It’s Time For XSS To Be Exterminated

XSS flaws are the most common vulnerabilities on the Internet. Website owners should kill them, says Tom Brewster

Your humble reporter was sent a strange direct message over Twitter from a close friend today. It read thusly: “If only everything was this easy. Trust me and check out this article: [LINK DELETED]”. Asked if he’d been hacked, he soon responded in the affirmative. I was not to be hoodwinked this time.

What that link may have led to, you see, was a cross-site scripting attack – that old spectre of the internet that continues to haunt an unnecessary number of websites. The latest WhiteHat Security report has shown over half (55 percent) of all sites contained an XSS flaw in 2011, making it the most common vulnerability on the web. That percentage won’t have dipped much in 2012.

What that means is that if you’re a normal web user, every day you’re likely to be visiting a site that could be letting hackers, whether from criminal networks or MI5-run basements, steal your information or spy on you. Marvellous news, isn’t it?

Making XSS ex-XSS

As with that other old-timer, SQL injection, killing XSS flaws need not be an overly onerous task. Granted, finding the vulnerabilities is known to be a tad tricky, but a wealth of tools, many of them free, can help IT teams identify where issues lie. Advice is not hard to come by either (see the Open Web Application Security Project's guidance on preventing XSS).

Otherwise, staying safe is largely about having decent coders run over web applications with a fine-toothed comb. It’s not a one-time-only job either – the WhiteHat report showed 24 percent of XSS vulnerabilities were reopened in 2011. But many appear to be ignoring recommendations, probably tired of hearing ad nauseam how much their website security sucks.

But they should listen more. Perhaps website owners need a bit of a refresh about how serious XSS can be. In an XSS attack, an attacker makes a legitimate web server send a page containing a malicious script to a target's browser. This can be done in a variety of ways, but two stand out from the crowd.

The most common form of XSS, reflected XSS, occurs when a victim is tricked into sending malicious code to a vulnerable web server, which then sends it straight back to the user. For instance, a user could be sent an email link which, when clicked, would have them submit a string of JavaScript via an online form to the website's server. Just as in legitimate web transactions, the server would read whatever was placed in that form and relay something – in this example a new web page – back to the user. Of course, in this case the page delivered to the user contains the malicious script, which the user's browser will then run.

Link shortening services have made this method more attractive for attackers. They allow for suspicious-looking bits of URLs to remain hidden. That’s why services like Twitter are a fine platform to kick off an XSS hit.

Persistent XSS, meanwhile, is a remarkably simple attack method. It works on those sites where a malicious user can get JavaScript on a website server’s database. So, a permanently displayed profile name could actually feature a piece of nasty script, if the site does not properly check what is being put into the user name field. When other users go to that page, their machine will run the script.

In both scenarios, the JavaScript read by the user’s machine can do a whole load of horrible things, such as steal session credentials and cookies, capture keystrokes or completely take control of the victim’s browser. Without doing very much, cyber criminals can pilfer a lot of useful data. Evidently, website owners have to start taking XSS more seriously.
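To make the "does not properly check what is being put into the user name field" point concrete, here is an added example in JavaScript (not code from the article or any site it mentions): a page-rendering function that pastes a stored profile name straight into HTML, beside one that encodes the value for the HTML body context first so the script the article describes arrives as inert text. The function names and the sample profile name are constructed for this illustration.

```javascript
// Added example: rendering a stored profile name into an HTML page.
// All names and sample values are constructed for illustration.

// Encode the five characters that can change meaning inside an HTML
// text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: whatever was stored in the user name field is emitted as markup,
// so a <script> element stored there is parsed and run by every visitor's browser.
function renderProfileVulnerable(profileName) {
  return `<h1>Profile of ${profileName}</h1>`;
}

// Hardened: the stored value is encoded for the HTML body context before
// insertion, so the browser displays it as text and never parses it as an element.
function renderProfileSafe(profileName) {
  return `<h1>Profile of ${escapeHtml(profileName)}</h1>`;
}

// Input check on the field itself (an allow-list of letters, digits and a few
// punctuation marks). This is a second line of defence only: output encoding is
// still required, because the same name may later be rendered in other contexts.
function isAcceptableProfileName(profileName) {
  return /^[\p{L}\p{N} .'_-]{1,40}$/u.test(profileName);
}

// Crude check used when comparing the two renderers: is there still a raw
// <script> element in the generated HTML?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a profile name carrying the kind of script the article describes.
const SAMPLE_NAME = "Tom<script>alert(1)</script>";
```

Run in a browser or Node, `renderProfileVulnerable(SAMPLE_NAME)` yields markup that a browser would execute, while `renderProfileSafe(SAMPLE_NAME)` shows the literal text `Tom<script>alert(1)</script>` on the page.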

Those suckered into an XSS attack are not blameless either. Just as I didn’t, don’t click on any suspect links, especially those sent from people claiming to be your buddies, pointing to purportedly fascinating content, or outrageous claims of people besmirching your fine reputation. Often people have sent me messages saying: “You won’t believe what people are saying about you” with some obviously dodgy link. At least I assume it’s dodgy and people aren’t really saying terrible things about me… they wouldn’t, would they?
