Sandro Gauci, founder of EnableSecurity, has revealed that six years on from his 2002 report into extended HTML form attacks, the problem has simply refused to go away.

The original report included details of how attackers could abuse non-HTTP protocols in order to launch Cross Site Scripting attacks, even in a situation where the target web application was not itself vulnerable to XSS. This applied to most web browsers at the time. Now, he says, not much has changed.

"Six years later I’m releasing an update to this research in this paper. This security vulnerability still affects popular web browsers nowadays."

Gauci lists the following browsers as all being tested and vulnerable:

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8 (beta 1)
Opera 9.27
Opera 9.50
Safari 1.32
Safari 3.1.1

Of course, it is not that the vulnerability has just been ignored, but rather that these browsers have not managed to make it go away completely. The problem seems to lie with how they block ports: attackers get around browser blacklists by using ports which are not on them.

Gauci concedes that a decent job has been done as far as the web forms which get exchanged with HTTP servers are concerned, but not when we start talking about FTP, SMTP or any other non-HTTP server.

"When an attacker can control what is returned by the server, the victim becomes vulnerable to security issues," Gauci says.
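Since browser-side port blacklists cannot cover every port, the non-HTTP service can also defend itself. The sketch below is an added example, not code from Gauci's paper or this article: it contrasts a reply that reflects unrecognised input with a hardened handler that never copies client bytes into its reply and drops the connection when the traffic looks like a browser. The toy line-based protocol, its command names and the sample session are assumptions constructed for illustration.

```python
import re

# First line a browser sends when a form is submitted, e.g. "POST / HTTP/1.1".
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH|CONNECT|TRACE) \S+ HTTP/\d(\.\d)?$"
)
HTTP_HEADER = re.compile(rb"^(Host|User-Agent|Content-Type|Referer|Cookie):", re.I)
KNOWN_COMMANDS = {b"HELO", b"NOOP"}  # hypothetical toy protocol

# Constructed sample: what a form submission looks like to a non-HTTP service.
CONSTRUCTED_FORM_POST = [
    b"POST / HTTP/1.1\r\n",
    b"Host: service.example\r\n",
    b"Content-Type: text/plain\r\n",
    b"\r\n",
    b"MARKER-FROM-FORM-FIELD\r\n",
]

def looks_like_http(line: bytes) -> bool:
    line = line.rstrip(b"\r\n")
    return bool(HTTP_REQUEST_LINE.match(line) or HTTP_HEADER.match(line))

def naive_reply(line: bytes) -> bytes:
    """Reflecting behaviour: unrecognised input is copied into the reply."""
    return b"500 unrecognised command: " + line.rstrip(b"\r\n") + b"\r\n"

def hardened_reply(line: bytes):
    """Return (reply, keep_open); the reply never contains client bytes."""
    if looks_like_http(line):
        return b"", False  # browser traffic: close without answering
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"QUIT":
        return b"221 bye\r\n", False
    if verb in KNOWN_COMMANDS:
        return b"250 ok\r\n", True
    return b"500 unrecognised command\r\n", True  # fixed text, no echo

def run_session(lines) -> bytes:
    """Feed lines through the hardened handler; return all bytes sent back."""
    out = b""
    for line in lines:
        reply, keep_open = hardened_reply(line)
        out += reply
        if not keep_open:
            break
    return out
```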
