, Youtube worms, Facebook worms, Web 2.0 Security and
XML and so much more.

Please pay our XSS page a visit and leave your comments! Only the most
relevant XSS security news, tools and comments, please - no spam; your
blackhat SEO <http://xssworm.com/?&seo=blackhat> tricks are not welcome here.

This email has been cross-posted for discussion on our XSS Security
Discussion Forum board: http://tiniuri.com/f/n7 - replies welcome on list or
on site. Thanks.

Regards

The XSSWorm.Com Security Team.

------
Francesco Vaj
CSS Security Researcher -- XSSworm.com
mailto:vaj () nospam xssworm com
Aim: XSS Cross Site
http://www.XSSworm.com - Cross Site Scripting Attacks
Web 2.0 Application Security Information Blog 2007 <http://xssworm.com>

"Vaj, bella vaj."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/