XSS vulnerabilities occur when a web application uses input from a user within the output it generates without validating or encoding it.<\/p>\n
An XSS attack is a type of injection, and may be used to send a malicious script to a user whose browser has no way to determine that the script should not be trusted.<\/p>\n
In this way, attackers can access cookies, session tokens, or other sensitive information retained by the browser and used with that site.<\/p>\n
Prominent SA websites exposed<\/h3>\n![\"E-commerce](\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/07\/E-commerce-SA.png\")
<\/a>E-commerce SA<\/p><\/div>\n
Among the websites listed on XSSposed are South African e-commerce players Takealot, Makro, Game, OLX, Spree, Zando, and Raru.<\/p>\n
Some of the vulnerabilities reported are already listed as fixed, while others are still in the \u201chold\u201d phase, allowing sites to patch issues before they are\u00a0disclosed.<\/p>\n
Takealot.com<\/strong>\u00a0had a vulnerability in its search system reported on 14 July 2015 which was patched on 4 August. A new vulnerability was reported on 27 July, which is still \u201con hold\u201d.<\/p>\nTakealot was asked for feedback about the security flaws, but the company did not respond by the time of publication.<\/p>\n
Raru\u00a0<\/strong>had a vulnerability reported on 22 July which was\u00a0patched on 24 July, and has already been publicly disclosed.\u00a0Raru director Neil Smith said they patched the issue on the day they were alerted to it.<\/p>\n\u201cFrom a technical side, the vulnerability wasn\u2019t in the original site code, but introduced via changes we deployed later on,\u201d said Smith. He said\u00a0it\u00a0shows how important it is to test new code for security holes before deployment.<\/p>\n
Smith said their experience with XSSposed has been positive.<\/p>\n
\u201cIt helps alert website owners to potential problems on their sites. We also appreciate having enough time to close the vulnerabilities before the info goes public.\u201d<\/p>\n
Zando<\/strong> said it fixed the vulnerability on its site within a day.<\/p>\nMakro<\/strong> digital executive Paul van de Waal said they recently updated their online store, which included\u00a0security enhancements, which may have resolved the vulnerabilities reported on XSSposed.<\/p>\nThe vulnerabilities on Makro\u2019s site were reported on 23 July, when Van de Waal said the previous version of their site was still online.<\/p>\n
\u201cUnfortunately, we have not had a chance to contact the researcher who submitted the requests so we cannot validate what issues were detected.”<\/p>\n
He added that the work Makro\u00a0does with its\u00a0third-party security consultants makes it\u00a0confident that there are no major\u00a0security flaws on its\u00a0site.<\/p>\n
News websites, Autotrader, and Cars.co.za<\/h3>\n![\"AutoTrader\"](\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2015\/07\/AutoTrader.jpg\")
<\/a>AutoTrader<\/p><\/div>\n
Other websites with reported vulnerabilities included those for Son, BusinessDay Live, Sunday World, Timeslive, The Daily Sun, and Eyewitness News.<\/p>\n
As with the e-commerce sites, many of the bugs have been patched already, while others are still on hold.<\/p>\n
Autotrader and Cars.co.za were also reported to have security flaws.\u00a0Asked for comment, Cars.co.za<\/strong> said it\u00a0has\u00a0implemented checks for XSS vulnerabilities.\u00a0AutoTrader<\/strong>\u00a0did not give comment by the time of publication.<\/p>\nStandard Bank<\/h3>\n![\"Standard](\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2013\/07\/Standard-bank.jpg\")
<\/a>Standard bank<\/p><\/div>\n
Of some concern is the XSS vulnerability reported on the website for Standard Bank, which is still listed as unpatched.<\/p>\n
The bank said it is aware of the issue and is deploying measures to mitigate any\u00a0risk.<\/p>\n
\u201cWe would like to emphasize that this is limited to the Standard Bank home<\/a><\/strong> page, which is essentially Standard Bank’s marketing interface,\u201d a spokesperson said.<\/p>\n\u201cStandard Bank\u2019s Internet Banking portal is not impacted by this in any way. As such the integrity of our client information remains intact.”<\/p>\n
Eskom<\/h3>\n![\"Eskom](\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/12\/Eskom-broken-2.png\")
<\/a>Eskom<\/p><\/div>\n
Eskom\u2019s website was listed as vulnerable to XSS attacks on 14 September 2014, and according to reports it is still vulnerable.<\/p>\n
The utility was asked about the listed security problems with its website, but has not responded to requests for comment.<\/p>\n
Update:<\/strong> Takealot has provided the following statement from its\u00a0Co-CEO and CTO\u00a0Willlem Van Biljon.<\/p>\nAt Takealot we take the security of our website extremely seriously.\u00a0We have ongoing technology\u00a0processes in place to monitor and repair any security vulnerabilities identified by our team or the wider technology community.<\/p>\n
The security flaws reported on the website XSSposed\u00a0on the 14th and 27th of July have been fixed by our technology team and we continue\u00a0to take steps to improve the security of our website.<\/p>\n
We are very grateful to the developer community who help us to identify any security flaws and remain committed to provide a safe environment where our customers can enjoying shopping with us.<\/p><\/blockquote>\n
More information security news<\/h3>\n
Cognition Holdings responds to security concerns<\/strong><\/a><\/p>\nHere\u2019s how easy it is for criminals to break into your car<\/strong><\/a><\/p>\nSuper cellphone spying machine in SA used to rig government tenders<\/strong><\/a><\/p>\n175,000 cheating South Africans may be exposed in Ashley Madison hack<\/strong><\/a><\/p>\n
<\/a>E-commerce SA<\/p><\/div>\n
Among the websites listed on XSSposed are South African e-commerce players Takealot, Makro, Game, OLX, Spree, Zando, and Raru.<\/p>\n
Some of the vulnerabilities reported are already listed as fixed, while others are still in the \u201chold\u201d phase, allowing sites to patch issues before they are\u00a0disclosed.<\/p>\n
Takealot.com<\/strong>\u00a0had a vulnerability in its search system reported on 14 July 2015 which was patched on 4 August. A new vulnerability was reported on 27 July, which is still \u201con hold\u201d.<\/p>\n Takealot was asked for feedback about the security flaws, but the company did not respond by the time of publication.<\/p>\n Raru\u00a0<\/strong>had a vulnerability reported on 22 July which was\u00a0patched on 24 July, and has already been publicly disclosed.\u00a0Raru director Neil Smith said they patched the issue on the day they were alerted to it.<\/p>\n \u201cFrom a technical side, the vulnerability wasn\u2019t in the original site code, but introduced via changes we deployed later on,\u201d said Smith. He said\u00a0it\u00a0shows how important it is to test new code for security holes before deployment.<\/p>\n Smith said their experience with XSSposed has been positive.<\/p>\n \u201cIt helps alert website owners to potential problems on their sites. We also appreciate having enough time to close the vulnerabilities before the info goes public.\u201d<\/p>\n Zando<\/strong> said it fixed the vulnerability on its site within a day.<\/p>\n Makro<\/strong> digital executive Paul van de Waal said they recently updated their online store, which included\u00a0security enhancements, which may have resolved the vulnerabilities reported on XSSposed.<\/p>\n The vulnerabilities on Makro\u2019s site were reported on 23 July, when Van de Waal said the previous version of their site was still online.<\/p>\n \u201cUnfortunately, we have not had a chance to contact the researcher who submitted the requests so we cannot validate what issues were detected.”<\/p>\n He added that the work Makro\u00a0does with its\u00a0third-party security consultants makes it\u00a0confident that there are no major\u00a0security flaws on its\u00a0site.<\/p>\n AutoTrader<\/p><\/div>\n Other websites with reported vulnerabilities included those for Son, BusinessDay Live, Sunday World, Timeslive, The Daily Sun, and Eyewitness News.<\/p>\n As with the e-commerce sites, many of the bugs have been patched already, while others are still on hold.<\/p>\n Autotrader and Cars.co.za were also reported to have security flaws.\u00a0Asked for comment, Cars.co.za<\/strong> said it\u00a0has\u00a0implemented checks for XSS vulnerabilities.\u00a0AutoTrader<\/strong>\u00a0did not give comment by the time of publication.<\/p>\n Standard bank<\/p><\/div>\n Of some concern is the XSS vulnerability reported on the website for Standard Bank, which is still listed as unpatched.<\/p>\n The bank said it is aware of the issue and is deploying measures to mitigate any\u00a0risk.<\/p>\n \u201cWe would like to emphasize that this is limited to the Standard Bank home<\/a><\/strong> page, which is essentially Standard Bank’s marketing interface,\u201d a spokesperson said.<\/p>\n \u201cStandard Bank\u2019s Internet Banking portal is not impacted by this in any way. As such the integrity of our client information remains intact.”<\/p>\n Eskom<\/p><\/div>\n Eskom\u2019s website was listed as vulnerable to XSS attacks on 14 September 2014, and according to reports it is still vulnerable.<\/p>\n The utility was asked about the listed security problems with its website, but has not responded to requests for comment.<\/p>\n Update:<\/strong> Takealot has provided the following statement from its\u00a0Co-CEO and CTO\u00a0Willlem Van Biljon.<\/p>\n At Takealot we take the security of our website extremely seriously.\u00a0We have ongoing technology\u00a0processes in place to monitor and repair any security vulnerabilities identified by our team or the wider technology community.<\/p>\n The security flaws reported on the website XSSposed\u00a0on the 14th and 27th of July have been fixed by our technology team and we continue\u00a0to take steps to improve the security of our website.<\/p>\n We are very grateful to the developer community who help us to identify any security flaws and remain committed to provide a safe environment where our customers can enjoying shopping with us.<\/p><\/blockquote>\n Cognition Holdings responds to security concerns<\/strong><\/a><\/p>\n Here\u2019s how easy it is for criminals to break into your car<\/strong><\/a><\/p>\n Super cellphone spying machine in SA used to rig government tenders<\/strong><\/a><\/p>\n 175,000 cheating South Africans may be exposed in Ashley Madison hack<\/strong><\/a><\/p>\nNews websites, Autotrader, and Cars.co.za<\/h3>\n
<\/a>Standard Bank<\/h3>\n
<\/a>Eskom<\/h3>\n
<\/a>More information security news<\/h3>\n