Australian education websites are among those included on a list of sites vulnerable to cross-site scripting attacks.
The list of URLs, which first appeared on The Hacker News, shows 20 websites that fail to sanitise search terms entered into the search bar. Without that sanitisation, an attacker can craft a search link containing code that the site's server echoes back in its own page, so the visitor's browser loads content from outside the site. The hacker responsible for the list, who goes by the alias "InvectuS", demonstrates the flaw on each of the sites by providing, in his post, a link to each site's search page that displays a third-party hosted image containing the Pakistan flag and a warning to learn security or "die trying".
(Screenshots by Michael Lee/ZDNet Australia)
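As an added illustration, not taken from the article or from any of the listed sites' code: a minimal search handler that reflects the term unsanitised, beside the escaped version that fixes it, run against a constructed search URL (the hosts example.invalid and third-party.invalid are placeholders) with a hypothetical Content-Security-Policy as defence in depth.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a search URL whose "q" parameter carries an image tag
# pointing at a third-party host, the pattern the article describes.
SAMPLE_URL = ("https://example.invalid/search?q="
              "%3Cimg+src%3D%22https%3A%2F%2Fthird-party.invalid%2Fflag.png%22%3E")


def search_term_from_url(url: str) -> str:
    """Extract the 'q' query parameter exactly as a search handler would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_results_unsanitised(term: str) -> str:
    """The flaw: the raw term is reflected into the HTML, so any tag in it is live."""
    return f"<h1>Search results for: {term}</h1>"


def render_results_escaped(term: str) -> str:
    """The fix: HTML-escape the term; '<' becomes '&lt;', so it renders as text."""
    return f"<h1>Search results for: {html.escape(term, quote=True)}</h1>"


def reflects_markup(rendered: str, term: str) -> bool:
    """Defender-side check: does a term containing '<' appear verbatim in the page?"""
    return "<" in term and term in rendered


def security_headers() -> dict:
    """Hypothetical defence in depth: a CSP limiting images and scripts to the
    site's own origin, so a reflected tag cannot pull in a third-party image
    or script even if escaping is missed somewhere."""
    return {
        "Content-Security-Policy": "default-src 'self'; img-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    term = search_term_from_url(SAMPLE_URL)
    print("vulnerable:", render_results_unsanitised(term))
    print("fixed:     ", render_results_escaped(term))
```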
The list includes several US universities and government agencies, and even the US McDonald's site, but also contains the TAFE NSW and NSW Public Schools websites. At the time of writing, several sites had fixed the issue, but the Australian sites still remained vulnerable.
While the cross-site scripting vulnerability doesn't leave the sites permanently defaced, it could be used as a stepping stone to exploiting other security flaws that may exist on the site, or to conduct phishing attacks against users who trust content on the site.
In July, similar cross-site scripting flaws in Skype meant that users could be directed to any website from within the Skype client, and in April last year, flaws in Atlassian's software resulted in Apache Software Foundation's developers losing their passwords.