XSS attacks are being used in combination with spear phishing, social engineering and drive-by attacks
Four XSS vulnerabilities have reportedly been discovered on travel website TripAdvisor.com.
The researcher, going by the username Nasrul07, posted details of the discovery on xssposed.org, where they explained that the vulnerabilities allowed hackers to modify page content and carry out more complicated attacks such as stealing user credentials and posting false reviews.
A statement on the website read: “The vulnerability is still unpatched putting TripAdvisor.com users, visitors and administrators at risk of being compromised by malicious hackers. Theft of cookies, personal data, authentication credentials and browser history are probably the less dangerous consequences of XSS attacks.”
Yesterday, an XSS vulnerability was found on Uber, which had just announced a pre-IPO financing round for $50 billion. The vulnerabilities put visitors at risk of being compromised via theft of cookies, personal details, authentication credentials and browser history.
Security vulnerabilities like these are a major threat as they offer an easy-access front door for hackers to take advantage of. Websites certified as secure are often more vulnerable to hacking and, in its most recent blog post, information security expert High-Tech Bridge explains why XSS flaws like Uber and TripAdvisor’s are so dangerous, yet commonplace.
In a recent blog post covering the topic, Ilia Kolochenko, CEO of High-Tech Bridge’s ethical hacking services, said: “Today, there is no need to convince people that XSS (Cross-Site Scripting) was, is and probably will be the most popular web application vulnerability. However, many people, including security engineers, team leaders and web developers, still seriously underestimate the impact of Cross-Site Scripting vulnerabilities and their consequences.”
Many large companies install expensive web application firewalls (WAF) and regularly conduct penetration testing for their main, most critical website. At the same time they ignore the security of numerous subdomains that they consider “less important” for business continuity. The problem is that in many cases, for the sake of simplicity, usability and compatibility, cookies set by the main website (e.g. www.site.com) will be valid for any subdomain (e.g. education.site.com or jobs.site.com).
Kolochenko continued: “This means that an XSS vulnerability on a forgotten subdomain may be easily used to steal cookies from the main website, or from the other subdomains (e.g. e-banking.site.com that also sets cookies for *.site.com), even if they are located on completely different servers in different data centres.
“Quite often, particularly in large companies, different departments have their own websites and subdomains for testing reasons which are not designed to be secure, but their presence endangers the entire web infrastructure of the company. We are not even talking about the case when a test area is located directly on the main website (e.g. www.site.com/secr3t/beta1/) but can be found by Google search.”
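The cookie scoping described above can be checked with a simplified model of RFC 6265 domain matching. This is an added example, not code from the original article or from High-Tech Bridge; the hostnames, cookie names and values are constructed, and Path, Secure and public-suffix checks are not modeled.

```javascript
// Simplified RFC 6265 model: which cookies can a script on a given host read?
// Assumption: constructed sample data; Path/Secure/public-suffix rules omitted.

// RFC 6265 section 5.1.3: host-only cookies need an exact host match;
// cookies with a Domain attribute also match every subdomain of it.
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  if (cookie.hostOnly) return h === cookie.domain;
  return h === cookie.domain || h.endsWith('.' + cookie.domain);
}

// Parse a Set-Cookie header as received from originHost.
// Returns null when the Domain attribute does not cover the origin (rejected).
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(), hostOnly: true, httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'domain' && v.trim()) {
      cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    }
  }
  if (!cookie.hostOnly && !domainMatches(originHost, cookie)) return null;
  return cookie;
}

// Cookies the browser attaches to requests for `host`.
const sentTo = (host, jar) =>
  jar.filter(c => domainMatches(host, c)).map(c => c.name);

// Cookies an injected script on `host` could read via document.cookie.
const scriptReadableOn = (host, jar) =>
  jar.filter(c => domainMatches(host, c) && !c.httpOnly).map(c => c.name);

// Constructed cookies, all set by www.site.com.
const jar = [
  parseSetCookie('session=abc123; Domain=site.com; Path=/', 'www.site.com'), // weak
  parseSetCookie('session_hardened=def456; Path=/; HttpOnly', 'www.site.com'), // host-only
  parseSetCookie('prefs=dark; Domain=.site.com; HttpOnly', 'www.site.com'),
];
console.log('readable on jobs.site.com:', scriptReadableOn('jobs.site.com', jar));
```

Only the cookie set with `Domain=site.com` and without `HttpOnly` is exposed to a script on the subdomain; the host-only, `HttpOnly` variant never leaves www.site.com.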
A spokesperson for TripAdvisor said they were aware of the vulnerabilities and claimed that the flaws have now been fixed.
They explained: “Protecting the security of our customer information is paramount. Two of the potential vulnerabilities we had previously fixed. The other two that impacted a couple of our site pages we had recently learned about, took immediate steps and have already fixed the issue on the site. There is no evidence that any consumers were impacted, and we will continue to monitor the situation.”