Digg Vulnerable to XSS

While trying to use the ‘search’ feature on Digg, I realized that it is vulnerable to Cross Site Scripting (XSS). The search string is echoed back without proper output encoding. Example:

http://digg.com/search?search=%3Cscript%3Ealert%28%27vulnerable%20to%20xss%27%29%3B%3C%2Fscript%3E&submit=Submit

I haven’t checked to see if the comments or new story submission modules are affected – if they are, things could get pretty messy. I have contacted the Digg team about this; let’s hope they fix it soon.

Update: They fixed it this morning.
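As an added illustration (not code from this post or from Digg), the root cause described above, a search term echoed back without output encoding, modelled in Python: the post's URL is parsed the way a server would see it, then the term is rendered once verbatim and once through HTML entity encoding. The render functions and the check are hypothetical stand-ins for the real server-side code.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The search URL quoted in the post, joined onto one line (constructed from the page's example).
EXAMPLE_URL = (
    "http://digg.com/search?search=%3Cscript%3Ealert%28%27vulnerable%20to%20xss%27%29"
    "%3B%3C%2Fscript%3E&submit=Submit"
)


def search_term(url: str) -> str:
    """Return the percent-decoded 'search' query parameter, as the server receives it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("search", [""])[0]


def render_vulnerable(term: str) -> str:
    """Hypothetical model of the bug: the term is dropped into the markup verbatim."""
    return f"<h2>Results for: {term}</h2>"


def render_hardened(term: str) -> str:
    """Same page, but the term is HTML-entity encoded (including quotes) before it reaches the markup."""
    return f"<h2>Results for: {html.escape(term, quote=True)}</h2>"


def contains_active_markup(page: str) -> bool:
    """Crude regression check: does a raw <script tag survive in the response body?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = search_term(EXAMPLE_URL)
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(term)
        print(f"{name}: {page}")
        print("  raw <script> reaches the browser:", contains_active_markup(page))
```

The decoded term is exactly what the browser would execute in the vulnerable case; in the hardened case it is displayed as text, which is the fix the post's "they fixed it" update implies.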

This page contains a single entry from the blog posted on November 23, 2005 8:58 PM.