Web security analyst David Sopas from Portugal has identified DOM-based cross-site scripting (XSS) vulnerabilities on the websites of three world-renowned security solutions providers: Kaspersky Lab, Panda Security and AVG Technologies.
Security firms often warn about the importance of properly secured websites. However, these days, websites are so complex that it’s hard not to miss a few vulnerabilities.
Luckily, researchers such as David Sopas can help companies address website flaws before they’re abused by malicious actors.
On Kaspersky’s site, the vulnerability was caused by bad validation of “location.hash” in jQuery code. When the “tab” parameter of a URL was loaded, an attacker could have executed his own malicious code.
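The fix for this class of flaw is to treat the URL fragment as untrusted input and only ever map it onto a fixed set of known values. The sketch below is an added example, not code from the affected site or from the researcher. The tab names, the "tab-" element id prefix and the function names are assumptions made for illustration.

```javascript
// Added example: tab names and element ids are hypothetical, not the affected site's.
const ALLOWED_TABS = new Set(["overview", "features", "requirements"]);
const DEFAULT_TAB = "overview";

// Risky shape, shown only for contrast (an assumed pattern, never executed here):
//   $(location.hash).show();          // fragment handed to jQuery unchecked
//   $("#tabs").html(valueFromHash);   // URL-controlled text written as HTML

// Read the "tab" value from a fragment such as "#tab=features" or "#features"
// and return it only if it is on the allow-list; anything else gets the default.
function tabFromHash(hash) {
  const raw = String(hash || "").replace(/^#/, "");
  let value = raw;
  if (raw.includes("=")) {
    // URLSearchParams decodes the value; the result is still only compared, never rendered.
    value = new URLSearchParams(raw).get("tab") || "";
  }
  return ALLOWED_TABS.has(value) ? value : DEFAULT_TAB;
}

// Show the selected panel and hide the rest. Panels are looked up by ids built
// from allow-listed constants, so no selector or HTML string contains URL data.
function activateTab(doc, hash) {
  const active = tabFromHash(hash);
  for (const name of ALLOWED_TABS) {
    const panel = doc.getElementById("tab-" + name);
    if (panel) panel.hidden = name !== active;
  }
  return active;
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  const run = () => activateTab(document, window.location.hash);
  window.addEventListener("hashchange", run);
  run();
}
```

Because the fragment is only compared against constants, unexpected values fall back to the default tab instead of reaching a jQuery selector or an HTML sink.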