The Citizens' Advice Bureaux have just released a real-time view of what people are searching for on its site. It's heartbreaking. Tom Loosemore@tomskitomskiInteresting new digital stuff emerging from @CitizensAdvice display-screen.cab-alpha.org.uk <-- uncomfortable, messy, visceral reality @mikedixonCAB❤️ 8💬 3🔁 010:03 - Tue 21 October 2014 who supplies my electricity why do some children become looked after will i get back pay on pip Terence Eden is on Mastodon@edentJust saw "What is the pun…
Continue reading →
This is part 2 of a series of blog posts looking at the security of the UK Government's web infrastructure. Many XSS flaws rely on altering the GET parameters of a request. Some webmasters seem to think that if their forms only use POST they will be immune from the XSS. This is not the case. Don't Press This Button Pressing this button will send a POST request to the Department of Education's EduBase website. XSS DemonstrationDemo linkalert('JavaScript XSS');" /> Demonstrate XSS …
Continue reading →
This is part 1 of a series of blog posts looking at the security of the UK Government's web infrastructure. The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what's happening in the Commons and the Lords, and is run by some really clever people. That's why it's so depressing to see such a basic error as this XSS flaw in their search engine. What Is XSS? Briefly, some websites will let you display or run arbitrary code…
Continue reading →
The UK version of the Huffington Post was vulnerable to an XSS flaw. This allowed any malicious user to inject images, video, text, and JavaScript into the page. Although the above image show a very silly use of XSS, it could quite easily be used to craft a page to encourage journalists and readers to enter their passwords - and then send them off to criminals. What's unusual is that it appears to be powered by Google Custom Search - which should really be robust against this source of…
Continue reading →
Ever heard of Mydex? Here's how they describe themselves: Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data. Not just secure, but hyper-secure! They've been signed up by the UK Government to provide Identity Assurance. Pretty impressive, eh? Let's ignore the fact that their website doesn't use SSL and concentrate on …
Continue reading →
