While we were drafting a weblog post on XSS and Social Networking sites, our man Miguel pointed us to Netscape.com.



Netscape.com has been hacked via a persistent Cross Site Scripting (XSS) vulnerability in their newly launched Digg-like news service. Attackers (who are obviously fans of Digg) have used the XSS vulnerability to inject their own javascript code snippets into pages on the website, including the homepage. As of now, it has only been used to display javascript alerts with "comical" messages and to redirect visitors to Digg.com!

Check out additional screenshots here and here.

Fortunately no one has tried to inject malcious code... yet.

We'll finish our draft with more on the potential dangers of XSS for you soon.