List of web sites vulnerable to XSS

Some time ago there was proof that Google had indexed an XSS link pointing to the FBI's web site (screendump).

Just as expected, the threat from cross-site scripting is growing: ha.ckers.org writes about a German site that publishes a top list of web sites vulnerable to XSS attacks.

As I understand it, the list is quite useful for "black-hat" optimizers, who can use the vulnerabilities to inject their own code through the URLs and in this way insert their own links and keywords into the affected pages. In other words, to spam the SERPs. Next to each site in the list there is a PageRank value, so they can easily pick the targets that might be most rewarding.

The list mostly features German addresses, but a Danish web shop is also included. No Swedish addresses so far. That the well-known security company Verisign is at the top of the list is rather alarming. I have not been able to try out the XSS vector for that site, since you have to contact the owners of the list site to get access to it.

But many of the security holes do work, and the developers of the list site provide proof-of-concept examples that pop up messages advertising their services: they offer advice on how to fix the issues.

Since an XSS payload is ordinary JavaScript, it is very hard to tell malicious code from legitimate code. Every script can also be written in a great number of variations, for example by encoding characters in hexadecimal, so filters that look for known patterns are easy to get around.

As long as the search engines continue to index these hijacked URLs, the problem will continue. Not many site owners are aware of this new type of attack. If you have a vulnerability of this sort, the risk of being shut out of the search engines' results is considerable: a bad guy can start using it to distribute their own content, which appears to come from your domain.

Comments

Hey Jesper, very nice article. The most important thing I wanted to show with my XSS list (http://mybeNi.rootzilla.de/mybeNi/xss/) is that really every (dynamic) homepage out there has XSS flaws, and that these can be used for identity theft, data harvesting, phishing, cross-site scripting worms and large-scale server attacks (XSS in combination with SQL injection). There are no limits. -beNi
Testing my comment system..
Thank you for the comment and for pointing out the purpose of the list. I think your web site is really interesting, and it is great for learning how to protect against XSS. Real-life examples.. I noticed that you are now writing a few posts in your blog in English. That's great; I will continue to follow the progress of your findings. It would be really interesting to find out whether you have been contacted by any of the companies on your list, and what their responses have been.
