
Cross-Site Scripting Flaws Abound

Security Fix has dedicated quite a bit of "ink" lately to covering the dangers of cross-site scripting flaws -- programming errors commonly found on commercial Web sites that phishers and online scam artists can use to trick users into giving away personal and financial data. Last month, we pointed to several such flaws on Web sites built by financial institutions.

But you wouldn't expect to see these kinds of flaws in the Web sites created by computer security companies and national security agencies, would you?

If you answered "no," think again. An interesting running thread over at the Russian security blog by Valery Marchuk -- SecurityLab.ru -- shows examples of several such flaws on sites belonging to -- among others -- Verisign, eEye Digital Security, Cisco Systems, F-Secure, Snort.org, and the National Security Agency. Clicking on most of the links in the SecurityLab thread demonstrates the vulnerability on each site, with the exception of a few of the older ones, which appear to have been fixed.

Marchuk posted several of these examples a couple of weeks back on Full Disclosure, an unmoderated (read: rather poor signal-to-noise ratio) but widely read security mailing list, so it's somewhat surprising to see some of the flaws still present on these sites. F-Secure and Netcraft appear to have since corrected the flaws on their sites, but the others -- such as Verisign and eEye -- were only posted yesterday, so it's less surprising that they're not fixed yet.

Finding a cross-site scripting attack on the NSA's site is kind of fun I guess (or "l33t", if you will, in lame-brained hacker speak), but the Verisign one is potentially dangerous, given that Verisign has pretty much staked its reputation on ensuring that Web sites -- including its own -- are trustworthy. As I noted in previous posts, cross-site scripting (XSS) flaws occur when Web sites accept input from the user -- usually from something like a search box or e-mail form -- but do not properly filter that input to strip out or disallow potentially malicious code. The danger is that phishers and online scammers will exploit these types of flaws to make their scams appear more legitimate, because XSS vulnerabilities allow the attacker to force the target site to load content from somewhere else.

Take the XSS flaw in the NSA's site. As of this writing, if you click on this link (thanks to Sunbelt Software's Eric Sites for help in constructing this example), it will show this vulnerability in action, loading content from a third-party site within a page hosted on the NSA's site [the site content loaded in this example is a video clip from Justgotowned.com].

Remember, the attack is not altering the spy agency's site in any way; XSS attacks are, for the most part, "client-side" attacks, in that their impact is directed at the viewer's computer or browser. Anyway, the point is that this link would look innocent enough in an e-mail or instant message, but it could be used to redirect users to another site, such as one that tries to load malware or exploit browser security flaws.
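The two paragraphs above describe the defect (a search box whose input is echoed back into the page without filtering) and its effect (a page on the trusted site that loads content from somewhere else). The following is an added example, not code from the post or from any of the sites it names: a minimal search-results renderer in both its vulnerable and its hardened form, with a check a site owner can keep as a regression test. The page template, the `third-party.example` host and the sample search term are all constructed for the example.

```python
import html
from urllib.parse import quote_plus

# Constructed page template: the search term is dropped into the <h1>.
PAGE = """<!doctype html>
<html><head><title>Search</title></head>
<body>
<h1>Results for: {query}</h1>
<p>No results found.</p>
</body></html>
"""


def render_search_vulnerable(query: str) -> str:
    """The defect the post describes: the user's term goes straight into
    the HTML, so any markup in it becomes live markup on the trusted site."""
    return PAGE.format(query=query)


def render_search_safe(query: str) -> str:
    """Hardened form: HTML-encode the term for the context it lands in.
    html.escape with quote=True rewrites & < > " and ' as entities, so the
    browser shows the term as text instead of parsing it as markup."""
    return PAGE.format(query=html.escape(query, quote=True))


def build_search_link(base_url: str, query: str) -> str:
    """Shape of the link that would be mailed around: the term is URL-encoded,
    so a casual reader sees only a long query string on a familiar host."""
    return f"{base_url}?q={quote_plus(query)}"


def reflects_live_markup(body: str, tag: str) -> bool:
    """Regression check for the site owner: does the tag survive into the
    response as an element start, rather than as the encoded text '&lt;tag'?"""
    return f"<{tag}" in body.lower()


# Constructed sample input: a search term carrying a third-party embed, the
# kind of foreign content the post describes being loaded into the page.
SAMPLE_QUERY = 'cryptography <iframe src="https://third-party.example/clip"></iframe>'


def demo() -> dict:
    """Render the same term both ways and report what the browser would see."""
    vulnerable = render_search_vulnerable(SAMPLE_QUERY)
    safe = render_search_safe(SAMPLE_QUERY)
    return {
        "link": build_search_link("https://search.example/", SAMPLE_QUERY),
        "vulnerable_reflects_iframe": reflects_live_markup(vulnerable, "iframe"),
        "safe_reflects_iframe": reflects_live_markup(safe, "iframe"),
        "safe_heading_text": html.escape(SAMPLE_QUERY, quote=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is context-specific encoding at the point where untrusted text enters the page, not input "filtering" on the way in: the same term may need different treatment in an HTML body, an attribute, or a URL, and blocklisting known-bad strings at the search box is what the sites in the post were presumably relying on when they were caught out.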

Companies like eBay and Amazon, which have been favorite targets of phishers in the past, have taken hits for failing to secure their Web sites against XSS attacks. But the fact that the NSA and several prominent security companies also have trouble catching these flaws shows that this is a problem that is not likely to go away anytime soon.

I've put a call into the NSA for comment. After providing them with the link above, the spokesperson who answered my call said simply that the agency would look into the matter. But she didn't promise to get back to me for sure.

Update, 5:01 p.m. ET: The NSA appears to have fixed the XSS flaw on its site shortly after I notified them via e-mail.

By Brian Krebs  |  August 15, 2006; 2:41 PM ET
Categories:  Latest Warnings  

Comments

As of 4:15PM today, the NSA link leads to a page that says:

>>Error Notice
Missing Template

The requested web page or an included file is missing.

Please go back to the previous page and verify the format and completeness of the link address before trying again.

Posted by: Catawba | August 15, 2006 4:17 PM

Be Alert, the World Needs More Lerts... er, l33ts.

Posted by: Pete from Arlington | August 16, 2006 3:51 PM

THANK YOU to Pete from Arlington, for that moment of comic relief, re "Be a Lert". I needed that! It took me a moment to "get it", but had I been taking a sip of coffee at the moment, I would now be wiping coffee off my 'puter screen.

Posted by: DHFabian | August 17, 2006 12:29 PM

Any reason you left Symantec off the list of security company sites that Valery found XSS on?

He claims he found 40 instances, which is very alarming.

Posted by: Anonymous | August 24, 2006 1:08 PM

© 2010 The Washington Post Company