This is part 2 of a series of blog posts looking at the security of the UK Government's web infrastructure. Many XSS flaws rely on altering the GET parameters of a request. Some webmasters seem to think that if their forms only use POST they will be immune from the XSS. This is not the case. Don't Press This Button Pressing this button will send a POST request to the Department of Education's EduBase website. XSS DemonstrationDemo linkalert('JavaScript XSS');" /> Demonstrate XSS …
Continue reading →
This is part 1 of a series of blog posts looking at the security of the UK Government's web infrastructure. The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what's happening in the Commons and the Lords, and is run by some really clever people. That's why it's so depressing to see such a basic error as this XSS flaw in their search engine. What Is XSS? Briefly, some websites will let you display or run arbitrary code…
Continue reading →
I'm really late to the party on this one - so this blog post is mostly an aide-mémoire. The web is built on three fundamental components: HTML - the structure of the page. CSS - how the page is styled. JavaScript - the interactivity. Typically, the website owner sets up the CSS to say links are blue, headlines are big, images have borders etc. etc. Users, however, can over-ride these styles using their own CSS. For example, a person with poor vision may decided to pump up all …
Continue reading →
