Digg Vulnerable to XSS
Digg, I realized that it is vulnerable to Cross Site Scripting (XSS). The search string is echoed back without proper output encoding. Example:
I havent checked to see if the comments or new story submission modules are affected if they are, things could get pretty messy. I have contacted the Digg team about this, lets hope they fix it soon.
Update: They fixed it this morning.
Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.
Comments on this weblog
Return to weblogs.oreilly.com.