Three major XSS issues in 2016
XSS vulnerability in Yahoo Mail
This year was really interesting in terms of real use-cases. One of the most recent findings was described by Jouko Pynnönen: a stored XSS vulnerability in Yahoo Mail. According to his blog post, “The flaw was reported to Yahoo Security via HackerOne on November 12 and fixed on November 29, 2016. Yahoo awarded a bounty of $10,000 for the finding.” In short, an attacker could perform a DOM-based XSS attack through dynamically generated HTML markup that was built from user-supplied values without proper sanitization.
Another interesting issue was the AngularJS team’s decision to remove the “expression sandbox” from AngularJS 1 after sandbox escapes had been reported for every AngularJS 1 version. It’s important to emphasize that this sandbox was never intended to provide real protection against XSS attacks. Instead, it misled developers who kept relying on it as a security feature.
Practice with us!
You can see that XSS is still hot and it makes total sense to arm yourself against it. Try your skills again by solving our Avatao XmaSS challenge. Enjoy!
We wish you a Merry Christmas!