Information Security News mailing list archives

DoD 8570 InfoSec Training and Compliance Vendors Vulnerable to XSS


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 2 Jul 2014 08:49:22 +0000 (UTC)

http://www.infosecnews.org/dod-8570-1-infosec-training-and-compliance-vendors-vulnerable-to-xss/

By William Knowles @c4i
Senior Editor
InfoSec News
July 1, 2014

XSSposed (XSS exposed) is reporting that the Web sites of both the InfoSec Institute and the EC-Council are vulnerable to a Cross-site scripting (XSS) attack.

Cross-Site Scripting (XSS) is an injection flaw in which specially crafted data is delivered into an existing Web application. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user, whose browser then runs that script in the context of the trusted site. XSS attacks often lead to bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting is listed as the number three vulnerability on the OWASP Top 10 list for 2013.
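To make the reflected case concrete, here is an added example written for this page (not code from XSSposed, the InfoSec Institute or the EC-Council). It models a sign-in portal that echoes the submitted username into its error message; the template, function names and probe string are all constructed for the illustration.

```python
import html

# Constructed sign-in page: the submitted username is reflected both as
# text and inside a quoted attribute, the two contexts that matter here.
LOGIN_TEMPLATE = """<form method="post" action="/portal/login">
  <p class="error">Login failed for {user}</p>
  <input name="username" value="{user}">
</form>"""

# Constructed probe string used only to show the difference between the
# vulnerable and the hardened rendering paths.
SAMPLE_INPUT = '"><script>alert(1)</script>'


def render_login_error(username: str, escape: bool = True) -> str:
    """Render the sign-in page with the username reflected into it.

    escape=False reproduces the vulnerable behaviour: raw input lands in
    the HTML. escape=True is the fix: html.escape with quote=True encodes
    <, >, &, " and ', which neutralises both the text and attribute contexts.
    """
    user = html.escape(username, quote=True) if escape else username
    return LOGIN_TEMPLATE.format(user=user)


def reflects_active_markup(page: str) -> bool:
    """Cheap check a test suite can run on rendered pages: does any
    script tag survive in the output that came from user input?"""
    return "<script" in page.lower()


def security_headers() -> dict:
    """Defence in depth for a portal page: limit what an injected script
    could do even if one rendering path is missed. Cookie value is a
    placeholder."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax",
    }


if __name__ == "__main__":
    print("vulnerable:", reflects_active_markup(render_login_error(SAMPLE_INPUT, escape=False)))
    print("hardened:  ", reflects_active_markup(render_login_error(SAMPLE_INPUT)))
```

The HttpOnly flag matters because a reflected script that cannot read the session cookie loses its most direct route to account takeover on a sign-in portal.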

According to XSSposed, the InfoSec Institute has not one, two, three, four, five, six, but SEVEN XSS vulnerabilities discovered this week. The most recent XSS vulnerability in the EC-Council site is in the portal page where its customers sign in. It is not the only XSS vulnerability reported on that site: The Hacker News reported one back in 2011, and Rafay Baloch and Deepanker Arora discovered another in 2013.

In a statement after a previous Web defacement, the vendor said that the "EC-Council takes the privacy and confidentiality of their customers very seriously." Regardless, the EC-Council Web site was compromised three times during a single week in February 2014. Since the breach, EC-Council has neither confirmed nor denied allegations that the attacker exfiltrated thousands of passports, drivers' licenses, and government and military Common Access Cards (CACs).

[...]


