Creating a Public Nuisance with Insecure Web Sites
Thousands of Web sites that were cited last year for harboring security flaws that could be used to attack others online remain a hazard and an eyesore along the information superhighway.
At issue are sites that harbor so-called cross-site scripting (XSS) vulnerabilities, which occur when Web sites accept input from a user -- usually from something like a search box or e-mail form -- but do not prevent users from entering malicious code or other instructions.
Once such code is embedded in a request, the URL that the Web site spits back can then be used in phishing scams. Unlike other scams, the URLs used in these cases look legitimate, because they point at the real site. A typical XSS attack usually goes like this: The bad guys send out e-mails designed to look like they were sent by a trusted e-commerce company. The e-mails instruct recipients to click on a link and update their account information. Instead of directing them to a purely fraudulent site -- i.e., the hacker's own copy of a real login form -- the link puts the visitor on the Web site of the trusted brand, thereby giving it a legitimate URL. The page, however, has been manipulated to display content controlled by the attacker.
One site that does a tremendous job cataloging these XSS flaws is xssed.com, which listed nearly 13,000 Web pages that hosted XSS vulnerabilities, including a large number at trusted and high-traffic Web sites such as yahoo.com, google.com, msn.com, myspace.com, facebook.com, craigslist.com and cnn.com.
According to the latest Internet Security Threat Report from Symantec Corp., only 3 percent of those XSS flaws recorded at xssed.com last year were fixed. Ironically, Symantec's own site was recently featured on xssed.com as vulnerable to a nasty XSS flaw (Symantec has since fixed the problem).
XSS bugs can even be used to power Web-based worms. This past week, a series of worms took advantage of XSS flaws on micro-blogging site Twitter.com to annoy and frighten thousands of Twitterers. While the worms were otherwise harmless, rogue anti-virus vendors have begun seizing on public interest in the outbreaks by gaming search engine results to send curious searchers to booby-trapped sites that try to foist worthless and invasive software.
XSS flaws are some of the most common Web site vulnerabilities, but they are also usually fairly simple to fix. If your site is listed on xssed.com, or you'd simply like to know more about how to make sure your site isn't contributing to the problem, check out this primer from the Open Web Application Security Project (OWASP). While you're there, you might want to take a look at some of the other best-practices documents they have available.
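To make the reflected flaw described above concrete, here is an added example (not code from the article or from OWASP) showing a search page that echoes the query string verbatim beside the same page with the standard fix, contextual output encoding, plus a small defender-side check that tells the two apart. The URL, the host `shop.example` and the probe string are constructed for illustration; `html.escape` is from the Python standard library.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the kind of link a phishing e-mail might carry. It points at
# the trusted site's own search page, so the domain looks legitimate, but the
# query string holds markup that a reflecting page would serve back as live HTML.
SAMPLE_URL = "https://shop.example/search?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"


def query_from_url(url):
    """Return the 'q' parameter as the server sees it after URL-decoding."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(q):
    """Reflects the search term unchanged into an HTML body and an attribute.

    This is the flaw the article describes: whatever arrives in the URL is
    served back under the trusted site's own domain.
    """
    return (f"<h1>Results for {q}</h1>"
            f'<input type="text" name="q" value="{q}">')


def render_hardened(q):
    """Same page with contextual output encoding applied to the reflected value.

    html.escape(quote=True) neutralises <, >, & and both quote characters, which
    covers the HTML body and the double-quoted attribute context used here.
    """
    safe = html.escape(q, quote=True)
    return (f"<h1>Results for {safe}</h1>"
            f'<input type="text" name="q" value="{safe}">')


def input_is_encoded(page, q):
    """Defender-side check: the escaped form of the input must appear in the
    page and the raw form must not (unless the input had nothing to escape)."""
    safe = html.escape(q, quote=True)
    return safe in page and (safe == q or q not in page)


if __name__ == "__main__":
    q = query_from_url(SAMPLE_URL)
    for label, page in (("vulnerable", render_vulnerable(q)),
                        ("hardened", render_hardened(q))):
        print(f"{label:10s} encoded={input_is_encoded(page, q)}  {page}")
```

The same check can be run against a site's own search endpoint by fetching the page for a harmless probe term and confirming that only the encoded form comes back.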
Interestingly, the login page for the official Web site of the RSA Conference next week in San Francisco, arguably the largest gathering of security company executives on the planet, contains a security flaw that could let attackers abuse the trust people place in the site and in RSA's brand. This vulnerability is a type of weakness often confused with XSS, called "cross-site request forgery" (CSRF).
An attacker could use this flaw in the RSA site as a launching pad to silently redirect users to another Web site, or potentially to corrupt the site's own database of registered users, said Lance James, founder of Secure Science Corp. and author of the book Phishing Exposed.
"With the clever methods of attack these days, such as poisoning search terms, having a vulnerability within a popular security conference could be devastating," James said.
RSA, if you're reading, OWASP has some decent primers on how to mitigate CSRF attacks as well.
April 16, 2009; 6:27 PM ET