Cross-site scripting, illustrated

Wired ThreatLevel Blog: Look Ma, I’m on CIA.gov. Wired’s security blog reports a cross-site scripting vulnerability in the CIA’s web site and gives a convenient demo exploit. The exploit is benign enough, illustrating how JavaScript can be used to load an iframe on the CIA’s search results page containing arbitrary content. But the potential for mischief is significant. Imagine loading a phishing site this way. Or imagine this vulnerability on your bank’s home page.
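To make the mechanism concrete, here is an added example (not code from the Wired post or from the CIA site) of the reflected cross-site scripting pattern described above and its fix: a search-results renderer that echoes the query parameter into the page. The function names, the constructed sample queries, the `example.invalid` host and the CSP policy string are assumptions for illustration only.

```javascript
// Added example (not from the Wired post or the CIA site): a minimal search-results
// renderer showing the reflected-XSS pattern and its fix. Sample inputs are constructed.

// HTML-escape the five characters that matter in text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the query parameter is concatenated into the page verbatim, so any
// markup supplied in the URL becomes part of the served page (reflected XSS).
function renderResultsUnsafe(query, results) {
  const items = results.map((r) => `<li>${r}</li>`).join("");
  return `<h1>Results for: ${query}</h1><ul>${items}</ul>`;
}

// HARDENED: every untrusted value is escaped at the point it enters the HTML.
function renderResultsSafe(query, results) {
  const items = results.map((r) => `<li>${escapeHtml(r)}</li>`).join("");
  return `<h1>Results for: ${escapeHtml(query)}</h1><ul>${items}</ul>`;
}

// Defence in depth (assumed policy value): a Content-Security-Policy that forbids
// framed content and inline script, so a missed escape cannot load a foreign iframe.
const CSP_HEADER = "default-src 'self'; frame-src 'none'; script-src 'self'";

// Crude detection heuristic for reflected-markup attempts, usable over the query
// strings in web server access logs. Constructed for illustration, not a production rule.
function looksLikeMarkupInjection(query) {
  return /<\s*(iframe|script|img|svg)\b/i.test(query) || /on\w+\s*=/i.test(query);
}

// Constructed sample inputs: one ordinary query, one carrying an iframe tag.
const BENIGN_QUERY = "intelligence careers";
const HOSTILE_QUERY = '<iframe src="https://example.invalid/"></iframe>';
const SAMPLE_RESULTS = ["Careers page", "Contact & FAQ"];

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderResultsUnsafe(HOSTILE_QUERY, SAMPLE_RESULTS));
  console.log("safe:  ", renderResultsSafe(HOSTILE_QUERY, SAMPLE_RESULTS));
  console.log("flagged:", looksLikeMarkupInjection(HOSTILE_QUERY));
}
```

Run with `node`, and compare the two rendered strings: the unsafe one contains a live `<iframe>` element, the safe one renders the same text as visible characters. Output encoding at the template boundary is the actual fix; the CSP header limits the damage from the escape you forget, and the log heuristic gives you a way to notice that someone is probing for the flaw.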

Too often security vulnerabilities are abstract. This one, thanks to Wired, is pretty real. I’m surprised it’s still up, actually.