{"id":61,"date":"2008-01-18T14:26:39","date_gmt":"2008-01-18T22:26:39","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/01\/18\/define-safe\/"},"modified":"2008-01-18T14:29:26","modified_gmt":"2008-01-18T22:29:26","slug":"define-safe","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/01\/18\/define-safe\/","title":{"rendered":"Define &#8220;Safe&#8221;&#8230;"},"content":{"rendered":"<p>An article in <a href=\"http:\/\/www.informationweek.com\/news\/showArticle.jhtml?articleID=205900444\" title=\"InfoWeek article\">InformationWeek<\/a> yesterday exposes the details of what <a href=\"http:\/\/www.scanalert.com\/\">McAfee&#8217;s ScanAlert<\/a> product actually means by &#8220;Hacker Safe&#8221;. The ScanAlert product issues certifications that websites are safe from attack. However, XSSed.com, a website dedicated to exposing Cross-Site Scripting attacks, gave InformationWeek a listing of 60+ Hacker Safe websites with open XSS vulnerabilities. In response to the accusations, ScanAlert representatives assert that ScanAlert certification does not consider XSS vulnerabilities dangerous. Their reasoning is that XSS attacks are entirely &#8216;client side&#8217;, meaning they do not give the attacker access to the server, its data, or customer information.<\/p>\n<p><!--more--><\/p>\n<p>The central issue is not whether XSS is a &#8220;real&#8221; threat, but rather what level of security is considered &#8220;safe&#8221;. Products like ScanAlert leverage the credibility of trusted names like McAfee and Symantec to give consumers a (false) sense of security when conducting business online. The fact that nothing is truly secure is one of the primary lessons of basic computer security. Organizations should not rely on automated tests to feel secure about their sites. 
Consumers shouldn&#8217;t trust a site simply because it has a HackerSafe logo stamped on the front.<\/p>\n<p>For a product to write off an entire genre of attacks as harmless and &#8220;client side only&#8221; is a naive assumption. There is more to attacks than just data exposure. XSS attacks can damage a site&#8217;s integrity, bypass form validation leading to unpredictable data submission, steal cookies and other private information from other users and sites, and enable a plethora of other evil-genius attacks that I can&#8217;t even imagine.<\/p>\n<p>Interesting links:<\/p>\n<p><a href=\"http:\/\/www.xssed.com\/\">XSSed.com<\/a><\/p>\n<p><a href=\"http:\/\/holisticinfosec.blogspot.com\/2008\/01\/hacker-safe-not-so-much.html\">Details of an XSS attack<\/a> by local white-hat Russ McRee<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An article in InformationWeek yesterday exposes the details of what McAfee&#8217;s ScanAlert product actually means by &#8220;Hacker Safe&#8221;. The ScanAlert product issues certifications that websites are safe from attack. 
However XSSed.com, a website dedicated to exposing Cross-Site Scripting attacks, gave &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/01\/18\/define-safe\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":47,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,7],"tags":[],"class_list":["post-61","post","type-post","status-publish","format-standard","hentry","category-current-events","category-ethics"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/61","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/47"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=61"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/61\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=61"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=61"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}