Funny incident regarding XSS vulnerability

Written by DP and KF

Tuesday, 6 November 2007

Prevx has this slogan: "We detect the threats that others miss". They state on their blog that they received an unsolicited e-mail from us "raising the possibility that a querystring parameter could be exploited to launch a malicious script by the caller to the download page."

We never sent any e-mail! The only thing we did was validate the submitted cross-site scripting vulnerability affecting their website. The discoverer of the XSS is security0x00. All submitted XSS-vulnerable websites are saved automatically by a bot and then verified in our browsers.


According to their blog post, they were unable to replicate the XSS, yet they managed to "secure the validation of input" on that particular page so as to avoid the example method we quoted.

What a nonsense statement! It is like saying: "The XSS wasn't working, but we fixed it so that it stops working".
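To make the two claims above concrete (a query-string parameter reflected into a download page, and a fix that "secures the validation of input"), here is an added example that is not part of the original post and not Prevx's code. It assumes a hypothetical parameter named `file` and a constructed sample URL; it shows the unencoded reflection beside its HTML-entity-encoded form, plus the kind of check a validator would run on a submitted report to confirm that the fix actually took effect.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a download-page URL whose "file" query-string parameter
# is reflected into the page body. The parameter name is hypothetical and the
# host is a reserved test domain; neither comes from the post.
SAMPLE_URL = "https://example.invalid/download?file=<script>alert(1)</script>"


def reflected_param(url, name="file"):
    """Return the first value of query-string parameter `name`, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Pre-fix behaviour: the parameter is concatenated into HTML untouched,
    so any markup in the query string is parsed by the browser as markup."""
    return "<p>Downloading: " + reflected_param(url) + "</p>"


def render_fixed(url):
    """Hardened behaviour: the parameter is HTML-entity-encoded on output,
    so the same markup is displayed as literal text and never executed."""
    return "<p>Downloading: " + html.escape(reflected_param(url), quote=True) + "</p>"


def is_safely_encoded(rendered, value):
    """Verification step: if the attacker-controlled value contains HTML
    metacharacters, it must not appear verbatim in the rendered page.
    Returns True when the page is encoded correctly (or nothing needed encoding)."""
    if not any(c in value for c in "<>\"'&"):
        return True
    return value not in rendered


if __name__ == "__main__":
    value = reflected_param(SAMPLE_URL)
    for label, page in (("vulnerable", render_vulnerable(SAMPLE_URL)),
                        ("fixed", render_fixed(SAMPLE_URL))):
        print(f"{label}: {page}")
        print(f"  encoded safely: {is_safely_encoded(page, value)}")
```

The check is deliberately on the output, not the input: "validation of input" on one page only protects that page, whereas encoding at the point where the value is written into HTML is what makes the reflection harmless regardless of which query string arrives.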

