ISC^2/CISSP websites vulnerable to XSS

June 14, 2007

http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0303.html

http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0379.html

http://infosecsellout.blogspot.com/2007/06/cissp-sillyness.html



ISC^2 continues its string of nominations to the Wall O' Irony with these latest gems. Both isc2.com and cissp.com had cross-site scripting vulnerabilities posted to F-D.





[Full-disclosure] CISSP

From: Bozo Bad (bozobad[at]gmail.com)
Date: Mon Jun 18 2007 - 12:37:25 CDT

http://www.cissp.com/store/search.asp?s=%3Cscript%3Ealert(%22Look,mamma, 
I'm
a CISSP!%22)%3C/script%3E  

[Full-disclosure] Todays Lesson - XSS
From: Concerned CISSP (certifiedcissp[at]hotmail.com)
Date: Thu Jun 14 2007 - 01:35:34 CDT

Today's lesson, boys and girls is on Cross Site Scripting....
 
"An XSS attack relies on a website displaying text with-out checking 
whether it contains special characters. The client browser interprets 
the special characters as script instructions, and executes the 
script..."
 
An example of an XSS attack:
https://www.isc2.org/cgi-bin/cissp_completerecord.cgi?name"><script>alert(document.cookie);</script>&print=cpe
 
Now that you've seen XSS... you can add one CPE to your CISSP record!
 
 
Skinny Mongoose - CISSP
 
shoutz to - $nip3r, P0p3, mkkna$ti..... 

main page ATTRITION feedback