Cross-site scripting flaws can’t be swept under the carpet

The issue of cross-site scripting flaws needs to be tackled by the Internet and IT security industry before it gets out of hand.

So says Rob Rachwald, director of product marketing at application vulnerability specialist Fortify. “A report out this week from security watchdog XSSed has identified no less than 30 cross-site scripting flaws across the sites of McAfee, Symantec and Verisign,” he says. “The flaws are notable, as they can be used to engineer frauds and malware infections on site visitors’ PCs,” he adds. He also makes the point that, since these flaws have been discovered on IT security vendors’ sites, there’s a very strong chance that similar flaws exist on many other companies’ portals. Rachwald believes the security industry has been playing down cross-site scripting flaws, and that XSSed’s report indicates the true scale of the problem. “Failure to address this problem in a timely manner could see a recurrence of major site hacks using XSS flaws seen on the likes of MySpace and PayPal,” he insists.