Jan. 30, 2010

Posted by in General | No comments

Cross-Site Scripting Pop Quiz

You have ten seconds to spot the problem in the image below. Ready? Go!

Example of ESPN's "Report a Bug" page

I hope you spotted the problem right away, as it’s a classic example of a cross-site scripting hole. The page mentions that the report will reference a particular URI, and that address also appears as a parameter in the page’s URI. As you might guess, the parameter is not being filtered, allowing one to insert any HTML code.

I found it rather ironic that I came across this problem as I was looking for a means to contact ESPN about two other XSS holes. All three issues were reported to ESPN back in late November, then reported again via different means earlier this month. After receiving no response to either report, I decided to go ahead and release this hole publicly.

By the way, I realize some of my posts about XSS issues aren’t directly related to social networking sites and thus diverge from the usual fare on this blog. However, I think they can serve as important lessons for all developers, including those building social networking applications. This sort of vulnerability is exactly the type that leads to FAXX hacks in Facebook applications. And perhaps it will serve as some comfort to smaller developers that even large sites are susceptible to such problems. Anyway, I also think it’s important to record these finds for future reference, and this blog is about the only place I have to do so.


  1. uberVU - social comments - Social comments and analytics for this post... This post was mentioned on Twitter by theharmonyguy: New Post: Cross-Site Scripting Pop Quiz ...
  2. Most Tweeted Articles by Defcon Experts - [...] Slashdot Technology Story | UK Gov't Says "No Evidence" IE Is Less Secure ...
  3. Tweets that mention Cross-Site Scripting Pop Quiz | Social Hacking -- Topsy.com - [...] This post was mentioned on Twitter by Lenny Zeltser, Bill Gardner, securityninja, ghostnomad, ghostnomad and others. ghostnomad said: RT ...

Leave a Reply