
Creating a Public Nuisance with Insecure Web Sites

Thousands of Web sites that were cited last year for harboring security flaws that could be used to attack others online remain a hazard and an eyesore along the information superhighway.

At issue are sites that harbor so-called cross-site scripting (XSS) vulnerabilities, which occur when Web sites accept input from a user -- usually from something like a search box or e-mail form -- but do not filter out script or other markup before echoing that input back into the page.

Once the code is entered, the URL that the Web site spits back can then be used for phishing scams. Unlike other scams, the URLs used in these cases look more legitimate. A typical XSS attack usually goes like this: The bad guys send out e-mails designed to look like they were sent by a trusted e-commerce company. The e-mails instruct recipients to click on a link and update their account information. Instead of directing them to a purely fraudulent site -- i.e., the hacker's own copy of a real login form -- the link puts the visitor on the Web site of the trusted brand, thereby giving it a legitimate URL. The page, however, has been manipulated to display content controlled by the attacker.

[Image: xssed.jpg]

One site that does a tremendous job cataloging these XSS flaws is xssed.com, which listed nearly 13,000 Web pages that hosted XSS vulnerabilities, including a large number at trusted and high-traffic Web sites such as yahoo.com, google.com, msn.com, myspace.com, facebook.com, craigslist.com and cnn.com.

According to the latest Internet Security Threat Report from Symantec Corp., only 3 percent of those XSS flaws recorded at xssed.com last year were fixed. Ironically, Symantec's own site was recently featured on xssed.com as vulnerable to a nasty XSS flaw (Symantec has since fixed the problem).

XSS bugs can even be used to power Web-based worms. This past week, a series of worms took advantage of XSS flaws on micro-blogging site Twitter.com to annoy and frighten thousands of Twitterers. While the worms were otherwise harmless, rogue anti-virus vendors have begun seizing on public interest in the outbreaks by gaming search engine results to send curious searchers to booby-trapped sites that try to foist worthless and invasive software.

XSS flaws are some of the most common Web site vulnerabilities, but they are also usually fairly simple to fix. If your site is listed on xssed.com, or you'd simply like to know more about how to make sure your site isn't contributing to the problem, check out this primer from the Open Web Application Security Project (OWASP). While you're there, you might want to take a look at some of the other best-practices documents they have available.
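To make the search-box scenario above concrete, here is an added example (not code from the original column, and not from OWASP or xssed.com) of the reflected-XSS pattern beside its fix, plus the kind of regression check a site owner can run before declaring a flaw fixed. The page template, the function names and the probe strings are all constructed for the illustration; the fix is the standard one the OWASP primer describes, HTML-encoding user input before it is written back into the page.

```python
from html import escape
from html.parser import HTMLParser

# Tags the constructed search-results template is allowed to contain.
TEMPLATE_TAGS = {"h1", "input"}


def render_search_unsafe(query: str) -> str:
    """Vulnerable pattern: the search term is concatenated straight into
    the HTML body and into a quoted attribute, so markup in the term is
    rendered as markup (the xssed.com-style reflected XSS)."""
    return f"<h1>Results for {query}</h1>\n<input name='q' value='{query}'>"


def render_search_safe(query: str) -> str:
    """Fixed pattern: encode the term for the HTML body and, separately,
    for the attribute value (escape() with quote=True also encodes quotes)."""
    body = escape(query)
    attr = escape(query, quote=True)
    return f"<h1>Results for {body}</h1>\n<input name='q' value='{attr}'>"


class _Audit(HTMLParser):
    """Records every start tag and the attributes of the search box."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.input_attrs: dict | None = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def reflects_markup(page: str) -> bool:
    """Regression check: True if the rendered page contains a tag the
    template never had, or the search box grew an attribute the template
    never set. Either means user input was reflected as markup."""
    audit = _Audit()
    audit.feed(page)
    foreign_tags = set(audit.tags) - TEMPLATE_TAGS
    extra_attrs = set(audit.input_attrs or {}) - {"name", "value"}
    return bool(foreign_tags or extra_attrs)


if __name__ == "__main__":
    # Constructed probes: one injects a harmless tag into the body, the
    # other closes the attribute quote and adds a harmless attribute.
    for probe in ("<i>probe</i>", "x' title='y"):
        print(probe, "unsafe:", reflects_markup(render_search_unsafe(probe)),
              "safe:", reflects_markup(render_search_safe(probe)))
```

The check uses the standard-library parser rather than string matching, so it reports the vulnerability the way a browser would see it (a new element or attribute), which is what Krebs refers to in the comments when he says a working flaw makes "a box pop up over top of the landing page".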

Interestingly, the login page for the official Web site of the RSA Conference next week in San Francisco, arguably the largest gathering of security company executives on the planet, contains a security flaw that could let attackers abuse the trust people place in the site, and RSA's brand. This vulnerability is a type of weakness often confused with XSS, called "cross-site request forgery" (CSRF).

An attacker could use this flaw in the RSA site as a launching pad to silently redirect users to another Web site, or potentially to corrupt the site's own database of registered users, said Lance James, founder of Secure Science Corp. and author of the book Phishing Exposed.

"With the clever methods of attack these days, such as poisoning search terms, having a vulnerability within a popular security conference could be devastating," James said.

RSA, if you're reading, OWASP has some decent primers on how to mitigate CSRF attacks as well.

By Brian Krebs | April 16, 2009; 6:27 PM ET
Categories: Latest Warnings, Safety Tips | Tags: cross-site scripting, rsa conference 2009, symantec, xssed.com

Comments

I guess scary is one word that comes to mind after reading your column(s) today.

Brian, a couple of questions, both of which refer to Firefox, which I use almost exclusively (W XP Home, plus just acquired a laptop with Vista Home Premium) :
1) NoScript add-on used. Since most sites will not work without scripting, I will "temporarily allow" just the site which I am browsing. How much protection does NoScript give me against the nasties you have recently been describing ?
2) I also use the Netcraft Anti-Phishing Toolbar. Again, how much protection does that give me ?

I admit I am running as administrator.
Running as a guest just seemed too complicated, at least in XP (did not check it out in Vista yet).
Or maybe I am just lazy to set it up to browse not as an administrator.

Posted by: observer31 | April 16, 2009 9:30 PM

Oops!
Results for "washingtonpost" (limited to 20 entries per section)
XSS:
www.washingtonpost.com XSS vulnerability notified by tenest
www.washingtonpost.com XSS vulnerability notified by Uber0n
mobile.washingtonpost.com XSS vulnerability notified by mox

Posted by: Eremita1 | April 16, 2009 9:53 PM

Eremita1 -- Yes. Even the Post.com has had these. All of the three currently listed there at xssed.com that you point out have been fixed, and near as I can tell were fixed prior to today.

Now that I've gone and said that, you watch...someone will find a new one that's currently on wp.com.

Posted by: BTKrebs | April 16, 2009 11:03 PM

So sad that some people have so much time on their hands that they devise and send viruses, worms, etc. knowing that they can harm others. They may think it's great fun, or even self-righteously claim they are doing a service by pointing out security flaws, but if their work leads to me losing important personal financial or even just family-related files, not even having my identity stolen, would they care? Would they compensate me? Pretty disgusting.

Posted by: Sutter | April 17, 2009 11:10 AM

BK, what am I missing on that search return page that indicates they have been fixed? Thanks.

Posted by: Eremita1 | April 17, 2009 1:53 PM

Eremita1 -- Have you tried testing any of those? If they were working, you would see a box pop up over top of the landing page. That doesn't happen. My guess is no one notified the site they were fixed.

Posted by: BTKrebs | April 17, 2009 2:59 PM

BK, not sure how to test them... but when I click one in the search result link, I get a more info page indicating that they have not been notified that it has been fixed. I will take your word for it. Thanks.

Posted by: Eremita1 | April 17, 2009 3:21 PM

I'd like an answer to that NoScript question that observer31 asked; I've been updating NoScript, and they always mention fighting XSS flaws.

Brian: do you think that NoScript is doing a good job?

Posted by: spenceradams | April 17, 2009 4:05 PM

noscript is great, but it is most useful when clicking links or visiting places you've never been before. the reason I say that is that once you trust a site, you're trusting it to load script. but we see all the time where legit sites get hacked or a banner ad running on that site gets hacked, and if you've trusted that site in noscript, then the add-on isn't going to save your bacon.

if you're running XP and can't be bothered to use the guest account or a limited account, maybe at least set up the browser itself to run in limited mode?

you can do this with a program like "drop my rights." Read more about how to set it up here:

http://voices.washingtonpost.com/securityfix/2006/04/windows_users_drop_your_rights.html

Posted by: BTKrebs | April 17, 2009 4:18 PM

I have few sites that are "trusted." Even with sites like washingtonpost.com, I put up with the hassle of having to allow scripts one by one as they are needed. I do run Firefox under drop my rights (wish I could have a non-admin account) but I am paranoid so I put up with the frustration of constantly allowing and not allowing scripts and hope that I don't allow one that will get me in trouble. Seems a shame that such a great technology as the Internet is so compromised.

Posted by: Eremita1 | April 17, 2009 5:24 PM

BTKrebs:
well, I have a Mac, so should I even worry about it?
Let me know after the weekend, i.e., when you're having a life. I'll check back Monday.
Thanks as always.

Posted by: spenceradams | April 17, 2009 7:10 PM

Brian, re your comments 4:18pm :

First of all, thanks.

I went to your column for which you provided a URL at the end of your comments (description of how to set up "Drop my Rights").
Although I have not tried to follow it yet, upon reading it your instructions seem clear enough and I should be able to follow them.
I want to let you know that the URL provided in the last paragraph of your instructions (pointer to Microsoft's instructions) has become broken.

Posted by: observer31 | April 17, 2009 9:49 PM

@spenceradams: it doesn't matter that you use a Mac, you are equally vulnerable. XSS attacks are generally not OS-specific (but they can be browser-specific.)

On noscript... In many cases noscript can still detect a possible XSS attack even if you've marked a site as trusted. It does so by analyzing link URLs for suspicious patterns, rather than by script blocking.

I wrote a bit on the dangers of not fixing "simple" XSS issues, including (for example) the possibility of stock-price manipulation:

http://peekay.org/2009/03/23/chinks-in-the-armor/

(I hope it's ok to link to my blog rather than me copy/pasting everything here.)

Posted by: AdeBarkah | April 19, 2009 9:44 AM

Only 3% of XSS flaws fixed is not exactly confidence inspiring. It's worth the effort to do a little homework and not only figure out which sites are to be trusted but to know what "trusted" actually means. http://www.justaskgemalto.com/en/focus/how-do-i-make-sure-web-site-safe-when-i-shop-online is a great article for online retail.

Posted by: funkmasterflex57 | April 21, 2009 12:12 AM

AdeBarkah is right. NoScript offers a lot of protection even when scripts are allowed globally. In addition to checking for suspicious URLs, NoScript also protects you from clickjacking.

This article mentions CSRF attacks. I'd like to share an easy way to protect yourself against them. When you browse the web use two browsers, one for general surfing and one for sensitive activities (shopping, banking, etc). Having two windows of the same browser won't work, they need to be different browsers (for example, I browse the web with Firefox, but use Opera for banking, email, etc). As soon as you are done with the sensitive activity, log out. Don't have more than one tab at a time open on the browser that you use for sensitive transactions.

A CSRF relies on the fact that your browser will send your cookies from a specific domain along with any request made to that domain, even if the request comes from an image tag or iframe. If you carry out your sensitive activities in a different browser, those cookies are not available from the other browser.

Posted by: theaconiguerrillamailblockcom | April 22, 2009 10:05 AM
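The cookie mechanism the commenter above describes, and the kind of server-side mitigation the column points RSA toward in OWASP's CSRF material, can be modelled in a few dozen lines. This is an added example, not code from the column, the commenter, OWASP or any real site: the origins, the `ProfileServer` with its "change e-mail" form, and the `Browser` cookie jar are all constructed. It shows the forgery succeeding against a site that trusts the session cookie alone, failing against a per-session token (the synchronizer-token pattern) or an origin check, and failing when the victim follows the two-browser advice, because the second browser's cookie jar simply does not hold the session cookie.

```python
import secrets
from dataclasses import dataclass, field

# Constructed origins for the model; neither is a real site.
SITE = "https://profile.example"
OTHER = "https://other.example"


@dataclass
class Request:
    page_origin: str   # origin of the page that triggered the request (what the Origin header carries)
    cookies: dict
    form: dict


@dataclass
class Browser:
    """One cookie jar. A browser attaches every cookie it holds for a host to
    every request to that host, whichever page (image tag, iframe, form) triggered it."""
    jar: dict = field(default_factory=dict)

    def submit(self, page_origin: str, form: dict) -> Request:
        return Request(page_origin, dict(self.jar), dict(form))


class ProfileServer:
    """Hypothetical site whose change-e-mail form is the CSRF target."""

    def __init__(self, require_token: bool = False, check_origin: bool = False):
        self.sessions: dict[str, str] = {}   # session id -> user
        self.tokens: dict[str, str] = {}     # session id -> per-session CSRF token
        self.emails: dict[str, str] = {}     # user -> e-mail on file
        self.require_token = require_token
        self.check_origin = check_origin

    def login(self, browser: Browser, user: str, email: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.tokens[sid] = secrets.token_hex(16)
        self.emails[user] = email
        browser.jar["session"] = sid   # Set-Cookie: session=...
        return self.tokens[sid]        # the site embeds this as a hidden field in its own form only

    def change_email(self, req: Request) -> int:
        sid = req.cookies.get("session")
        user = self.sessions.get(sid)
        if user is None:
            return 401                                   # no session cookie arrived at all
        if self.check_origin and req.page_origin != SITE:
            return 403                                   # request triggered by a foreign page
        sent = req.form.get("csrf_token", "")
        if self.require_token and not secrets.compare_digest(sent, self.tokens[sid]):
            return 403                                   # foreign page cannot read the token
        self.emails[user] = req.form["email"]
        return 200


def forged_attempt(require_token: bool, check_origin: bool, two_browsers: bool):
    """A page on OTHER triggers a change-e-mail request from the everyday browser.
    Returns (HTTP status, e-mail now on file for the victim)."""
    site = ProfileServer(require_token, check_origin)
    everyday = Browser()
    sensitive = Browser() if two_browsers else everyday
    site.login(sensitive, "alice", "alice@example.test")
    forged = everyday.submit(OTHER, {"email": "changed-by-forgery@example.test"})
    return site.change_email(forged), site.emails["alice"]


def legitimate_change():
    """The victim's own browser submits the site's own form, token included."""
    site = ProfileServer(require_token=True, check_origin=True)
    browser = Browser()
    token = site.login(browser, "alice", "alice@example.test")
    req = browser.submit(SITE, {"email": "new@example.test", "csrf_token": token})
    return site.change_email(req), site.emails["alice"]


if __name__ == "__main__":
    print("cookie only, one browser:", forged_attempt(False, False, False))
    print("with token:", forged_attempt(True, False, False))
    print("with origin check:", forged_attempt(False, True, False))
    print("two browsers, no defense:", forged_attempt(False, False, True))
    print("legitimate:", legitimate_change())
```

The token and origin checks are the server-side fixes; the two-browser habit is a client-side workaround that protects only the person who keeps it up. Modern browsers also offer the `SameSite` cookie attribute, which withholds the cookie from cross-site requests in much the same way the separate cookie jar does here.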



© 2010 The Washington Post Company