Symantec Website Vulnerable to XSS


Martin Hill

I saw a post by d3v1l of where he posts a discovery of a cross site scripting issue on the Symantec site.

I remembered that I had found a similar issue a while back and hadn't got round to disclosing it to them, so I therefore guess its fine to include in the month of full disclosure.

And with that I give you a new Symantec XSS bug.

Notes about the bug are as follows.

the issue is caused by Symantec not checking that html comments cannot be ended via user input. So all I had to do was to close the HMTL comment tag and then insert any code I saw fit. In this case a very simple JavaScript Alert box as is the norm with demonstrating XSS bugs and I also added a little Iframe.

main page ATTRITION feedback