
SPI to Show XSS Attack

ATLANTA -- S.P.I. Dynamics, Inc. (http://www.spidynamics.com), the expert in Web application security, today announced that the company's renowned R&D team, SPI Labs, has discovered a technique to scan a network, fingerprint all the Web-enabled devices found, and send attacks or commands to those devices.

This technique can scan networks protected behind firewalls, such as
corporate networks. All the code to do this is written in JavaScript and
uses parts of the JavaScript standard that are almost ten years old. Accordingly, the
code can execute in nearly any Web browser on nearly any platform when a
user opens a Web page that contains the JavaScript. Since the technique does not
exploit any browser bug or vulnerability, there is no patch or defense
for the end user other than turning off JavaScript support in the browser.

The code can be part of a Cross-Site Scripting (XSS) attack payload,
thereby increasing the potential damage caused by XSS. XSS
vulnerabilities are extremely common, and large companies such as MySpace.com
and Yahoo.com have had high-profile XSS attacks that affected millions of
users in the past year.

"Web application vulnerabilities, particularly cross-site scripting,
are most frequently viewed by security professionals as a nuisance.
However, SPI Labs has been closely tracking the escalating damage that
these vulnerabilities can cause as they become mainstream," said Billy
Hoffman, Lead Research Engineer, SPI Labs. "This potentially devastating
JavaScript attack, along with the growing exploitation of Cross-Site
Scripting, demonstrates that these vulnerabilities should no longer be last
in line to be addressed. There is no such thing as a harmless XSS
vulnerability."

S.P.I. Dynamics Inc.