Archive: 2008-05

Hi, Ryan Giobbi from the Vulnerability Analysis team making this post. The CERT/CC has been tracking cross-site scripting vulnerabilities for a long time, and the actual vulnerabilities haven't changed much over the years. However, some technology that was developed to make life easier can actually be exploited to expand the impact of a cross-site scripting attack. Single sign-on is an access-control technology that enables a user to login once and gain access to multiple systems. Some websites use single sign-on to allow access to multiple applications. While this type of authentication is convenient, it has the side effect of introducing an opportunity for an attacker to gain access to multiple systems by targeting a single vulnerable application.