Last week there was an attack on YouTube and I know that it was due to some HTML vulnerabilities on the site. But, I didn't get the chance to go through the complete details. Here is an insight into the actual attack.
The attack is a very simple one. It is just an exploitation of XSS vulnerability on the site - Improper HTML / JavaScript sanitation. Users can add comments to any video on YouTube and someone had added <script> followed by some JavaScript code. Though the YouTube staffs are cleaning up the <script> tag, the code following the <script> tag had been missed out. So, whenever user adds a comment with some JavaScript code embedded inside a <script> tag, only the tag will be removed and not the actual code. Also, only the first <script> tag was cleaned up. Soon after this news broke out, bad guys on the web added crazy comments to some of the popular videos. Google had acted immediately to fix this and removed all the comments with JavaScript code. It is a simple attack but could do a lot of damage. Be careful when you are developing your web applications.
How can I secure my site?
To secure your site, you must learn about the different web application exploits and try them out on a virtual environment. Here are two awesome projects to help you learn about web security defenses - 1. Web goat project. 2. Google labs Gruyere
-- Varun
No comments:
Post a Comment