More Malware? - The Definition of Hacker Safe
(Page 3 of 4 )
According to an article in Information Week, at least “60 Web sites certified to be 'Hacker Safe' by McAfee's ScanAlert service have been vulnerable to cross-site scripting (XSS) attacks over the past year, including the ScanAlert Web site itself.” ScanAlert has since fixed its own problem, but other sites are still vulnerable. However, “Joseph Pierini, director of enterprise services for the ScanAlert 'Hacker Safe' program, maintains that XSS vulnerabilities can't be used to hack a server.”
The problem with Pierini's statement is that it measures the wrong thing. Whether the server itself can be broken into matters less than what an attacker can do to the site's users: XSS lets an attacker compromise those users while they do business on the site, and as long as a user is handing over sensitive information, a “Hacker Safe” server is of no consequence to that user.
Slowing down for a second: cross-site scripting is a vulnerability in which an attacker injects script into a page served by a web application, so that the victim's browser runs it as if it came from the site. Exploited properly, it lets the attacker get around access controls such as the same-origin policy, which is meant to ensure that a script can only read and modify content belonging to the origin it was loaded from. This is especially useful to an attacker in client-side scripts, because the client side is where a user's sensitive information is most likely to be exposed.
In the article, Oliver Friedrichs, director of Symantec Security Response, said that XSS vulnerabilities are dangerous, but they “are site-specific, and therefore their life cycle is limited; they become extinct once they're discovered and repaired by the Web site owners.” The question is, how long will this take? Will ScanAlert notify the site owners, or will they have to read about it in an article, or worse, hear it from an angry customer?
He also claims that “XSS vulnerabilities aren't material to a site's certification,” but ScanAlert's own web site says they are part of the certification process: sites are exercised in specific ways to disclose any application-level vulnerabilities such as code revelation, cross-site scripting and SQL injection. It also appears that the compromised web sites had the most general kind of XSS vulnerability, something ScanAlert should be able to find.
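To make the XSS explanation above and the scanner question concrete, here is an added example (not code from the article or from ScanAlert): a hypothetical search page that reflects the user's query, shown in its vulnerable form beside a hardened form that HTML-encodes the value, plus the kind of reflection check a certification scan should perform. The page, function names and probe string are all constructed for illustration.

```javascript
// Minimal HTML encoder for text placed in an element body or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: the untrusted query is concatenated straight into the page,
// so any HTML or script in it is interpreted by the user's browser.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: the same page, with the query encoded at the output point.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Scanner-style check: submit a harmless marker containing HTML
// metacharacters and see whether the response reflects it with the tags
// intact. A certification scan that omits this misses the most general XSS.
const PROBE = '"><i>xss-probe</i>'; // constructed, non-executing marker
function reflectsUnescaped(render) {
  const body = render(PROBE);
  return body.includes("<i>xss-probe</i>");
}

// Self-report when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable page reflects raw HTML:",
    reflectsUnescaped(renderSearchVulnerable)); // true
  console.log("hardened page reflects raw HTML:",
    reflectsUnescaped(renderSearchSafe)); // false
}
```

In a real scan the render function would be an HTTP request to the page, but the decision logic is the same: if the marker comes back with its markup intact, the site has a reflected XSS hole.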
Please keep reading to see why one company thinks ScanAlert's methods, and the methods of companies like them, aren't as effective as they could be.
More By Michael Lowry