In association with heise online

01 May 2008, 14:11

London mayoral candidate web sites open to XSS

Penetration testers SecureTest have found that the campaign web sites of both leading candidates in today's London mayoral election could be attacked using cross-site scripting (XSS). At the time of publication, the hole had been fixed in Boris Johnson's site, but not Ken Livingstone's.

An example link was provided by SecureTest.

The vulnerability stems from failure to sanitise user input to the site's registration form. User input – in this case an HTML iframe tag pair containing a link to the injected content – is echoed in its entirety, allowing any content to be added to the page at will via a manipulated link.
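
The flaw and its fix can be shown with a registration form that echoes a submitted value back into the page, first as received and then with input checking and output encoding. This is an added example, not code from either campaign site or from SecureTest; the `name` field, the `/register` route, the markup and the sample input are assumptions constructed for illustration.

```javascript
// Added example: field names, route and markup are assumptions.
// Constructed input: an iframe tag pair carried in a link's query string.
const sampleQuery = 'name=' + encodeURIComponent(
  '"><iframe src="https://injected.example.invalid/"></iframe>');

// Encode the characters that let a value break out of element content
// or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Input check: letters, spaces, apostrophes, hyphens and dots, up to 64 chars.
function isPlausibleName(value) {
  return /^[\p{L} .'-]{1,64}$/u.test(value);
}

// Before: the submitted value is echoed into the page exactly as received.
function renderFormUnsafe(params) {
  const name = params.get('name') || '';
  return `<form method="post" action="/register">
  <p>Registering as: ${name}</p>
  <input type="text" name="name" value="${name}">
</form>`;
}

// After: reject implausible input, and encode whatever is echoed anyway.
function renderFormSafe(params) {
  const raw = params.get('name') || '';
  const error = raw && !isPlausibleName(raw) ? 'Please enter a valid name.' : '';
  const name = escapeHtml(raw);
  return `<form method="post" action="/register">
  <p class="error">${escapeHtml(error)}</p>
  <input type="text" name="name" value="${name}">
</form>`;
}

// True if the rendered markup contains a live iframe element.
function containsIframeTag(html) {
  return /<iframe\b/i.test(html);
}

function demo() {
  const params = new URLSearchParams(sampleQuery);
  return {
    unsafe: containsIframeTag(renderFormUnsafe(params)),
    safe: containsIframeTag(renderFormSafe(params)),
  };
}
```

Encoding on output is the control that closes the hole; the input check only narrows what reaches the template and reports an error to the user.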

