XSS at Food.gov.uk - disclosed and fixed


A few months ago, I was attending the National Hack The Government event. I was showing off some of the work I had been doing on "The Unsecured State" - looking at *.gov.uk website security.

I was chatting to an envoy from the Food Standards Agency who was eager to hear more about what I'd discovered.

"Oh," I said, "It's pretty easy. Let's take a look at your website. If I were to type some HTML into your search box, you would expect that the site would recognise it as dangerous content and refuse to display it."

A few clicks later...

[Screenshot: Food.gov.uk XSS]

"Ah," the FSA lady said, "Let me just make a quick phone call...."

A little while later, it was fixed.
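What a reflected search-box XSS and its fix look like in code, as an added illustration (not code from the original post and not Food.gov.uk's actual site). The page markup, the function names and the probe string are assumptions made up for this example; the point it demonstrates is the one in the story above: a site that writes the query back into the page verbatim executes whatever HTML was typed, and the fix is to HTML-encode the query at the point it is written out.

```javascript
// Added example, not the original post's code. The markup and names below are
// assumptions made up for illustration.

// Vulnerable: the search query is interpolated into the page verbatim, both in
// the heading and in the search box's value attribute, so any markup the user
// typed becomes part of the document.
function renderSearchUnsafe(query) {
  return [
    `<input name="q" value="${query}">`,
    `<h1>Results for: ${query}</h1>`,
  ].join('\n');
}

// Encode the five characters that can change HTML context. Quotes matter too,
// because the query is also echoed inside an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: the same page, but the query is HTML-encoded at the moment it is
// written into the document. The browser now shows the text the user typed
// instead of parsing it as tags.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return [
    `<input name="q" value="${q}">`,
    `<h1>Results for: ${q}</h1>`,
  ].join('\n');
}

// The check from the story: type some HTML into the search box and see whether
// it comes back unencoded. Returns the rendered page and whether the probe
// survived intact (true means reflected XSS).
function probeSearch(render, probe) {
  const html = render(probe);
  return { html, reflected: html.includes(probe) };
}

// Constructed probe: harmless markup is enough to prove the point; if <b>
// survives, so would a <script> tag or an event handler attribute.
const PROBE = '<b>hello</b>';

console.log('unsafe reflected:', probeSearch(renderSearchUnsafe, PROBE).reflected); // true
console.log('safe reflected:  ', probeSearch(renderSearchSafe, PROBE).reflected);   // false
```

Encoding at output time is what the fix amounts to; "recognising dangerous content" on the way in is a weaker substitute, because the list of dangerous strings is open-ended while the set of characters that need encoding for a given context is not. Note that this covers HTML text and attribute contexts only; a query written into a script block or a URL needs that context's own encoding.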

This is not about minor councils and tiny departments. The FSA has a multi-million pound budget and, no doubt, an extensive tender process for its expensive website. How do security flaws like this continue to sneak through?

Is it enough to assume that a large, experienced web designer will be competent?

Should there be standardised products and services used to ensure a bare-minimum level of security?

Does the Government need to produce a thousand page "Compliance And Best Practice" document to ensure every i is crossed and t is dotted?

I honestly don't know the answers to these questions.

Security is like usability - it's not one of those things which can be tacked on at the end of a project once the "real work" is done. It has to permeate every aspect of design and creation.

