Over the holiday weekend YouTube users fell victim to a series of coordinated attacks by a team of black hat users. Their antics ranged from redirecting unsuspecting YouTubers onto malware sites to plaguing them with pop-up ads for adult Websites. The group used a little-known weakness in YouTube’s comment field to place poisoned HTML tags that caused the pop-ups to appear uncontrollably, eventually forcing Google (YouTube’s owner) to step in and shut down the comment features and other aspects of the site.
Allegedly, the attack was coordinated by an online team of pranksters known as the 4chan (pronounced Fortune). The group used a flaw in YouTube’s comment box that normally restricts the amount of HTML allowed, by simply adding additional script tags. Usually when these tags are used, YouTube denies the entry of script tags but 4chan members discovered that by adding, repeat secondary script tags that only the first ones were stripped out leaving the secondary tags intact and thus allowing the hackers to do their worst to viewers of YouTube’s most popular videos.
Over the past year, SearchSoftwareQuality has featured a number of tips designed to help enterprises test and prevent defects related to cross-site scripting (XSS) vulnerabilities. These tips describe professional ways to shut down and secure potential XSS problems from Internet hackers. Using these tips will help secure your enterprise applications from similar attacks and prevent online mischief as XSS vulnerabilities truly are realistic problems.
XSS testing and prevention tips
Cross-site scripting (XSS) explanation
Cross-site scripting issues are a type of validation weaknesses in a Web form. Though XSS issues can be fairly easy to fix, avoiding them all together is key.
Beating software’s cross-site scripting, authentication problems
Web security expert explains where security efforts are best placed. By checking for cross-site scripting and authentication mechanism weaknesses you can eliminate problems in your application.
Finding cross-site scripting (XSS) application flaws checklist
Cross-site scripting (XSS) is a major concern, it can be unpredictable and requires multiple tools to test for it. An expert sheds light on the history of XSS issues and recommends tools to prevent XSS application issues.