A new type of cross-site scripting (XSS) attack that exploits commonly used
network administration tools could be putting users' data at risk, a researcher
Tyler Reguly, lead security research engineer at nCircle, today published a
white paper outlining a new category of attack called "meta-information XSS" (miXSS),
which works differently than other forms of the popular attack method -- and
could be difficult to detect.
"Think about those network administration utilities that so many webmasters
and SMB administrators rely on -- tools that perform a whois lookup, resolve DNS
records, or simply query the headers of a Web server," the white paper states. "They're
taking the meta-information provided by various services and displaying it
within the rendered Website.
"These Web-based services introduce a class of XSS that can't be captured by
the current categories."