In association with heise online

04 May 2010, 10:24

UK Cyber Security Challenge holed before launch


In the autumn, the Cyber Security Challenge UK web site will allow candidates to register to participate in a programme designed to identify and nurture the future cyber security workforce. Unfortunately, the site was found to have an embarrassing XSS vulnerability just days after launching at InfoSecurity Europe. According to a report by Netcraft, it was possible to inject JavaScript into the site's title and h2 elements by appending the injected code to the site's URL.

James Wheare, a web developer, explained that after being told there was an XSS (Cross Site Scripting) vulnerability on the site, all he did was append text to a URL for the site to see if it appeared in the page. This text was used by the site to populate the title or h2 elements in the page and was not sufficiently encoded to make it safe, allowing <script> tags and JavaScript code to be injected into the site's pages. This particular hole is not believed to have been part of the security challenge and now appears to be closed, but it does demonstrate that anyone can make a simple coding error that is enough to make a site vulnerable to XSS attacks; a valuable lesson.
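The flaw described above and its fix, as an added sketch that is not the site's actual code: the page template, the use of the last URL path segment as display text and the `example.invalid` host are assumptions made for illustration. The last function is a regression check that sends a harmless markup probe and reports whether it comes back unencoded.

```python
import html
from urllib.parse import quote, unquote, urlsplit

# Assumed template: the same URL-derived text fills <title> and <h2>.
TEMPLATE = (
    "<html><head><title>{text}</title></head>"
    "<body><h2>{text}</h2></body></html>"
)


def text_from_url(url):
    """Return the decoded last path segment (assumed source of the text)."""
    path = urlsplit(url).path
    return unquote(path.rsplit("/", 1)[-1])


def render_unencoded(url):
    """The coding error: URL text is placed into the markup as-is."""
    return TEMPLATE.format(text=text_from_url(url))


def render_encoded(url):
    """The fix: HTML-encode the text at the point of output."""
    return TEMPLATE.format(text=html.escape(text_from_url(url), quote=True))


def reflects_markup(render, probe="<b>probe-7f3a</b>"):
    """Return True if a harmless markup probe is reflected unencoded.

    The probe is constructed sample input; it carries no script.
    """
    url = "https://example.invalid/" + quote(probe, safe="")
    return probe in render(url)


if __name__ == "__main__":
    print("unencoded renderer reflects markup:", reflects_markup(render_unencoded))
    print("encoded renderer reflects markup:  ", reflects_markup(render_encoded))
```

Run as a test against every code path that writes request data into a page, the check fails the build whenever the probe survives intact.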

The Cyber Security Challenge UK site is part of an initiative sponsored by the UK Government's Office of Cyber Security, SANS Institute, the Institute of Information Security Professionals, QinetiQ Consulting and Dtex Systems.

