Diego Betto | web, development & blog

What is a XSS attack?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

source Wikipedia

If you use Thunderbird and plugins like Enigmail you have the option to import all PGP keys related to email addresses that are present in your address book.

First of all you need is to specify a key server, like pgp.mit.edu, then the plugin, for every single email address, will look for corresponding PGP key and will prompt you if you want to import results.

But, some times, the key is not what you’ll expect.

Some entries contains invalid data, and to be more specific, can contain malicious code.

If you request these entries in the lookup form, the output html can contain this code and execute javascript functions, redirects, XSS attacks, ecc.

In conclusion

Keep your eyes open, and avoid mass import of PGP keys.

2017-08-01: reported to bug-pks@mit.edu

Diego Betto in Security | 1 agosto 2017

XSS scripting and pgp.mit.edu

What is a XSS attack?

In conclusion

JS/CSS Moon Phases snippet

Yii2 AssetBundle versioning

Software nello sviluppo web (e dintorni)