2008
Northwest Regional Security Conference
Wednesday, April 23rd
Russ McRee
holisticinfosec.org



Russ McRee, GCIH, GCFA, CISSP is a security analyst doing incident response for the Windows Live Security Incident Management team. He's the author of ISSA Journal's monthly column toolsmith, and has written for Information Security, Linux Pro, SysAdmin and others, including an OWASP whitepaper. Prior speaking engagements include SecureWorld Expo, ISSA Northwest Regional, WSA SIG, RAID 2005, and Linuxfest Northwest.

Russ has been a board member of ISSA Puget Sound, and is a member of PACCISO, InfraGard and CCSA. Russ maintains holisticinfosec.org and blog.holisticinfosec.org.


Presentation Abstract

In the same mindset of a “month of browser, Mac OS X, PHP, etc. bugs” I challenged myself to find and report as many XSS (cross site scripting) vulnerabilities as possible in a 30 day period. The result was well more than 100 vulnerabilities in sites ranging from General Motors to George Mason University, 6 Secunia/CVE advisories for weak software, and a raging debate over the value of ScanAlert’s Hacker Safe label.

The discussion will include a technical dive into this epidemic, including methodology, tools, examples, inherent risks, and the need to aid the Internet community in remediating this issue as well as other web application security lapses.

