Aussie anti-terror site suffers glitch

Australia's online anti-terrorism campaign has suffered an embarrassing hiccup, with the new national security Web site vulnerable to low-level cross-site scripting security attacks.

Australia's online anti-terrorism campaign has suffered an embarrassing hiccup, with its new national security Web site being vulnerable to low-level cross-site scripting security attacks.

The Web site provides a single access point for national security information from the Australian government and was launched as a part of a comprehensive public information campaign.

It provides information to Australians about potential terrorist threats, travel advice and the latest news on national security issues, such as the current expansion of Australia's counter-terrorism capabilities.

However, the Web site carries its own vulnerabilities which, while not serious, are undesirable.

Users of the website can write HTML strings directly into the page’s search function. When the results page is returned, the HTML code entered into the search function will be displayed. Most sites prevent this occurence by blocking non-alphabet characters such as " The vulnerability makes it possible to embed images and documents from other sites in the page that is returned to the user.

In the most severe instances, cross-site scripting vulnerabilities make it possible for attackers to craft links to vulnerable sites that look legitimate.

These sites could offer both the legitimate content of the target site, and malicious content such as self-installing Trojan horse programs or misleading information.

It is not known if Australia's national security Web site is vulnerable to these extreme cases, but the mere fact that a cross-site scripting vulnerability exists will surely turn a few faces red at its Attorney General’s (AG) office, who maintain the site.

The AG's office was unavailable for comment at the time of writing.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All