XSS at Food.gov.uk – disclosed and fixed

by @edent

A few months ago, I was attending the National Hack The Government event. I was showing off some of the work I had been doing on “The Unsecured State” – looking at *.gov.uk website security.

I was chatting to an envoy from the Food Standards Agency who was eager to hear more about what I’d discovered.

“Oh,” I said, “It’s pretty easy. Let’s take a look at your website. If I were to type some HTML into your search box, you would expect that the site would recognise it as dangerous content and refuse to display it.”

A few clicks later…

Food.gov.uk XSS screenshot

“Ah,” the FSA lady said, “Let me just make a quick phone call….”

A little while later, it was fixed.
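As an added illustration (not the FSA's code, which this post does not show), here is the pattern behind a reflected search-box XSS in Python: a constructed results page echoes the query once unencoded, as the post describes, and once HTML-encoded for each context, with a parser-based check that confirms the page shows the query as data only. The template, function names and sample query are all assumptions made for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: markup typed into a search box, as in the post.
SAMPLE_QUERY = '"><img src=x onerror="alert(1)">'

# Constructed page (not the FSA's): query reflected into an attribute and a text node.
TEMPLATE = (
    "<form action='/search'><input name='q' value=\"{attr}\"></form>"
    "<h1>Results for: {text}</h1>"
)

def render_results_unsafe(query: str) -> str:
    # The flaw the post describes: the raw query becomes part of the page.
    return TEMPLATE.format(attr=query, text=query)

def render_results_safe(query: str) -> str:
    # Encode for a double-quoted attribute and a text node: html.escape with
    # quote=True turns & < > " ' into entities. JavaScript, URL and CSS sinks
    # would need their own encoders and are not covered here.
    encoded = html.escape(query, quote=True)
    return TEMPLATE.format(attr=encoded, text=encoded)

class _Probe(HTMLParser):
    # Records the tags a browser would see, the search box value and all text.
    def __init__(self):
        super().__init__()
        self.tags, self.input_value, self.text = [], None, ""

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")

    def handle_data(self, data):
        self.text += data

def reflects_query_as_data(page: str, query: str) -> bool:
    # True when only the template's own tags exist and both reflections decode
    # back to the query, i.e. the user's input stayed data rather than markup.
    probe = _Probe()
    probe.feed(page)
    probe.close()
    return (probe.tags == ["form", "input", "h1"] and probe.input_value == query
            and probe.text == f"Results for: {query}")
```

The check is the kind of regression test that would have caught the search-box flaw before release: it fails for the unencoded page and passes for the encoded one.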

This is not about minor councils and tiny departments. The FSA has a multi-million pound budget and, no doubt, an extensive tender process for its expensive website. How do security flaws like this continue to sneak through?

Is it enough to assume that a large, experienced web designer will be competent?

Should there be standardised products and services used to ensure a bare-minimum level of security?

Does the Government need to produce a thousand page “Compliance And Best Practice” document to ensure every i is crossed and t is dotted?

I honestly don’t know the answers to these questions.

Security is like usability – it’s not one of those things which can be tacked on at the end of a project once the “real work” is done. It has to permeate every aspect of design and creation.
