'Hacker Safe' Websites Found Not So Hacker Safe...
- By Grey McKenzie
- Published 01/18/2008
The following story from Dark Reading gives you the inside scoop.
More than 60 sites certified as safe by McAfee's ScanAlert service are vulnerable to cross-site scripting attacks
JANUARY 17, 2008 | More than 60 Web sites certified to be "Hacker Safe" by McAfee's ScanAlert service have been vulnerable to cross-site scripting (XSS) attacks over the past year, including the ScanAlert Web site itself. While the XSS holes in the ScanAlert site and in some others have since been addressed, some apparently have not, leaving visitors to those sites potentially exposed to client-side attacks.
Joseph Pierini, director of enterprise services for the ScanAlert "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server.
Still, Kevin Fernandez and Dimitris Pagkalos, two computer scientists who maintain XSSed.com, a site that has been tracking XSS vulnerabilities since February 2007, provided InformationWeek with a list of 62 Web sites certified as "Hacker Safe" on which XSS holes have been reported. The list includes brookstone.com, cafepress.com, cduniverse.com, gnc.com, mysecurewallet.nl, petsmart.com, and sportsauthority.com, among other familiar brands.
The XSSed.com site tracks whether reported XSS flaws have been fixed, but that information may not be accurate if the site making the repairs, or the initial discoverer of the hole, fails to report the fix.
While XSSed.com data does not specifically correlate the presence of a "Hacker Safe" badge on a site with the time when an XSS vulnerability was active -- the certification could have been withdrawn while the hole was present and then reinstated -- security researchers report that some sites currently certified as "Hacker Safe" are also currently vulnerable to XSS attacks. As of Wednesday, Toastmasters.org, a Web site certified to be "Hacker Safe" by McAfee's ScanAlert service, was one such site.
Russ McRee, a Seattle-based computer security researcher, on Wednesday published information on his blog detailing a cross-site scripting vulnerability that affects the Toastmasters.org site.
Toastmasters International aims to help people overcome their fear of public speaking. An employee of the organization said that no one was immediately available to speak about the group's Web site. Further calls to the organization were not returned.
Full story: Dark Reading.
