Cross-Site Scripting Flaws Abound
Security Fix has dedicated quite a bit of "ink" lately to covering the dangers of cross-site scripting flaws -- programming errors commonly found on commercial Web sites that phishers and online scam artists can use to trick users into giving away personal and financial data. Last month, we pointed to several such flaws on Web sites built by financial institutions.
But you wouldn't expect to see these kinds of flaws in the Web sites created by computer security companies and national security agencies, would you?
If you answered "no," think again. An interesting running thread over at the Russian security blog by Valery Marchuk -- SecurityLab.ru -- shows examples of several such flaws on sites belonging to -- among others -- Verisign, eEye Digital Security, Cisco Systems, F-Secure, Snort.org, and the National Security Agency. Clicking on most of the links on the SecurityLab thread demonstrates the vulnerability in each site, with the exception of a few of the older ones, which appear to have been fixed.
Marchuk posted several of these examples a couple of weeks back on Full Disclosure, an unmoderated (read: rather poor signal-to-noise ratio) but highly read security mailing list, so it's somewhat surprising to see some of the flaws still present in these sites. F-Secure and Netcraft appear to have since corrected the flaws in their sites, but the others -- such as Verisign and eEye -- were only posted yesterday, so it's not as surprising that they're not fixed yet.
Finding a cross-site scripting attack on the NSA's site is kind of fun I guess (or "l33t", if you will, in lame-brained hacker speak), but the Verisign one is potentially dangerous, given that Verisign has pretty much staked its reputation on ensuring that Web sites -- including its own -- are trustworthy. As I noted in previous posts, cross-site scripting (XSS) flaws occur when Web sites accept input from the user -- usually from something like a search box or e-mail form -- but do not properly filter that input to strip out or disallow potentially malicious code. The danger is that phishers and online scammers will exploit these types of flaws to make their scams appear more legitimate, because XSS vulnerabilities allow the attacker to force the target site to load content from somewhere else.
Take the XSS flaw in the NSA's site. As of this writing, if you click on this link (thanks to Sunbelt Software's Eric Sites for help in constructing this example), it will show this vulnerability in action, loading content from a third-party site within a page hosted on the NSA's site [the site content loaded in this example is a video clip from Justgotowned.com].
Remember, the attack is not altering the spy agency's site in any way; XSS attacks are, for the most part, "client-side" attacks, in that their impact is directed at the viewer's computer or browser. Anyway, the point is that this link would look innocent enough in an e-mail or instant message, but it could be used to redirect users to another site, such as one that tries to load malware or exploit browser security flaws.
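The search-box reflection described above, as an added Python example that is not part of the original post: a results page that echoes the query unencoded next to one that HTML-escapes it, plus the check a site owner can run against a response to see whether input comes back with its markup intact. The URL, hostnames and function names are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a search URL whose "q" parameter carries markup that
# would pull third-party content into the page (hypothetical hostnames).
SAMPLE_URL = ("https://search.example/results?q="
              "%3Ciframe%20src%3D%22https%3A%2F%2Fthird-party.example%2F%22%3E%3C%2Fiframe%3E")


def query_from_url(url: str) -> str:
    """Extract the raw, percent-decoded search term from the q parameter."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_results_vulnerable(term: str) -> str:
    """Echoes the term into the page verbatim: the flaw the post describes."""
    return f"<h2>Results for: {term}</h2>"


def render_results_hardened(term: str) -> str:
    """Escapes the term so the browser renders it as text, never as markup."""
    return f"<h2>Results for: {html.escape(term, quote=True)}</h2>"


def reflects_unescaped_markup(page: str, term: str) -> bool:
    """Defender-side check on a captured response: if the term contained
    markup characters and appears in the page byte-for-byte, the site is
    reflecting user input without encoding it."""
    has_markup = any(c in term for c in "<>\"'")
    return has_markup and term in page


if __name__ == "__main__":
    term = query_from_url(SAMPLE_URL)
    for name, render in (("vulnerable", render_results_vulnerable),
                         ("hardened", render_results_hardened)):
        page = render(term)
        print(f"{name}: reflects unescaped markup = "
              f"{reflects_unescaped_markup(page, term)}")
```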
Companies like eBay and Amazon, which have been favorite targets of phishers in the past, have taken hits for failing to secure their Web sites against XSS attacks. But the fact that the NSA and several prominent security companies also have trouble catching these flaws shows that this is a problem that is not likely to go away anytime soon.
I've put a call into the NSA for comment. After providing them with the link above, the spokesperson who answered my call said simply that the agency would look into the matter. But she didn't promise to get back to me for sure.
Update, 5:01 p.m. ET: The NSA appears to have fixed the XSS flaw on its site shortly after I notified them via e-mail.
August 15, 2006; 2:41 PM ET
Categories: Latest Warnings