back to article MoD website outflanked by XSS flaws

Hackers have discovered cross-site scripting (XSS) vulnerabilities on the UK's Ministry of Defence website. The security shortcomings create a means for miscreants or pranksters to present content from a website under their control in a pop-up window that appears to come from the MoD. This class of flaw is very serious on …


This topic is closed for new posts.
  1. Anonymous Coward

    so what?

    As long as the website only hosts publicly available information anyway, I'd probably rather my taxpayers money was spent on real MOD stuff than messing around with my website on an almost constant basis to keep the script kiddies at bay.

  2. northern monkey

    Good to see they've done absolutely nothing.. fix them so far. Not even a takedown.

  3. nick perry


    Darling: What the general means, Blackadder, is: There's a leak.

    Melchett: Now `leak' is a positively disgusting word.

    Darling: The Germans seem to be able to anticipate our every move. We send up

    an aeroplane, there's a Jerry squadron parked behind the nearest

    cloud; we move troops to (??), the Germans have bought the

    whole town's supply of lavatory paper. In short: A German spy is

    giving away every one of our battle plans.

    Melchett: You look surprised, Blackadder.

    Edmund: I certainly am, sir. I didn't realise we had any battle plans.

    Melchett: Well, of course we have! How else do you think the battles are


    Edmund: Our battles are directed, sir?

    Melchett: Well, of course they are, Blackadder -- directed according to the

    Grand Plan.

    Edmund: Would that be the plan to continue with total slaughter until every-

    one's dead except Field Marshal Haig, Lady Haig and their tortoise,


    Melchett: Great Scott! (stands) Even you know it! Guard! Guard! Bolt all the

    doors; hammer large pieces of crooked wood against all the windows!

    This security leak is far worse than we'd imagined!

  4. Anonymous Coward

    re: so what?

    Cost to fix - few thousand for competent web developer - should be a few thousand pounds (though with MoD centralised IT support track record probably a few million)

    cost to do real MOD stuff - billions

    cost for someone to make it appear MoD supports whatever cause we'd rather they didn't - as the advert says priceless

  5. Chris Miller

    Nothing to see here ...

    It's rare to come across a web site (more complex than a single,static page) that *doesn't* contain XSS vulnerabilities. As the article says, for a bank this can be a major security issue since a pop-up could be used to capture identification details (and, as a result, the banks now do a pretty good job of maintaining XSS-free sites) - for a site that requires you to register in order to download marketing bumf, not so much.

    Since 'Secret' info should not be held on systems that have Internet connectivity, I'm with the 10:57 post above - a slight embarrassment for the MoD, but not a top priority to fix.

  6. Pete 8



    Just kidding :-)

    Carry on fighting for whatever it was you were fighting for which has gone.

  7. Chris Miller
    Thumb Down

    @AC 11:33

    Cost to fix an individual instance - trivial. Cost to fix an entire web site with thousands of badly written, badly structured, badly documented pages (that'll be most of them, then!) - considerably more.

  8. Anonymous Coward


    ##Cost to fix - few thousand for competent web developer - should be a few thousand pounds (though with MoD centralised IT support track record probably a few million)##

    A few K to fix XSS? WOW

    Shit like that is easy to fix. Just gotta have content filtering.

  9. Chris Miller


    Content filtering will work - just enable urlscan if you're running IIS (I bet the MoD is). This can be an effective solution if you're expecting a few thousand hits a day, but if you're getting thousands of hits a minute a little more thought may be needed ...

  10. Elmer Phud
    Big Brother

    MoD response?

    Rather than saying 'Oops, we screwed up. thanks guys.' The MoD is more likley to bleat on about hackers and criminals etc.

  11. Stevie


    "Click here to receive FREE tomerhork cruze missile".

  12. not.known@this.address

    101 things to do as an Evil Overlord

    No. 348756839465906: Must remember not to post "Top Secret Plans For World Domination" as a popup...

  13. I didn't do IT.

    I went to the MoD site and all I got was...

    What I found on the contractor's swap (popup) page:

    Stephen Kring's Tommyhawkers cruise missile - Clean PVC shell, Original Estes motor(s)! Nightmares extra.

    Chefton MBT - Slightly munched on right side, still little over 142.5 stone. Must pickup in Man.

    Beagle Coms system - OEM, real thing; Troops don't want'em! Paypal only.

  14. OrderZero
    Thumb Down

    Are you serious...

    I figured someone posting about this would know more about these kind of flaws..this is harmless. What you're thinking of are things like forums, blogs, etc. where the xss code is stored and echo'd everytime someone views the page. In this case you might aswell go into your browser and type javascript:alert('hack'); because this is temporary it's only echo'd to the user who types in the arbitrary code no one else.

    Please next time before instilling fear into people do research on what you're showing them.

This topic is closed for new posts.

Other stories you might like