Big-name sites outed for XSS holes

What do adobe.com, yahoo.com, cbs.com, bbc.co.uk, microsoft.com, and vh1.com have in common?

Well, aside from the obvious (they're all domain names ending with "dot-something"), they've all earned the dubious distinction of being publicly exposed on ha.ckers.org's forum, sla.ckers.org, for suffering XSS vulnerabilities.

XSS, which stands for cross-site scripting, enables an attacker to inject hostile HTML and script code into the Web application user's browser session. According to Symantec's recently released Internet Security Threat Report: "Cross-site scripting attacks take place when Web applications gather data from a user or other source and then create an output of that data on a user's Web browser. Not only could this allow an attacker to steal confidential information, it could also allow an attacker to insert malicious code onto the host through malicious scripts."
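The mechanism Symantec describes (a page echoing user-supplied data back into the browser without encoding it) is easiest to see in code. The following is an added example, not code from the article or from any of the named sites: a constructed search-results renderer in its vulnerable form beside a hardened one that HTML-encodes the untrusted value. The function names, the sample query and the crude tag detector are all assumptions made for this illustration.

```javascript
// Added example (not from the article): reflected XSS, vulnerable vs. hardened.
// All names and inputs below are constructed for illustration.

// Encode the characters that let untrusted text break out of an HTML
// text or attribute context. The hardened renderer uses this.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the query parameter is concatenated straight into the page,
// so markup carried in the request is reflected as live markup in the
// victim's browser (the "nonpersistent" case discussed on the forum).
function renderSearchPageVulnerable(query) {
  return '<h1>Results for: ' + query + '</h1>';
}

// HARDENED: same template, but the untrusted value is encoded for HTML
// context before it is written out, so it is displayed, not executed.
function renderSearchPageSafe(query) {
  return '<h1>Results for: ' + escapeHtml(query) + '</h1>';
}

// Demo-only check: did any tag or script handler survive into the output
// that the template itself did not put there? Real deployments rely on
// output encoding plus a Content-Security-Policy, not on a regex like this.
function containsInjectedTag(html) {
  return /<script\b|<img\b|<svg\b|\bonerror=|javascript:/i.test(html);
}

// Constructed sample input: the kind of value a crafted link could carry
// in the "q" parameter of a search URL.
const craftedQuery = '<script>alert(1)</script>';

// Stand-alone run: show both renderings side by side.
console.log('vulnerable:', renderSearchPageVulnerable(craftedQuery));
console.log('hardened  :', renderSearchPageSafe(craftedQuery));
console.log('injected tag in vulnerable output?',
  containsInjectedTag(renderSearchPageVulnerable(craftedQuery)));
console.log('injected tag in hardened output?',
  containsInjectedTag(renderSearchPageSafe(craftedQuery)));
```

The fix is context-specific: `escapeHtml` is correct for text nodes and quoted attribute values, but a value written into a URL, a `<script>` block or inline CSS needs the encoding for that context instead. Persistent XSS, the "juicier" variety the forum post refers to, differs only in where the untrusted string comes from (a database row rather than the request), so the same output-encoding rule applies at render time.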

Since August, contributors to the sla.ckers forum have been posting specific exploitable URLs on various Web sites that are ripe to be used for XSS attacks. According to research organization Mitre, XSS vulnerabilities have become tastier targets than attacks such as buffer overflows.

In addition to posting the XSS security flaws, posters on sla.ckers discuss the potential damage that malicious hackers could wreak with them. One individual, who goes by the screen name maluc, posted the following:

"Nonpersistent XSS are a dime a dozen, [I] can post them all day long.

and while it's correct to say they're not as volatile as persistent ones, they're still equally useful for phishing and cookie/form theft.

still though, I find that the persistent ones tend to have many more possibilities, and on juicier sites to boot.

for example: [a URL on myspace.com] allows persistent XSS from quicktime javascript injection, thanks to pdp for pointing that out on gnucitizen.org ... ."

The companies whose security holes have been outed may count themselves fortunate in that the contributors to sla.ckers.org purport not to be acting maliciously nor exploiting the vulnerabilities they find. Rather, they claim to be performing a public service by exposing the real dangers that XSS vulnerabilities pose.

Originators (i.e., the individuals who discover and report the security flaw) are supposed to contact organizations about their Web site's security vulnerability and attempt to work together to fix it, according to sla.ckers' full-disclosure policy (FDP). Failing that, the originator is free to post the security hole. "You basically have 5 days to return contact to the [originator], and must keep in contact with them *at least* every 5 days. Failure to do so will discourage them from working with you and encourage them to publicly disclose the security problem."

Originators do want credit for their work, though, according to the FDP. "Academia has historically and religiously provided credit when referencing all types of works and research; the issue provided by the originator should also be thought of as research, and the originator should be credited accordingly."

It continues: "Now, beyond that, it may be in the vendor's best interest to promote good relations with the researcher, and one suggested way is to provide updates and product licenses."

Sla.ckers members' XSS work has gotten some exposure of late on sites such as darkreading.com, prompting comments on the message board such as "Keep up the good work. Sooner or later companies will start taking this seriously" and "... Perhaps this will not just speed up the process but force companies to do something about it."

What do you think? Is sla.ckers performing a valuable public service with its controversial actions?
