Tuesday, August 25, 2009

Twitter XSS Exploit Patched

According to an article over at Mashable, a potential XSS exploit was found and reported by a Twitter user earlier today. Twitter has already patched the vulnerability, but it illustrates how vigilant we have to be as developers. Never, ever, ever forget to sanitize all user input. It's not just your security on the line, it's your users' security, and that leaves you with a heaping pile of liability.

It's easy to overlook XSS if you don't have a comprehensive XSS filter between you and all user input. These exploits exist on myriad sites, and so do serious SQL injection vulnerabilities, which have enabled massive credit card fraud and other exploitation (in a recent case, SQL injection was used to capture over 150 million credit card numbers from banks and retail chains). The sad thing is that they're not even difficult to do: anyone who knows a little SQL and/or JavaScript can write an exploit quickly. Check out http://ha.ckers.org/xss.html for some good starting info on doing penetration testing on your site (and no worries about the link; believe me when I say anyone looking to hack your site already knows it).
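As an added example (not code from the post, Mashable or Twitter), here are the two mistakes the post names, each beside its fix: a user's status rendered with and without HTML escaping, and a database lookup with the value concatenated into the SQL text versus bound as a parameter. It uses only Python's standard library; the status text and the `statuses` table are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample input: a "status update" carrying markup its author never meant to run.
SAMPLE_STATUS = '<img src=x onerror="alert(1)"> hello "world" & friends'


def render_status_unsafe(status: str) -> str:
    """The mistake the post warns about: user text dropped straight into markup."""
    return f'<p class="status">{status}</p>'


def render_status(status: str) -> str:
    """HTML body context: escape &, <, > and both quote characters so the
    browser treats the text as data rather than as tags or attributes."""
    return f'<p class="status">{html.escape(status, quote=True)}</p>'


def render_title_attr(status: str) -> str:
    """Attribute context: the value must be quoted *and* escaped, otherwise a
    quote in the input closes the attribute and the rest becomes new markup."""
    return f'<a href="/status" title="{html.escape(status, quote=True)}">view</a>'


def _seed_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a real statuses store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statuses (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO statuses (body) VALUES (?)",
                     [("first post",), (SAMPLE_STATUS,)])
    return conn


def lookup_concat(body: str):
    """Vulnerable: the input is pasted into the SQL text, so a single quote in
    it changes the statement. Returns the rows, or the driver error it caused."""
    conn = _seed_db()
    try:
        rows = conn.execute(f"SELECT body FROM statuses WHERE body = '{body}'").fetchall()
    except sqlite3.Error as exc:
        return exc
    finally:
        conn.close()
    return [r[0] for r in rows]


def lookup_param(body: str) -> list:
    """Fixed: the value travels separately from the SQL text as a bound
    parameter, so quotes in it are just data."""
    conn = _seed_db()
    rows = conn.execute("SELECT body FROM statuses WHERE body = ?", (body,)).fetchall()
    conn.close()
    return [r[0] for r in rows]
```

Note that an ordinary apostrophe (as in a name like O'Reilly) is enough to break the concatenated query; the same property an attacker relies on also corrupts legitimate input.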

Ntastic © 2009 Justen Robertson, Pensieri Template © 2008 TNB