
Cross-Site Scripting Hits Major Sites

Posted by CmdrTaco on Mon Sep 25, 2006 10:09 AM
from the scriptdidy-doo-daa-scriptdidy-day dept.
An anonymous reader writes "Dark Reading and SC Magazine covered a story about hackers posting cross-site scripting (XSS) vulnerabilities en masse on dozens of high profile websites including Dell, MSN, HP, Apple, Myspace, YouTube, MSN, Cingular, etc. The media coverage drew the hackers' attention to the publications' websites where they got a taste first-hand. On the message board wall-of-shame are PC World, MacWorld, Fox News, the Independent, and ZDNet UK. "...not only did we get the "scoop" on the XSS site problems, but we also got the message loud and clear: Don't assume you're immune to XSS vulnerabilities. They're everywhere." The news comes shortly after Mitre (CVE) released statistics showing XSS has become the most popular exploit. Unfortunately new XSS attacks are growing increasingly severe and scanners are unable to find many of the issues on modern websites."
  • The Cross Site Scripting FAQ (Score:5, Informative)

    by mrkitty (584915) on Monday September 25 2006, @10:12AM (#16185615)
    (http://www.cgisecurity.com/)
  • Scripting? (Score:3, Funny)

    by Anonymous Coward on Monday September 25 2006, @10:16AM (#16185667)
    <script language="javascript">document.write("It's very hard to check for XSS. I can understand why most people don't bother.")</script>
    • Re:Scripting? by loquacious d (Score:1) Monday September 25 2006, @02:15PM
  • Finally (Score:2)

    by suso (153703) * on Monday September 25 2006, @10:21AM (#16185741)
    (http://suso.suso.org/ | Last Journal: Tuesday March 09 2004, @12:03AM)
    You know, I've been waiting for this feature on weather.com
  • Scanners not able to find XSS (Score:3, Informative)

    by possible (123857) on Monday September 25 2006, @10:22AM (#16185751)
    The reason most vuln scanners can't find XSS vulns on modern sites is because of the increased amount of JavaScript and Flash (with ActionScript) that's in use. But some scanners [rapid7.com] can grok this stuff to varying degrees of completeness.
  • Move on... (Score:2, Informative)

    by 955301 (209856) on Monday September 25 2006, @10:30AM (#16185899)
    (Last Journal: Thursday December 08 2005, @11:00PM)

    So would it be technically possible at this point to move away from the web application and back to the client server app? Here's a path example:

    * Java Client
    * Servlet Interface for the client
    * Java webstart deployment
    * Java plugin on the clients

    For this path the questions would surround authenticating the client and the hassle of installing the java plugin.

    Rinse and repeat for the obligatory Microsoft solution.

    I've never been a fan of web applications and form given the simplicity of creating an SQL injection attack or XSS for that matter. At least if the client application was built for the specific application you expose yourself to less or more obscure security vulnerabilities by nature.

    • Re:Move on... by CommandNotFound (Score:2) Monday September 25 2006, @11:04AM
    • Re:Move on... by dwarfking (Score:1) Monday September 25 2006, @11:04AM
    • Re:Move on... by a.d.trick (Score:2) Monday September 25 2006, @11:18AM
      • Re:Move on... by 955301 (Score:2) Monday September 25 2006, @02:42PM
    • Re:Move on... by profplump (Score:2) Monday September 25 2006, @11:42AM
      • Re:Move on... by 955301 (Score:2) Monday September 25 2006, @02:33PM
        • Re:Move on... by profplump (Score:1) Monday September 25 2006, @04:08PM
  • In soviet russia.. (Score:4, Funny)

    by djuuss (854954) on Monday September 25 2006, @10:30AM (#16185909)
    .. XSS links YouTube
  • scanners (Score:3, Interesting)

    by rilian4 (591569) on Monday September 25 2006, @10:34AM (#16185953)
    (Last Journal: Saturday December 30 2006, @09:44PM)
    ...and scanners are unable to find many of the issues on modern websites
    Obviously the hackers can find systems with this vulnerability...ergo there exists a means to scan for it...

    Draw your own conclusions from there...
    • Re:scanners by From A Far Away Land (Score:3) Monday September 25 2006, @10:37AM
  • But of course Slashdot... (Score:4, Funny)

    by Billosaur (927319) * <wgrother&optonline,net> on Monday September 25 2006, @10:35AM (#16185965)
    (Last Journal: Wednesday November 07, @10:09AM)

    ...remains unaffec... FOJSF{09fiE*EU90av['vlwIOA934MAwadpskf[aepfkfa[-09 u9a

    • Re:But of course Slashdot... (Score:5, Interesting)

      by _xeno_ (155264) on Monday September 25 2006, @10:48AM (#16186163)
      (http://www.xenoveritas.org/ | Last Journal: Monday September 24, @04:04PM)

      A while ago, someone posted a link to a webpage that, when clicked, caused their post to be moderated up. Their post was at +5 for quite a while until enough replies got moderated up pointing out that the link wasn't what it claimed to be.

      So, in a sense, Slashdot has already been hit by a cross-site scripting vulnerability. The fix for XSS vulnerabilities like that involves requiring a secret token to be sent to take user actions, to prevent people from creating forms off-site and submitting them as the user. I suppose checking the referrer may work too, but I wouldn't count on it.

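      The "secret token" fix described in the comment above, as an added example that is not part of the original post or of Slashdot's code. It assumes a hypothetical in-memory session store, a hypothetical /moderate endpoint and the origin https://example.invalid; a per-session random token is embedded in the server-rendered form and every state-changing request must echo it back, which a form hosted on another site cannot do. The weaker referrer check mentioned in the comment is included for comparison.

```python
import hmac
import html
import secrets

# Constructed in-memory session store for the demo: session id -> CSRF token.
# (A real deployment keeps this in its session backend.)
_SESSIONS: dict[str, str] = {}


def new_session() -> tuple[str, str]:
    """Start a session and mint an unguessable per-session token for its forms."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)  # URL-safe alphabet, so it embeds in HTML as-is
    _SESSIONS[sid] = token
    return sid, token


def render_mod_form(sid: str, cid: str) -> str:
    """Server-rendered moderation form; the hidden field carries the session's token."""
    token = _SESSIONS[sid]
    return (
        '<form method="post" action="/moderate">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}" />\n'
        f'  <input type="hidden" name="cid" value="{html.escape(cid, quote=True)}" />\n'
        '  <input type="submit" value="Moderate up" />\n'
        '</form>'
    )


def moderate(sid: str, form: dict[str, str]) -> bool:
    """Apply the state-changing action only if the submitted token matches the session's.

    An off-site form can make the victim's browser send the session cookie, but it
    cannot read the token out of the real page, so its submission is rejected.
    """
    expected = _SESSIONS.get(sid)
    submitted = form.get("csrf_token", "")
    if expected is None:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    # ... perform the moderation for form["cid"] here ...
    return True


def referrer_looks_ok(headers: dict[str, str], own_origin: str = "https://example.invalid") -> bool:
    """The weaker check from the comment: browsers and proxies may omit Referer,
    so a missing header is ambiguous and is treated as unverified here."""
    referer = headers.get("Referer")
    if referer is None:
        return False
    return referer.startswith(own_origin + "/")


if __name__ == "__main__":
    sid, token = new_session()
    print(render_mod_form(sid, "42"))
    print("genuine form accepted:", moderate(sid, {"csrf_token": token, "cid": "42"}))
    print("off-site form accepted:", moderate(sid, {"cid": "42"}))
```

The token is tied to the session rather than to a single form so that multiple open tabs keep working; a per-request token is stricter but breaks the back button. The referrer check is only a fallback because legitimate requests arrive without a Referer header often enough that rejecting them all is not an option for most sites.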
  • Web 2.0 anyone? (Score:2, Insightful)

    by griffon666 (1005489) on Monday September 25 2006, @10:39AM (#16186015)
    Web 1.0: Simple fishing scam
    Web 2.0: Cross-Site Scripting
  • JavaScript/browser design flaw (Score:5, Insightful)

    by oohshiny (998054) on Monday September 25 2006, @10:49AM (#16186185)
    Before web designers blame themselves for this, the existence of XSS is really a fundamental design flaw in the way JavaScript and browsers work. It should have been obvious as soon as JavaScript came out that these kinds of attacks would become a major issue over time, but the "ooh shiny" attitude of the computer industry meant that people adopted JavaScript without knowing what the implications were. In fact, the other big security hole and productivity drain of the industry, C/C++, got adopted in a similar way.

    Writing any substantial piece of software in C, C++, or JavaScript without creating safety or security issues is extremely expensive and beyond the ability or resources of most developers. For C and C++, there are alternatives you can choose today. For JavaScript, you just have to minimize its use or simply not worry about it and let the client fix it with tools like NoScript.
  • but it's probably pointless. Not enough developers care about their craft.

    There's a prominent "popular science" website out there (no, it's not this one [popularscience.com] that I'm thinking of) that has ENORMOUS XSS vulnerabilities in its image gallery. They pass captions and img src in URL encoded query string parameters. Yuck.

    I noticed this about a year ago and reported it to the development team, with a demonstration link that put in a (sorta not nice) image and caption. No response, and when I checked six months ago the vulnerability was still there. So much for being a nice guy.

  • Too Lazy? (Score:2, Informative)

    by Anonymous Coward on Monday September 25 2006, @11:07AM (#16186425)
    It looks like the attacks can be prevented by simple user input validation. Are the above mentioned high profile website developers/architects being too lazy or did nobody know about this type of vulnerability until recently? I can't see how Joe Average will know about this exploit because he will not bother to read the query string (or even understand what it does) if it points to a major website.
  • Experienced this firsthand. (Score:2, Interesting)

    by Anonymous Coward on Monday September 25 2006, @11:07AM (#16186439)
    I've seen the interesting effects of this first hand with a customer's server, which I was tasked to unhack. Took a while to spot the reason the server was hacked because stupidly I didn't think of XSS when I considered the range of hacks that had occurred. When I did finally start grepping the access_logs and saw the rather odd things being passed through an enquiry form script, things started to piece together. I've filched a copy of the script passed and it's quite impressive, though it's probably reasonable to stake a claim on the hacker not being the script writer given the sheer wealth of comments and how-to-customize tips present. n00bishly (but then I'm not employed to harden boxes, nor am I a website programmer) I didn't expect a site to be quite so vulnerable to such a range of exploitation through XSS. The script I have includes stuff to exploit unpatched mysql to create new users, passes a load of hex strings I won't even hazard a guess at their purpose etc. etc.
    As a geek I appreciate the technical qualities; as the guy who had to unhack an exploited server however.. :)
  • Where is the law in these cases?

    I'm sure there are ways to know who the hacker is, so why don't they use the information to catch the criminals and put them on trial?
  • Which is why I always use SafeHTML [pixel-apes.com] whenever my applications ask for input.
  • Validate, Validate AND Validate (Score:5, Insightful)

    by Joe U (443617) on Monday September 25 2006, @12:09PM (#16187251)
    (http://slashdot.org/ | Last Journal: Monday August 20, @10:21AM)
    I'm a web developer and I've said this dozens of times.

    VALIDATE ALL INPUT EVERYWHERE.

    Validate on the client. (For bandwidth reduction)
    Validate at the APP Tier (For security)
    Validate at the Data Tier(For security and integrity)

    If you accept input from a web page, scrub it, and that doesn't mean stripping brackets or quotes, it means putting in a list of valid characters and tossing or replacing absolutely everything else.

    Yes, you might wind up validating something that doesn't need to be validated or scrubbing something that doesn't need to be, the performance hit is worth it.

    Also, Stored Procedures are a great resource, if you design them properly you add an extra layer of security that can actually improve your application performance. (All my recent projects have Stored Procedure execute only rights.)

    If your db code has select * from table in it, you're doing it wrong.

    Ok, enough ranting from me.
  • XSS attempts I've noticed (Score:5, Interesting)

    by trevdak (797540) on Monday September 25 2006, @12:17PM (#16187347)
    (http://www.trevoroldak.com/)
    As a content manager for the U of Rochester when I was a student there, I witnessed thousands of attempts at XSS every month. All of this thanks to one idiot who decided he wanted to put a mambo website up on the student activities server; we had our main server breached and multiple websites defaced. Once you're breached, everyone wants to try to hack you again. One interesting thing I noticed is that the majority of XSS attempts will try to call a script in a file with a .gif or .jpg name. This way, if a curious person sees the attempt and tries to visit the linked script, all they get is a broken image. However, the file_get_contents php function, or other such functions, will read those as PHP. I've seen these scripts uploaded to government websites, university servers and many other places. The one that was put on the U of Rochester server attempted to delete all of the files on the server and put in code for what looked like a perl proxy server (I dunno, it was kinda obfuscated, and I'm not too good at perl yet). The XSS scripts are quite complex, too. Some of them create HTML/javascript console interfaces for people to interact with the server as if they had an SSH connection. And they're all over the place. I've got a website that's had less than 1000 hits, and I've seen three separate attempts to use XSS on it.
  • PayPal had it yesterday (Score:1, Interesting)

    by Anonymous Coward on Monday September 25 2006, @01:25PM (#16188395)
    PayPal had it yesterday. I went there and got a cert pop up. The cert was for ebayobject.com, not www.paypal.com. Needless to say, I ran, and I ran fast.
  • by Dom2 (838) on Monday September 25 2006, @03:52PM (#16191095)
    (http://happygiraffe.net/blog/)

    How many "web" templating systems do you know that automatically escape HTML unless told otherwise? I know of one that can be made to do so: Mason [masonhq.com]. Even then, you have to enable it, as it's not turned on by default.

    What about PHP, ASP, JSP and so on? Will they ever grow up and automatically escape HTML by default? I doubt it very much.

    In the meantime, there's always mod_security [modsecurity.org] if you're willing to invest the time configuring it. But it's no guarantee...

    -Dom

  • I quite often see people using $PHP_SELF ( or better $_SERVER['PHP_SELF'] ) in their php applications (for example, for the form action on a self posting form). What most of them don't realise is that it is user input, and very easy to inject any content into this.

    I think this is a major XSS vector, because this is unknown (really now, wouldn't you expect a $_SERVER variable to be safe?)

    For example:

    <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="get">
       <input type="text" name="field" />
       <input type="submit" />
    </form>

    Going to - page.php/"<script>alert('xss');</script> will work quite nicely (note the trailing slash after the page name).

    There's a good discussion of it at <URL:http://blog.phpdoc.info/archives/13-guid.html >
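    A hardened counterpart to the PHP_SELF form above, and to Dom2's point two comments up about templating systems that escape HTML by default, as an added example that is not part of either post. It is written in Python rather than PHP so it can be run stand-alone: a tiny `render` function (hypothetical, not any real library's API) escapes every substituted value unless the developer wraps it in `Safe`, and the form action is built from the request path through that renderer, so the trailing-slash payload from the comment ends up as inert attribute text.

```python
import html
import re


class Safe(str):
    """Marker for markup the developer has vetted; it is inserted without escaping."""


def escape(value) -> str:
    """HTML-escape a value for text or quoted-attribute context.

    quote=True also turns " and ' into entities, which is what keeps an
    attacker-controlled path from closing the action="..." attribute.
    """
    if isinstance(value, Safe):
        return value
    return html.escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render(template: str, **values) -> str:
    """Substitute {name} placeholders, escaping by default (the Mason-style opt-in
    to raw output is the Safe wrapper, not a per-call flag)."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"template placeholder {name!r} was not supplied")
        return escape(values[name])
    return _PLACEHOLDER.sub(substitute, template)


# Same form as the PHP snippet in the comment, with the action as a placeholder.
FORM = (
    '<form action="{self}" method="get">\n'
    '   <input type="text" name="field" />\n'
    '   <input type="submit" />\n'
    '</form>'
)


def self_posting_form(request_path: str) -> str:
    """request_path plays the role of $_SERVER['PHP_SELF']: attacker-influenced input."""
    return render(FORM, self=request_path)


if __name__ == "__main__":
    # Constructed request path using the payload shape from the comment.
    print(self_posting_form('/page.php/"<script>alert(\'xss\');</script>'))
```

The escaping makes the echo harmless, but the better design is not to echo the request path at all: a fixed action (or an empty one, which posts back to the current URL) removes the untrusted value from the page entirely. In PHP the equivalent single-call fix is `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')`; the renderer here exists to show why a default-escaping template layer catches the cases a developer forgets.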
  • by utube (1006255) on Tuesday September 26 2006, @09:14PM (#16209663)
    (http://utubevideos.blogspot.com/)
    They've been around much longer than this report suggests.
  • Any solution (Score:1)

    by vz3phyre (1003163) on Thursday September 28 2006, @09:13AM (#16228773)
    Hi guys! I am still learning to build trusted websites for my own use... any recommended sites for me to refer to?
  • Re:Why? (Score:2, Insightful)

    by RevDobbs (313888) * on Monday September 25 2006, @10:30AM (#16185901)
    (http://slashdot.org/)
    For most contracts, if you aren't paying experienced developers, there should still be money in the budget for a pro to give the code the once over and do a sign-off.

    Have you ever read poorly-written, newbish code?

    For anything non-trivial, it would probably be quicker and cheaper to have the "pro" write the code in the first place than to pay him for his time to read, understand, and correct a steaming pile of turd spaghetti.

    • Re:Why? by mcfuddlerucker (Score:1) Monday September 25 2006, @10:34AM
      • Re:Why? by Schraegstrichpunkt (Score:2) Monday September 25 2006, @11:30AM
    • Re:Why? by w00f (Score:1) Monday September 25 2006, @10:49AM
    • Re:Why? by suggsjc (Score:2) Monday September 25 2006, @11:02AM
      • Re:Why? by msuzio (Score:2) Monday September 25 2006, @11:07AM
    • Been there, done that. by Medievalist (Score:3) Monday September 25 2006, @11:11AM
  • Re:Why? (Score:4, Insightful)

    by Schraegstrichpunkt (931443) on Monday September 25 2006, @10:59AM (#16186321)
    (http://www.faqs.org/rfcs/rfc3675.html)
    What we have is total morons passing themselves off as web developers, just like we have thousands of "web designers" who don't know the meaning of the word "design".

    "Web design" is for aesthetics and graphics people, like "interior design". Of course you run into problems when you have a web designer doing development work!

    As for "No web developer has written XSS vulnerable code since 2002", I refer you to The Daily WTF [thedailywtf.com].

  • Re:FUD (Score:2)

    by julesh (229690) on Monday September 25 2006, @01:40PM (#16188627)
    who cares `bout XSS when we have IE 0dayz around...

    People who only browse trusted sites and are suddenly having their IE installations exploited via those 0-days because somebody used an XSS attack to insert them into those sites.
    • Re:FUD by utube (Score:1) Tuesday September 26 2006, @09:08PM
      • Re:FUD by julesh (Score:2) Wednesday September 27 2006, @02:19PM