Digg Vulnerable to XSS

		Print
		Email weblog link
		Discuss
		Blog this

Nitesh Dhanjani
Nov. 23, 2005 09:26 PM
Permalink

While trying to use the ‘search’ feature on Digg, I realized that it is vulnerable to Cross Site Scripting (XSS). The search string is echoed back without proper output encoding. Example:

http://digg.com/search?search=%3Cscript%3Ealert%28%27vulnerable%20to%20xss%27%29%3B%3C%2Fscript%3E&submit=Submit

I haven’t checked to see if the comments or new story submission modules are affected – if they are, things could get pretty messy. I have contacted the Digg team about this, lets hope they fix it soon.

Update: They fixed it this morning.

Nitesh Dhanjani is a well known security researcher, author, and speaker.

Comment on this weblog
You must be logged in to the O'Reilly Network to post a comment.

Return to weblogs.oreilly.com.

Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express, and O'Reilly Media, Inc., disclaims any and all liabililty for that content, its accuracy, and opinions it may contain.

This work is licensed under a Creative Commons License.

	The Angle Bracket Tax or YAML/Developer Blinders?
	Bad XML
	What's the "Linux Tax" Worth to You?
	My Annual Plea for Microsoft to Open Source Windows 98SE
	A loose end: Votes versus GDP

Digg Vulnerable to XSS

Search ONLamp

On the Blogs

Sponsored Resources