hacker safe or hacker unsafe, that's the question

As you might know, Cross-Site Scripting (aka XSS) is a very evil thing and can be used for several attacks, like phishing, DDoS, trojan/spyware/malware distribution and <insert evil thingie here>.
Today I saw a link to http://www.costcentral.com that someone had posted on the thinkpad mailing list. Just for fun I clicked and looked at the item (a ThinkPad USB keyboard). Nothing evil so far, the link wasn't crafted and the item was okay, but then I discovered this nice "ScanAlert - Hacker Safe" logo (if you clicked the link and wonder why Firefox^WIceweasel does not show anything in the title: the guys forgot the <title> tag ;-)). You might ask now: "Hacker Safe"? WTF!? (or maybe *ROFL*? I was like o_O).
A sentence from their about-page describes the situation:
"Tens of thousands of organizations from small non-profits to FORTUNE 500 multinationals rely on ScanAlert to protect, audit and certify the security of their networks and ecommerce infrastructure."

They do security? I do too... So let's test ;-)
A click on "hacker safe sites" gave me a list of sites. Uh, did I just read NetGear there? Didn't I discover some XSS on their sites a month ago? True, but the link goes to NetGear's shop, which seems okay at first glance (I didn't look a second time, there was much more fun later).

So here we have six nice XSS links, two in newsletter forms, four in search forms. How can people still be so stupid?!

yankeecandle.com newsletter XSS
store.babycenter.com search XSS
guitarcenter.com newsletter XSS
fortunoff.com search XSS
bhphotovideo.com search XSS (this one was actually funny, they DID protect the data almost everywhere, but not inside one small piece of JavaScript -> sucks)
search.pacsun.com search XSS

So what do we have? Six sites with XSS, discovered (instead of doing some university stuff) in about half an hour. And those sites are supposed to be hacker safe? Says a company that has been doing this job since 2001? May I just give a loud laugh and go to bed with my girlfriend? Yeah, maybe I should, but instead I'm whining about the poor state of web security today. Is it InSecurity 2.0?
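The bhphotovideo case in the list is the classic shape of this bug: the shop escapes the search term for HTML everywhere, then drops the same escaped value into an inline script, where HTML escaping is the wrong tool. The following is an added example, not code from this post or from any of the shops named above; the page template, the function names, the fake DOM and the payload are all constructed for illustration. It renders a search results page three ways, runs the inline script with stubbed `alert()`/`track()` the way a browser would, and reports whether the injected code executed.

```javascript
// Added example (not from the original post or any site listed there):
// a reflected search term that is HTML-escaped everywhere, including inside
// an inline <script>. Names, template and payload are constructed.

// HTML-text escaper that leaves the single quote alone. PHP's
// htmlspecialchars() without ENT_QUOTES behaved like this, so the pattern
// was common in 2007-era shop code, not exotic.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Inverse of escapeHtml, used only by the fake DOM below.
function unescapeHtml(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");
}

// Encoder for a JavaScript string-literal context. JSON.stringify escapes
// quotes, backslashes and control characters; the extra replaces stop
// "</script>" and the U+2028/2029 line terminators from ending the script
// block or the statement early.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// VULNERABLE: one escaper for the paragraph and for the script. Fine in the
// paragraph; inside the single-quoted JS string a ' in the term closes the
// literal and the rest of the term runs as code.
function renderVulnerable(term) {
  const e = escapeHtml(term);
  return `<p>Results for: ${e}</p>\n` +
    `<script>var lastSearch = '${e}'; track(lastSearch);</script>`;
}

// FIX (a): encode for the context the value actually lands in.
function renderFixedJsEncoded(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>\n` +
    `<script>var lastSearch = ${jsStringLiteral(term)}; track(lastSearch);</script>`;
}

// FIX (b): keep user data out of script text. The value sits in a
// double-quoted attribute (escapeHtml covers that context) and a script that
// contains no user input reads it from the DOM.
function renderFixedDataAttr(term) {
  const e = escapeHtml(term);
  return `<p id="results" data-term="${e}">Results for: ${e}</p>\n` +
    `<script>track(document.getElementById('results').dataset.term);</script>`;
}

function scriptBody(html) {
  const m = html.match(/<script>([\s\S]*?)<\/script>/);
  return m ? m[1] : "";
}

// Run the page's inline script roughly as a browser would, with alert(),
// track() and a one-element fake document stubbed. Returns what each stub
// received, so "did the attacker's code run?" is a plain return value.
function runInlineScript(html) {
  const calls = { alert: [], track: [] };
  const attr = html.match(/data-term="([^"]*)"/);
  const fakeDocument = {
    getElementById: () => ({
      dataset: { term: attr ? unescapeHtml(attr[1]) : undefined },
    }),
  };
  new Function("alert", "track", "document", scriptBody(html))(
    (x) => calls.alert.push(x),
    (x) => calls.track.push(x),
    fakeDocument
  );
  return calls;
}

// Constructed payload: close the string, run code, comment out the rest.
const PAYLOAD = "';alert('xss');//";

// Which renderers let PAYLOAD execute?
function compare(term = PAYLOAD) {
  return {
    vulnerable: runInlineScript(renderVulnerable(term)).alert.length > 0,
    fixedJsEncoded: runInlineScript(renderFixedJsEncoded(term)).alert.length > 0,
    fixedDataAttr: runInlineScript(renderFixedDataAttr(term)).alert.length > 0,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(compare()); // { vulnerable: true, fixedJsEncoded: false, fixedDataAttr: false }
}
```

Note that the vulnerable renderer also corrupts benign input (a term containing `&` reaches `track()` as `&amp;`), which is often how such a bug is first noticed; the two fixes round-trip the original term unchanged. Fix (b) is the one to prefer when you can change the markup, because it removes the string-in-script context altogether instead of encoding for it.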

Guys, please read THIS article about web security at heise.de (sorry, it's in German) or just change jobs!


SIYB wrote on 2007-02-01 19:22:

I hope the companies did not pay for that kind of service; that would have been a waste of money :>

Zhenech wrote on 2007-02-01 19:27:

Actually, they DID! I can't find any pricing info on ScanAlert's page, but you can guess it while browsing the customers' comments:

"HACKER SAFE is a very good investment." or "HACKER SAFE paid for itself in a month."

SIYB wrote on 2007-02-01 19:31:

well they must have a bunch of proper retards in their IT division :>

Send your comments to evgeni+blogcomments@golov.de and I will publish them here (if you want).